diff --git a/.gitignore b/.gitignore
index 9727c32..d457918 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/unbound-1.4.20.tar.gz
+SOURCES/unbound-1.6.6.tar.gz
diff --git a/.unbound.metadata b/.unbound.metadata
index f3dbd41..4ccc03d 100644
--- a/.unbound.metadata
+++ b/.unbound.metadata
@@ -1 +1 @@
-1752976533be2a4f0c9cdbab9d2cbb67d4f27c43 SOURCES/unbound-1.4.20.tar.gz
+d205c03a402f5d900d5bad3d036849a12804a49e SOURCES/unbound-1.6.6.tar.gz
diff --git a/SOURCES/icannbundle.pem b/SOURCES/icannbundle.pem
index 48941de..d76ce0b 100644
--- a/SOURCES/icannbundle.pem
+++ b/SOURCES/icannbundle.pem
@@ -78,92 +78,12 @@ j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 2 (0x2)
+ Serial Number: 11 (0xb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
- Not Before: Dec 23 04:45:04 2009 GMT
- Not After : Dec 22 04:45:04 2014 GMT
- Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
- 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
- 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
- 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
- b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
- b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
- b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
- 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
- f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
- 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
- 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
- 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
- c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
- 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
- e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
- 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
- 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
- e9:05
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
- keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
- X509v3 Subject Key Identifier:
- 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22
- Signature Algorithm: sha256WithRSAEncryption
- 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
- 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
- d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
- f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
- f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
- e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
- 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
- 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
- cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
- 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
- 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
- c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
- a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
- 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
- e5:8d:06:73
------BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX
-DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O
-IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ
-JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7
-YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI
-aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F
-SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd
-OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA
-AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw
-FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA
-pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI
-89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN
-+pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE
-UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ
-bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP
-oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz
------END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 6 (0x6)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
- Validity
- Not Before: Dec 23 05:21:16 2009 GMT
- Not After : Dec 22 05:21:16 2014 GMT
+ Not Before: Nov 8 23:39:47 2016 GMT
+ Not After : Nov 6 23:39:47 2026 GMT
Subject: O=ICANN, CN=ICANN EMAIL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -192,33 +112,33 @@ Certificate:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
Signature Algorithm: sha256WithRSAEncryption
- 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
- b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
- 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
- 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
- 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
- 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
- 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
- c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
- 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
- a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
- d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
- 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
- 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
- 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
- ed:42:eb:2f
+ 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
+ 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
+ 95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
+ 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
+ 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
+ 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
+ e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
+ b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
+ d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
+ ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
+ 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
+ 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
+ 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
+ e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
+ be:7e:36:be
-----BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX
-DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
+DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
@@ -226,24 +146,24 @@ LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8
ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
-ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj
-vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK
-TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7
-06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL
-aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68
-y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57
-dMvE7e1C6y8=
+AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
+ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
+tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
+SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
+lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
+CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
+DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
+SMNGv75+Nr4=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 3 (0x3)
+ Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
- Not Before: Dec 23 05:07:29 2009 GMT
- Not After : Dec 22 05:07:29 2014 GMT
+ Not Before: Nov 8 23:38:16 2016 GMT
+ Not After : Nov 6 23:38:16 2026 GMT
Subject: O=ICANN, CN=ICANN SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -272,33 +192,33 @@ Certificate:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
Signature Algorithm: sha256WithRSAEncryption
- 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
- 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
- 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
- fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
- 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
- 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
- af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
- af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
- bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
- 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
- 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
- fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
- 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
- aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
- 2c:fe:c0:ed
+ 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
+ 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
+ cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
+ 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
+ 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
+ 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
+ fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
+ e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
+ f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
+ c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
+ 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
+ 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
+ 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
+ 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
+ 2d:70:f2:08
-----BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX
-DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
+DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
@@ -306,12 +226,12 @@ nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
-qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ
-TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM
-fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb
-pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS
-uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW
-vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey
-EN0s/sDt
+AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
+qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
+K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
+tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
+Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
+C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
+jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
+T5ktcPII
-----END CERTIFICATE-----
diff --git a/SOURCES/unbound-1.4.20-CVE-2014-8602.patch b/SOURCES/unbound-1.4.20-CVE-2014-8602.patch
deleted file mode 100644
index 9429e84..0000000
--- a/SOURCES/unbound-1.4.20-CVE-2014-8602.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-Index: iterator/iterator.c
-===================================================================
---- iterator/iterator.c (revision 3272)
-+++ iterator/iterator.c (working copy)
-@@ -120,6 +120,7 @@
- iq->query_restart_count = 0;
- iq->referral_count = 0;
- iq->sent_count = 0;
-+ iq->target_count = NULL;
- iq->wait_priming_stub = 0;
- iq->refetch_glue = 0;
- iq->dnssec_expected = 0;
-@@ -453,6 +454,26 @@
- return 1;
- }
-
-+/** create target count structure for this query */
-+static void
-+target_count_create(struct iter_qstate* iq)
-+{
-+ if(!iq->target_count) {
-+ iq->target_count = (int*)calloc(2, sizeof(int));
-+ /* if calloc fails we simply do not track this number */
-+ if(iq->target_count)
-+ iq->target_count[0] = 1;
-+ }
-+}
-+
-+static void
-+target_count_increase(struct iter_qstate* iq, int num)
-+{
-+ target_count_create(iq);
-+ if(iq->target_count)
-+ iq->target_count[1] += num;
-+}
-+
- /**
- * Generate a subrequest.
- * Generate a local request event. Local events are tied to this module, and
-@@ -524,6 +545,10 @@
- subiq = (struct iter_qstate*)subq->minfo[id];
- memset(subiq, 0, sizeof(*subiq));
- subiq->num_target_queries = 0;
-+ target_count_create(iq);
-+ subiq->target_count = iq->target_count;
-+ if(iq->target_count)
-+ iq->target_count[0] ++; /* extra reference */
- subiq->num_current_queries = 0;
- subiq->depth = iq->depth+1;
- outbound_list_init(&subiq->outlist);
-@@ -1350,6 +1375,12 @@
-
- if(iq->depth == ie->max_dependency_depth)
- return 0;
-+ if(iq->depth > 0 && iq->target_count &&
-+ iq->target_count[1] > MAX_TARGET_COUNT) {
-+ verbose(VERB_QUERY, "request has exceeded the maximum "
-+ "number of glue fetches %d", iq->target_count[1]);
-+ return 0;
-+ }
-
- iter_mark_cycle_targets(qstate, iq->dp);
- missing = (int)delegpt_count_missing_targets(iq->dp);
-@@ -1532,6 +1563,7 @@
- return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- }
- iq->num_target_queries += qs;
-+ target_count_increase(iq, qs);
- if(qs != 0) {
- qstate->ext_state[id] = module_wait_subquery;
- return 0; /* and wait for them */
-@@ -1541,6 +1573,12 @@
- verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
- return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
- }
-+ if(iq->depth > 0 && iq->target_count &&
-+ iq->target_count[1] > MAX_TARGET_COUNT) {
-+ verbose(VERB_QUERY, "request has exceeded the maximum "
-+ "number of glue fetches %d", iq->target_count[1]);
-+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
-+ }
- /* mark cycle targets for parent-side lookups */
- iter_mark_pside_cycle_targets(qstate, iq->dp);
- /* see if we can issue queries to get nameserver addresses */
-@@ -1570,6 +1608,7 @@
- if(query_count != 0) { /* suspend to await results */
- verbose(VERB_ALGO, "try parent-side glue lookup");
- iq->num_target_queries += query_count;
-+ target_count_increase(iq, query_count);
- qstate->ext_state[id] = module_wait_subquery;
- return 0;
- }
-@@ -1725,6 +1764,7 @@
- return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- }
- iq->num_target_queries += extra;
-+ target_count_increase(iq, extra);
- if(iq->num_target_queries > 0) {
- /* wait to get all targets, we want to try em */
- verbose(VERB_ALGO, "wait for all targets for fallback");
-@@ -1765,6 +1805,7 @@
- /* errors ignored, these targets are not strictly necessary for
- * this result, we do not have to reply with SERVFAIL */
- iq->num_target_queries += extra;
-+ target_count_increase(iq, extra);
- }
-
- /* Add the current set of unused targets to our queue. */
-@@ -1810,6 +1851,7 @@
- return 1;
- }
- iq->num_target_queries += qs;
-+ target_count_increase(iq, qs);
- }
- /* Since a target query might have been made, we
- * need to check again. */
-@@ -2921,6 +2963,8 @@
- iq = (struct iter_qstate*)qstate->minfo[id];
- if(iq) {
- outbound_list_clear(&iq->outlist);
-+ if(iq->target_count && --iq->target_count[0] == 0)
-+ free(iq->target_count);
- iq->num_current_queries = 0;
- }
- qstate->minfo[id] = NULL;
-Index: iterator/iterator.h
-===================================================================
---- iterator/iterator.h (revision 3272)
-+++ iterator/iterator.h (working copy)
-@@ -52,6 +52,8 @@
- struct iter_prep_list;
- struct iter_priv;
-
-+/** max number of targets spawned for a query and its subqueries */
-+#define MAX_TARGET_COUNT 32
- /** max number of query restarts. Determines max number of CNAME chain. */
- #define MAX_RESTART_COUNT 8
- /** max number of referrals. Makes sure resolver does not run away */
-@@ -251,6 +253,10 @@
-
- /** number of queries fired off */
- int sent_count;
-+
-+ /** number of target queries spawned in [1], for this query and its
-+ * subqueries, the malloced-array is shared, [0] refcount. */
-+ int* target_count;
-
- /**
- * The query must store NS records from referrals as parentside RRs
diff --git a/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch b/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch
deleted file mode 100644
index 6ec4725..0000000
--- a/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch
+++ /dev/null
@@ -1,312 +0,0 @@
-From e1132a3a41d2ff5a9479bbb629d73db4856a5f34 Mon Sep 17 00:00:00 2001
-From: Tomas Hozza <thozza@redhat.com>
-Date: Tue, 11 Oct 2016 15:38:58 +0200
-Subject: [PATCH] Add cache-max-negative-ttl option
-
-https://github.com/thozza/unbound/commit/0ef133ea5819fbf7518de9c8492c5e05c95ac8ce
-
-git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@3431 be551aaa-1e26-0410-a405-d3ace91eadb9
-Signed-off-by: Tomas Hozza <thozza@redhat.com>
----
- doc/example.conf.in | 3 +++
- doc/unbound-control.8.in | 2 +-
- doc/unbound.conf.5.in | 4 ++++
- testcode/unitmsgparse.c | 3 +++
- testdata/iter_domain_sale.rpl | 3 ++-
- testdata/iter_domain_sale_nschange.rpl | 6 ++++--
- util/config_file.c | 5 +++++
- util/config_file.h | 2 ++
- util/configlexer.lex | 1 +
- util/configparser.y | 12 +++++++++++-
- util/data/msgparse.h | 2 ++
- util/data/msgreply.c | 29 ++++++++++++++++++++++++++---
- 12 files changed, 64 insertions(+), 8 deletions(-)
-
-diff --git a/doc/example.conf.in b/doc/example.conf.in
-index aa9a7f7..52cad67 100644
---- a/doc/example.conf.in
-+++ b/doc/example.conf.in
-@@ -125,6 +125,9 @@ server:
- # cache. Items are not cached for longer. In seconds.
- # cache-max-ttl: 86400
-
-+ # the time to live (TTL) value cap for negative responses in the cache
-+ # cache-max-negative-ttl: 3600
-+
- # the time to live (TTL) value for cached roundtrip times, lameness and
- # EDNS version information for hosts. In seconds.
- # infra-host-ttl: 900
-diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
-index 669e81d..f2c76eb 100644
---- a/doc/unbound-control.8.in
-+++ b/doc/unbound-control.8.in
-@@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain,
- harden\-referral\-path, prefetch, prefetch\-key, log\-queries,
- hide\-identity, hide\-version, identity, version, val\-log\-level,
- val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown,
--keep\-missing, tcp\-upstream, ssl\-upstream.
-+keep\-missing, tcp\-upstream, ssl\-upstream, cache\-max\-negative\-ttl.
- .TP
- .B get_option \fIopt
- Get the value of the option. Give the option name without a trailing ':'.
-diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-index 6dd0216..7485345 100644
---- a/doc/unbound.conf.5.in
-+++ b/doc/unbound.conf.5.in
-@@ -267,6 +267,10 @@ Zero makes sure the data in the cache is as the domain owner intended,
- higher values, especially more than an hour or so, can lead to trouble as
- the data in the cache does not match up with the actual data any more.
- .TP
-+.B cache\-max\-negative\-ttl: \fI<seconds>
-+Time to live maximum for negative responses, these have a SOA in the
-+authority section that is limited in time. Default is 3600.
-+.TP
- .B infra\-host\-ttl: \fI<seconds>
- Time to live for entries in the host cache. The host cache contains
- roundtrip timing, lameness and EDNS support information. Default is 900.
-diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c
-index 4342395..08f3b50 100644
---- a/testcode/unitmsgparse.c
-+++ b/testcode/unitmsgparse.c
-@@ -582,9 +582,11 @@ testfromdrillfile(ldns_buffer* pkt, struct alloc_cache* alloc,
-
- void msgparse_test(void)
- {
-+ uint32_t origttl = MAX_NEG_TTL;
- ldns_buffer* pkt = ldns_buffer_new(65553);
- ldns_buffer* out = ldns_buffer_new(65553);
- struct alloc_cache super_a, alloc;
-+ MAX_NEG_TTL = 86400;
- /* init */
- alloc_init(&super_a, NULL, 0);
- alloc_init(&alloc, &super_a, 2);
-@@ -621,4 +623,5 @@ void msgparse_test(void)
- alloc_clear(&super_a);
- ldns_buffer_free(pkt);
- ldns_buffer_free(out);
-+ MAX_NEG_TTL = origttl;
- }
-diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl
-index 724b51d..ff61278 100644
---- a/testdata/iter_domain_sale.rpl
-+++ b/testdata/iter_domain_sale.rpl
-@@ -238,7 +238,8 @@ SECTION QUESTION
- nx1.example.com. IN A
- SECTION ANSWER
- SECTION AUTHORITY
--example.com. 3600 IN SOA a. b. 1 2 3 4 5
-+; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA
-+example.com. 5 IN SOA a. b. 1 2 3 4 5
- example.com. 1800 IN NS ns.example.com.
- SECTION ADDITIONAL
- ns.example.com. 1800 IN A 1.2.3.4
-diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl
-index a7d9f11..bc396f6 100644
---- a/testdata/iter_domain_sale_nschange.rpl
-+++ b/testdata/iter_domain_sale_nschange.rpl
-@@ -285,7 +285,8 @@ SECTION QUESTION
- nx1.example.com. IN A
- SECTION ANSWER
- SECTION AUTHORITY
--example.com. 3600 IN SOA a. b. 1 2 3 4 5
-+; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
-+example.com. 5 IN SOA a. b. 1 2 3 4 5
- example.com. 3600 IN NS nsb.example.com.
- SECTION ADDITIONAL
- nsb.example.com. 3600 IN A 1.2.3.4
-@@ -306,7 +307,8 @@ SECTION QUESTION
- nx1.example.com. IN A
- SECTION ANSWER
- SECTION AUTHORITY
--example.com. 3600 IN SOA a. b. 1 2 3 4 5
-+; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA.
-+example.com. 5 IN SOA a. b. 1 2 3 4 5
- example.com. 1800 IN NS nsb.example.com.
- SECTION ADDITIONAL
- nsb.example.com. 3600 IN A 1.2.3.4
-diff --git a/util/config_file.c b/util/config_file.c
-index b946f0d..4e0fbe7 100644
---- a/util/config_file.c
-+++ b/util/config_file.c
-@@ -128,6 +128,7 @@ config_create(void)
- cfg->bogus_ttl = 60;
- cfg->min_ttl = 0;
- cfg->max_ttl = 3600 * 24;
-+ cfg->max_negative_ttl = 3600;
- cfg->prefetch = 0;
- cfg->prefetch_key = 0;
- cfg->infra_cache_slabs = 4;
-@@ -359,6 +360,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
- else S_YNO("prefetch:", prefetch)
- else S_YNO("prefetch-key:", prefetch_key)
- else S_NUMBER_OR_ZERO("cache-max-ttl:", max_ttl)
-+ else if(strcmp(opt, "cache-max-negative-ttl:") == 0)
-+ { IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=cfg->max_negative_ttl;}
- else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl)
- else S_POW2("infra-cache-slabs:", infra_cache_slabs)
- else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
-@@ -593,6 +596,7 @@ config_get_option(struct config_file* cfg, const char* opt,
- else O_YNO(opt, "prefetch-key", prefetch_key)
- else O_YNO(opt, "prefetch", prefetch)
- else O_DEC(opt, "cache-max-ttl", max_ttl)
-+ else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl)
- else O_DEC(opt, "infra-host-ttl", host_ttl)
- else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs)
- else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
-@@ -1149,6 +1153,7 @@ config_apply(struct config_file* config)
- {
- MAX_TTL = (uint32_t)config->max_ttl;
- MIN_TTL = (uint32_t)config->min_ttl;
-+ MAX_NEG_TTL = (uint32_t)config->max_negative_ttl;
- EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size;
- MINIMAL_RESPONSES = config->minimal_responses;
- RRSET_ROUNDROBIN = config->rrset_roundrobin;
-diff --git a/util/config_file.h b/util/config_file.h
-index 69595cb..4d493b8 100644
---- a/util/config_file.h
-+++ b/util/config_file.h
-@@ -179,6 +179,8 @@ struct config_file {
- int max_ttl;
- /** the number of seconds minimum TTL used for RRsets and messages */
- int min_ttl;
-+ /** the number of seconds maximal negative TTL for SOA in auth */
-+ int max_negative_ttl;
- /** if prefetching of messages should be performed. */
- int prefetch;
- /** if prefetching of DNSKEYs should be performed. */
-diff --git a/util/configlexer.lex b/util/configlexer.lex
-index 4694cdd..079f195 100644
---- a/util/configlexer.lex
-+++ b/util/configlexer.lex
-@@ -208,6 +208,7 @@ msg-cache-slabs{COLON} { YDVAR(1, VAR_MSG_CACHE_SLABS) }
- rrset-cache-size{COLON} { YDVAR(1, VAR_RRSET_CACHE_SIZE) }
- rrset-cache-slabs{COLON} { YDVAR(1, VAR_RRSET_CACHE_SLABS) }
- cache-max-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_TTL) }
-+cache-max-negative-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) }
- cache-min-ttl{COLON} { YDVAR(1, VAR_CACHE_MIN_TTL) }
- infra-host-ttl{COLON} { YDVAR(1, VAR_INFRA_HOST_TTL) }
- infra-lame-ttl{COLON} { YDVAR(1, VAR_INFRA_LAME_TTL) }
-diff --git a/util/configparser.y b/util/configparser.y
-index 0dbee2b..7d7147d 100644
---- a/util/configparser.y
-+++ b/util/configparser.y
-@@ -105,6 +105,7 @@ extern struct config_parser_state* cfg_parser;
- %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
- %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
- %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
-+%token VAR_CACHE_MAX_NEGATIVE_TTL
-
- %%
- toplevelvars: /* empty */ | toplevelvars toplevelvar ;
-@@ -161,7 +162,7 @@ content_server: server_num_threads | server_verbosity | server_port |
- server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
- server_log_queries | server_tcp_upstream | server_ssl_upstream |
- server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
-- server_minimal_responses | server_rrset_roundrobin
-+ server_minimal_responses | server_rrset_roundrobin | server_cache_max_negative_ttl
- ;
- stubstart: VAR_STUB_ZONE
- {
-@@ -934,6 +935,15 @@ server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG
- free($2);
- }
- ;
-+server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG
-+ {
-+ OUTYY(("P(server_cache_max_negative_ttl:%s)\n", $2));
-+ if(atoi($2) == 0 && strcmp($2, "0") != 0)
-+ yyerror("number expected");
-+ else cfg_parser->cfg->max_negative_ttl = atoi($2);
-+ free($2);
-+ }
-+ ;
- server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG
- {
- OUTYY(("P(server_cache_min_ttl:%s)\n", $2));
-diff --git a/util/data/msgparse.h b/util/data/msgparse.h
-index 830d68e..825d368 100644
---- a/util/data/msgparse.h
-+++ b/util/data/msgparse.h
-@@ -74,6 +74,8 @@ struct regional;
- extern uint32_t MAX_TTL;
- /** Minimum TTL that is allowed. */
- extern uint32_t MIN_TTL;
-+/** Maximum Negative TTL that is allowed */
-+extern uint32_t MAX_NEG_TTL;
- /** Negative cache time (for entries without any RRs.) */
- #define NORR_TTL 5 /* seconds */
-
-diff --git a/util/data/msgreply.c b/util/data/msgreply.c
-index 6d711ff..dce724d 100644
---- a/util/data/msgreply.c
-+++ b/util/data/msgreply.c
-@@ -56,6 +56,8 @@
- uint32_t MAX_TTL = 3600 * 24 * 10; /* ten days */
- /** MIN TTL default for messages and rrsets */
- uint32_t MIN_TTL = 0;
-+/** MAX Negative TTL, for SOA records in authority section */
-+uint32_t MAX_NEG_TTL = 3600; /* one hour */
-
- /** allocate qinfo, return 0 on error */
- static int
-@@ -151,10 +153,23 @@ repinfo_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc,
- return 1;
- }
-
-+/** find the minimumttl in the rdata of SOA record */
-+static uint32_t
-+soa_find_minttl(struct rr_parse* rr)
-+{
-+ uint16_t rlen = ldns_read_uint16(rr->ttl_data+4);
-+ if(rlen < 20)
-+ return 0; /* rdata too small for SOA (dname, dname, 5*32bit) */
-+ /* minimum TTL is the last 32bit value in the rdata of the record */
-+ /* at position ttl_data + 4(ttl) + 2(rdatalen) + rdatalen - 4(timeval)*/
-+ return ldns_read_uint32(rr->ttl_data+6+rlen-4);
-+}
-+
- /** do the rdata copy */
- static int
- rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
-- struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type)
-+ struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type,
-+ ldns_pkt_section section)
- {
- uint16_t pkt_len;
- const ldns_rr_descriptor* desc;
-@@ -163,6 +178,14 @@ rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to,
- /* RFC 2181 Section 8. if msb of ttl is set treat as if zero. */
- if(*rr_ttl & 0x80000000U)
- *rr_ttl = 0;
-+ if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) {
-+ /* negative response. see if TTL of SOA record larger than the
-+ * minimum-ttl in the rdata of the SOA record */
-+ if(*rr_ttl > soa_find_minttl(rr))
-+ *rr_ttl = soa_find_minttl(rr);
-+ if(*rr_ttl > MAX_NEG_TTL)
-+ *rr_ttl = MAX_NEG_TTL;
-+ }
- if(*rr_ttl < MIN_TTL)
- *rr_ttl = MIN_TTL;
- if(*rr_ttl < data->ttl)
-@@ -252,7 +275,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
- data->rr_data[i] = nextrdata;
- nextrdata += rr->size;
- if(!rdata_copy(pkt, data, data->rr_data[i], rr,
-- &data->rr_ttl[i], pset->type))
-+ &data->rr_ttl[i], pset->type, pset->section))
- return 0;
- rr = rr->next;
- }
-@@ -263,7 +286,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset,
- data->rr_data[i] = nextrdata;
- nextrdata += rr->size;
- if(!rdata_copy(pkt, data, data->rr_data[i], rr,
-- &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG))
-+ &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG, pset->section))
- return 0;
- rr = rr->next;
- }
---
-2.7.4
-
diff --git a/SOURCES/unbound-1.4.20-coverity_scan.patch b/SOURCES/unbound-1.4.20-coverity_scan.patch
deleted file mode 100644
index ea68763..0000000
--- a/SOURCES/unbound-1.4.20-coverity_scan.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From de7c59d25d9fd2464543d649951b2ae47c2a839b Mon Sep 17 00:00:00 2001
-From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
-Date: Wed, 21 Aug 2013 13:31:09 +0000
-Subject: [PATCH] - Fix#520: Errors found by static analysis from Tomas
- Hozza(redhat).
-
-git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@2942 be551aaa-1e26-0410-a405-d3ace91eadb9
-Signed-off-by: Tomas Hozza <thozza@redhat.com>
----
- libunbound/libworker.c | 3 +++
- testcode/streamtcp.c | 2 +-
- util/tube.c | 2 +-
- validator/autotrust.c | 6 +++++-
- 4 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/libunbound/libworker.c b/libunbound/libworker.c
-index dd3316d..8f2aa48 100644
---- a/libunbound/libworker.c
-+++ b/libunbound/libworker.c
-@@ -198,7 +198,10 @@ libworker_setup(struct ub_ctx* ctx, int is_bg)
- }
- numports = cfg_condense_ports(cfg, &ports);
- if(numports == 0) {
-+ int locked = !w->is_bg || w->is_bg_thread;
- libworker_delete(w);
-+ if(locked)
-+ lock_basic_unlock(&ctx->cfglock);
- return NULL;
- }
- w->back = outside_network_create(w->base, cfg->msg_buffer_size,
-diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c
-index dbdf140..06a18e4 100644
---- a/testcode/streamtcp.c
-+++ b/testcode/streamtcp.c
-@@ -121,9 +121,9 @@ write_q(int fd, int udp, SSL* ssl, ldns_buffer* buf, uint16_t id,
- exit(1);
- }
- qinfo.qname = memdup(ldns_rdf_data(rdf), ldns_rdf_size(rdf));
-+ if(!qinfo.qname) fatal_exit("out of memory");
- (void)dname_count_size_labels(qinfo.qname, &qinfo.qname_len);
- ldns_rdf_deep_free(rdf);
-- if(!qinfo.qname) fatal_exit("out of memory");
-
- /* qtype and qclass */
- qinfo.qtype = ldns_get_rr_type_by_name(strtype);
-diff --git a/util/tube.c b/util/tube.c
-index 28c51d7..fde8496 100644
---- a/util/tube.c
-+++ b/util/tube.c
-@@ -368,7 +368,7 @@ int tube_read_msg(struct tube* tube, uint8_t** buf, uint32_t* len,
- return 0;
- }
- d = 0;
-- while(d != (ssize_t)*len) {
-+ while(d < (ssize_t)*len) {
- if((r=read(fd, (*buf)+d, (size_t)((ssize_t)*len)-d)) == -1) {
- log_err("tube msg read failed: %s", strerror(errno));
- (void)fd_set_nonblock(fd);
-diff --git a/validator/autotrust.c b/validator/autotrust.c
-index 1e24b4c..dc7cbf6 100644
---- a/validator/autotrust.c
-+++ b/validator/autotrust.c
-@@ -976,9 +976,13 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp)
- char* fname = tp->autr->file;
- char tempf[2048];
- log_assert(tp->autr);
-+ if(!env) {
-+ log_err("autr_write_file: Module environment is NULL.");
-+ return;
-+ }
- /* unique name with pid number and thread number */
- snprintf(tempf, sizeof(tempf), "%s.%d-%d", fname, (int)getpid(),
-- env&&env->worker?*(int*)env->worker:0);
-+ env->worker?*(int*)env->worker:0);
- verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf);
- out = fopen(tempf, "w");
- if(!out) {
---
-1.8.3.1
-
diff --git a/SOURCES/unbound-1.4.20-longcheck-fixup.patch b/SOURCES/unbound-1.4.20-longcheck-fixup.patch
deleted file mode 100644
index 1ba0808..0000000
--- a/SOURCES/unbound-1.4.20-longcheck-fixup.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh
-index 84d2ef5..b44dd77 100755
---- a/testcode/do-tests.sh
-+++ b/testcode/do-tests.sh
-@@ -1,6 +1,10 @@
- #!/usr/bin/env bash
- . testdata/common.sh
-
-+# make sure that the binaries used during tests can find the libraries compiled with them
-+LD_LIBRARY_PATH_BAK="$LD_LIBRARY_PATH"
-+export LD_LIBRARY_PATH="$(pwd)/.libs"
-+
- NEED_SPLINT='00-lint.tpkg'
- NEED_DOXYGEN='01-doc.tpkg'
- NEED_XXD='fwd_compress_c00c.tpkg fwd_zero.tpkg'
-@@ -10,6 +14,23 @@ NEED_WHOAMI='07-confroot.tpkg'
- NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg'
- NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg'
-
-+# 01-doc - checks for errors and warnings and there are warnings due to obsolted keywords
-+# in the doxygen documentation. Not a big deal, therefore skipping this.
-+#
-+# 06-ianaports - This checks if the bundled copy is up to date, which is obviously not
-+# as the version we are shipping is old version
-+#
-+# root_anchor - This fails because the pem file has been updated and re are shipping an
-+# old copy of it.
-+#
-+# root_hints - This fails because addresses of root servers changed and we are shipping
-+# an old copy of it. This is not an issue as all servers usually do priming on startup
-+#
-+# fwd_compress_c00c - The test fails because the HEX output contains one more zero on each
-+# line at the beginning of the address from which the data is dumped. Nevertheless the data
-+# are correct and match.
-+ALWAYS_SKIP='01-doc.tpkg 06-ianaports.tpkg root_anchor.tpkg root_hints.tpkg fwd_compress_c00c.tpkg'
-+
- # test if dig and ldns-testns are available.
- test_tool_avail "dig"
- test_tool_avail "ldns-testns"
-@@ -50,6 +71,11 @@ for test in `ls *.tpkg`; do
- SKIP=1;
- fi
- fi
-+
-+ if echo $ALWAYS_SKIP | grep $test >/dev/null; then
-+ SKIP=1;
-+ fi
-+
- if test $SKIP -eq 0; then
- echo $test
- sh ../testcode/mini_tpkg.sh -a ../.. exe $test
-@@ -57,5 +83,21 @@ for test in `ls *.tpkg`; do
- echo "skip $test"
- fi
- done
--sh ../testcode/mini_tpkg.sh report
-+sh ../testcode/mini_tpkg.sh report > .report.txt
-+cat .report.txt
-+
-+# Make sure the test suite fails when some test failed
-+if cat .report.txt | grep "FAILED" >/dev/null; then
-+ echo "Some tests FAILED!!!"
-+ RESULTS=1
-+else
-+ echo "All tests PASSED"
-+ RESULTS=0
-+fi
-+rm -f .report.txt
- cat .perfstats.txt
-+
-+# restore LD_LIBRARY_PATH
-+export LD_LIBRARY_PATH=$LD_LIBRARY_PATH_BAK
-+
-+exit $RESULTS
diff --git a/SOURCES/unbound-1.4.20-roundrobin.patch b/SOURCES/unbound-1.4.20-roundrobin.patch
deleted file mode 100644
index dcd4ebc..0000000
--- a/SOURCES/unbound-1.4.20-roundrobin.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Naur unbound-1.4.20-orig/util/data/msgencode.c unbound-1.4.20/util/data/msgencode.c
---- unbound-1.4.20-orig/util/data/msgencode.c 2012-04-10 05:16:39.000000000 -0400
-+++ unbound-1.4.20/util/data/msgencode.c 2013-05-21 15:47:01.435609420 -0400
-@@ -659,7 +659,7 @@
- }
- }
- /* roundrobin offset. using query id for random number */
-- rr_offset = RRSET_ROUNDROBIN?id:0;
-+ rr_offset = RRSET_ROUNDROBIN ? ntohs(id) : 0;
-
- /* insert answer section */
- if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
diff --git a/SOURCES/unbound-1.4.20-streamtcp-manpage.patch b/SOURCES/unbound-1.4.20-streamtcp-manpage.patch
deleted file mode 100644
index 888c706..0000000
--- a/SOURCES/unbound-1.4.20-streamtcp-manpage.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 2af92efb1f128ef43313e890182ff23e94276dca Mon Sep 17 00:00:00 2001
-From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
-Date: Fri, 19 Jul 2013 10:46:16 +0000
-Subject: [PATCH] - streamtcp man page, contributed by Tomas Hozza.
-
-git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@2924 be551aaa-1e26-0410-a405-d3ace91eadb9
----
- testcode/streamtcp.1 | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 files changed, 66 insertions(+)
- create mode 100644 testcode/streamtcp.1
-
-diff --git a/testcode/streamtcp.1 b/testcode/streamtcp.1
-new file mode 100644
-index 0000000..7c738d9
---- /dev/null
-+++ b/testcode/streamtcp.1
-@@ -0,0 +1,66 @@
-+.TH "unbound\-streamtcp" "1" "Mar 21, 2013" "NLnet Labs" "unbound"
-+.\"
-+.\" unbound-streamtcp.1 -- unbound DNS lookup utility
-+.\"
-+.SH "NAME"
-+.LP
-+.B unbound\-streamtcp
-+\- unbound DNS lookup utility
-+.SH "SYNOPSIS"
-+.LP
-+.B unbound\-streamtcp
-+.RB [ \-unsh ]
-+.RB [ \-f
-+.IR ipaddr[@port] ]
-+.I name
-+.I type
-+.I class
-+.SH "DESCRIPTION"
-+.LP
-+.B unbound\-streamtcp
-+sends a DNS Query of the given \fBtype\fR and \fBclass\fR for the given \fBname\fR
-+to the DNS server over TCP and displays the response.
-+.P
-+If the server to query is not given using the \fB\-f\fR option then localhost
-+(127.0.0.1) is used. More queries can be given on one commandline, they
-+are resolved in sequence.
-+.P
-+The available options are:
-+.TP
-+.I name
-+This name is resolved (looked up in the DNS).
-+.TP
-+.I type
-+Specify the type of data to lookup.
-+.TP
-+.I class
-+Specify the class to lookup for.
-+.TP
-+.B \-u
-+Use UDP instead of TCP. No retries are attempted.
-+.TP
-+.B \-n
-+Do not wait for the answer.
-+.TP
-+.B \-s
-+Use SSL.
-+.TP
-+.B \-h
-+Print program usage.
-+.TP
-+.B \-f \fIipaddr[@port]
-+Specify the server to send the queries to. If not specified localhost (127.0.0.1) is used.
-+.SH "EXAMPLES"
-+.LP
-+Some examples of use.
-+.P
-+$ unbound\-streamtcp www.example.com A IN
-+.P
-+$ unbound\-streamtcp \-f 192.168.1.1 www.example.com SOA IN
-+.P
-+$ unbound\-streamtcp \-f 192.168.1.1@1234 153.1.168.192.in\-addr.arpa. PTR IN
-+.SH "EXIT CODE"
-+The unbound\-streamtcp program exits with status code 1 on error,
-+0 on no error.
-+.SH "AUTHOR"
-+This manual page was written by Tomas Hozza <thozza@redhat.com>.
---
-1.8.3.1
-
diff --git a/SOURCES/unbound-1.4.20-trust-anchor.patch b/SOURCES/unbound-1.4.20-trust-anchor.patch
deleted file mode 100644
index 0d019d9..0000000
--- a/SOURCES/unbound-1.4.20-trust-anchor.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
-index ef0031c..c622f24 100644
---- a/smallapp/unbound-anchor.c
-+++ b/smallapp/unbound-anchor.c
-@@ -239,7 +239,10 @@ static const char*
- get_builtin_ds(void)
- {
- return
--". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
-+/* anchor 19036 is from 2010 */
-+/* anchor 20326 is from 2017 */
-+". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
-+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
- }
-
- /** print hex data */
diff --git a/SOURCES/unbound-1.6.3-coverity.patch b/SOURCES/unbound-1.6.3-coverity.patch
new file mode 100644
index 0000000..bab7a68
--- /dev/null
+++ b/SOURCES/unbound-1.6.3-coverity.patch
@@ -0,0 +1,92 @@
+diff --git a/compat/arc4_lock.c b/compat/arc4_lock.c
+index 0c45ad0..7fb9cdc 100644
+--- a/compat/arc4_lock.c
++++ b/compat/arc4_lock.c
+@@ -32,7 +32,7 @@
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+ #include "config.h"
+-#define LOCKRET(func) func
++#define LOCKRET(func) (void)func
+ #include "util/locks.h"
+
+ void _ARC4_LOCK(void);
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 243d94c..a377aca 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -371,7 +371,9 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
+ (unsigned)cfg_uid, (unsigned)cfg_gid,
+ ip, strerror(errno));
+ }
+- chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP));
++ if (chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1)
++ verbose(VERB_QUERY, "cannot chmod %s: %s",
++ ip, strerror(errno));
+ #else
+ (void)cfg;
+ #endif
+@@ -387,7 +389,7 @@ add_open(const char* ip, int nr, struct listen_port** list, int noproto_is_err,
+ }
+ #endif /* USE_WINSOCK */
+ log_err("control interface %s:%s getaddrinfo: %s %s",
+- ip?ip:"default", port, gai_strerror(r),
++ ip, port, gai_strerror(r),
+ #ifdef EAI_SYSTEM
+ r==EAI_SYSTEM?(char*)strerror(errno):""
+ #else
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index 1bee85c..6bdfe41 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -437,7 +437,6 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ rrset->rrset_all_next =
+ nx->rrset_all_next;
+ nx->rrset_all_next = rrset;
+- prev = nx;
+ }
+ }
+
+diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
+index 3b53676..36c67c6 100644
+--- a/services/listen_dnsport.c
++++ b/services/listen_dnsport.c
+@@ -1072,11 +1072,11 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
+ {
+ int s, noip6=0;
+ #ifdef USE_DNSCRYPT
+- int is_dnscrypt = ((strchr(ifname, '@') &&
++ const int is_dnscrypt = ((strchr(ifname, '@') &&
+ atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
+ (!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
+ #else
+- int is_dnscrypt = 0;
++ const int is_dnscrypt = 0;
+ (void)dnscrypt_port;
+ #endif
+
+diff --git a/services/localzone.c b/services/localzone.c
+index 6bde432..00d044a 100644
+--- a/services/localzone.c
++++ b/services/localzone.c
+@@ -1079,7 +1079,7 @@ local_zones_tags_lookup(struct local_zones* zones,
+ key.name = name;
+ key.namelen = len;
+ key.namelabs = labs;
+- rbtree_find_less_equal(&zones->ztree, &key, &res);
++ (void)rbtree_find_less_equal(&zones->ztree, &key, &res);
+ result = (struct local_zone*)res;
+ /* exact or smaller element (or no element) */
+ if(!result || result->dclass != dclass)
+diff --git a/smallapp/unbound-host.c b/smallapp/unbound-host.c
+index d7a36a2..68f789a 100644
+--- a/smallapp/unbound-host.c
++++ b/smallapp/unbound-host.c
+@@ -330,6 +330,7 @@ pretty_output(char* q, int t, int c, struct ub_result* result, int docname)
+ exit(1);
+ }
+ printf("%s\n", s);
++ free(s);
+ } else printf(" has no %s record", tstr);
+ printf(" %s\n", secstatus);
+ }
diff --git a/SOURCES/unbound-1.6.3-longcheck-fixup.patch b/SOURCES/unbound-1.6.3-longcheck-fixup.patch
new file mode 100644
index 0000000..8e63a3e
--- /dev/null
+++ b/SOURCES/unbound-1.6.3-longcheck-fixup.patch
@@ -0,0 +1,71 @@
+diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh
+index 5439f0f..1e9a424 100755
+--- a/testcode/do-tests.sh
++++ b/testcode/do-tests.sh
+@@ -1,6 +1,10 @@
+ #!/usr/bin/env bash
+ . testdata/common.sh
+
++# make sure that the binaries used during tests can find the libraries compiled with them
++LD_LIBRARY_PATH_BAK="$LD_LIBRARY_PATH"
++export LD_LIBRARY_PATH="$(pwd)/.libs"
++
+ NEED_SPLINT='00-lint.tdir'
+ NEED_DOXYGEN='01-doc.tdir'
+ NEED_XXD='fwd_compress_c00c.tdir fwd_zero.tdir'
+@@ -11,6 +15,20 @@ NEED_IPV6='fwd_ancil.tdir fwd_tcp_tc6.tdir stub_udp6.tdir edns_cache.tdir'
+ NEED_NOMINGW='tcp_sigpipe.tdir 07-confroot.tdir 08-host-lib.tdir fwd_ancil.tdir'
+ NEED_DNSCRYPT_PROXY='dnscrypt_queries.tdir dnscrypt_queries_chacha.tdir'
+
++# 01-doc - checks for errors and warnings and there are warnings due to obsolted keywords
++# in the doxygen documentation. Not a big deal, therefore skipping this.
++#
++# 06-ianaports - This checks if the bundled copy is up to date, which is obviously not
++# as the version we are shipping is old version
++#
++# root_anchor - This fails because the pem file has been updated and re are shipping an
++# old copy of it.
++#
++# root_hints - This fails because addresses of root servers changed and we are shipping
++# an old copy of it. This is not an issue as all servers usually do priming on startup
++#
++ALWAYS_SKIP='01-doc.tdir 06-ianaports.tdir root_anchor.tdir root_hints.tdir'
++
+ # test if dig and ldns-testns are available.
+ test_tool_avail "dig"
+ test_tool_avail "ldns-testns"
+@@ -52,6 +70,11 @@ for test in `ls -d *.tdir`; do
+ SKIP=1;
+ fi
+ fi
++
++ if echo $ALWAYS_SKIP | grep $test >/dev/null; then
++ SKIP=1;
++ fi
++
+ if test $SKIP -eq 0; then
+ echo $test
+ sh ../testcode/mini_tdir.sh -a ../.. exe $test
+@@ -59,5 +82,21 @@ for test in `ls -d *.tdir`; do
+ echo "skip $test"
+ fi
+ done
+-sh ../testcode/mini_tdir.sh report
++sh ../testcode/mini_tdir.sh report > .report.txt
++cat .report.txt
++
++# Make sure the test suite fails when some test failed
++if grep "FAILED" .report.txt >/dev/null; then
++ echo "Some tests FAILED!!!"
++ RESULTS=1
++else
++ echo "All tests PASSED"
++ RESULTS=0
++fi
++rm -f .report.txt
+ cat .perfstats.txt
++
++# restore LD_LIBRARY_PATH
++export LD_LIBRARY_PATH=$LD_LIBRARY_PATH_BAK
++
++exit $RESULTS
diff --git a/SOURCES/unbound-1.6.3-print-test-fails.patch b/SOURCES/unbound-1.6.3-print-test-fails.patch
new file mode 100644
index 0000000..367dc5f
--- /dev/null
+++ b/SOURCES/unbound-1.6.3-print-test-fails.patch
@@ -0,0 +1,17 @@
+diff --git a/testcode/mini_tpkg.sh b/testcode/mini_tpkg.sh
+index ebf27a7..d0a66aa 100755
+--- a/testcode/mini_tpkg.sh
++++ b/testcode/mini_tpkg.sh
+@@ -116,6 +116,12 @@ if test -f $name.post; then
+ fi
+ echo "DateRunEnd: "`date "+%s" 2>/dev/null` >> $result
+
++if test "$success" = "no"; then
++ echo "## Start of $name"
++ cat $result
++ echo "## End of $name"
++fi
++
+ mv $result ..
+ cd ..
+ rm -rf $dir
diff --git a/SOURCES/unbound-1.6.6-test-fwd_oneport.patch b/SOURCES/unbound-1.6.6-test-fwd_oneport.patch
new file mode 100644
index 0000000..582790b
--- /dev/null
+++ b/SOURCES/unbound-1.6.6-test-fwd_oneport.patch
@@ -0,0 +1,56 @@
+From f41fcb93de47ddf2ec5063be1df29e99cafc61c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Wed, 11 Oct 2017 23:04:50 +0200
+Subject: [PATCH 1/2] Do not fail if two tests run on the same machine.
+ Randomize outgoing port too.
+
+---
+ testdata/fwd_oneport.tdir/fwd_oneport.conf | 2 +-
+ testdata/fwd_oneport.tdir/fwd_oneport.pre | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.conf b/testdata/fwd_oneport.tdir/fwd_oneport.conf
+index f3427fe..76cade4 100644
+--- a/testdata/fwd_oneport.tdir/fwd_oneport.conf
++++ b/testdata/fwd_oneport.tdir/fwd_oneport.conf
+@@ -5,7 +5,7 @@ server:
+ port: @PORT@
+ outgoing-range: 2
+ outgoing-port-avoid: 0-65535
+- outgoing-port-permit: 20675
++ outgoing-port-permit: @OUTPORT@
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+diff --git a/testdata/fwd_oneport.tdir/fwd_oneport.pre b/testdata/fwd_oneport.tdir/fwd_oneport.pre
+index eeb5238..256d8dc 100644
+--- a/testdata/fwd_oneport.tdir/fwd_oneport.pre
++++ b/testdata/fwd_oneport.tdir/fwd_oneport.pre
+@@ -5,11 +5,13 @@
+ [ -f .tpkg.var.test ] && source .tpkg.var.test
+
+ . ../common.sh
+-get_random_port 2
++get_random_port 3
+ UNBOUND_PORT=$RND_PORT
+ FWD_PORT=$(($RND_PORT + 1))
++OUT_PORT=$(($RND_PORT + 2))
+ echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+ echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
++echo "OUT_PORT=$OUT_PORT" >> .tpkg.var.test
+
+ # start forwarder
+ get_ldns_testns
+@@ -18,7 +20,8 @@ FWD_PID=$!
+ echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+ # make config file
+-sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_oneport.conf > ub.conf
++sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@OUTPORT\@/'$OUT_PORT'/' < fwd_oneport.conf > ub.conf
++
+ # start unbound in the background
+ PRE="../.."
+ $PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+--
+2.9.5
+
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index 26cb47e..d62a38b 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@@ -15,30 +15,39 @@ server:
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
- # Needed for munin plugin
+ # Needs to be disabled for munin plugin
statistics-interval: 0
+ # enable shm for stats, default no. if you enable also enable
+ # statistics-interval, every time it also writes stats to the
+ # shared memory segment keyed with shm-key.
+ # shm-enable: no
+
+ # shm for stats uses this key, and key+1 for the shared mem segment.
+ # shm-key: 11777
+
# enable cumulative statistics, without clearing them after printing.
- # Needed for munin plugin
+ # Needs to be disabled for munin plugin
statistics-cumulative: no
# enable extended statistics (query types, answer codes, status)
# printed from unbound-control. default off, because of speed.
- # Needed for munin plugin
+ # Needs to be enabled for munin plugin
extended-statistics: yes
# number of threads to create. 1 disables threading.
- num-threads: 2
+ num-threads: 4
# specify the interfaces to answer queries from by ip-address.
# The default is to listen to localhost (127.0.0.1 and ::1).
# specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface on a new 'interface:' labelled line.
+ # specify every interface[@port] on a new 'interface:' labelled line.
# The listen interfaces are not changed on reload, only on restart.
# interface: 0.0.0.0
# interface: ::0
# interface: 192.0.2.153
# interface: 192.0.2.154
+ # interface: 192.0.2.154@5003
# interface: 2001:DB8::5
#
# for dns over tls and raw dns over port 80
@@ -66,20 +75,32 @@ server:
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
+ # Specify a netblock to use remainder 64 bits as random bits for
+ # upstream queries. Uses freebind option (Linux).
+ # outgoing-interface: 2001:DB8::/64
+ # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
+ # And: ip -6 route add local 2001:db8::/64 dev lo
+ # And set prefer-ip6: yes to use the ip6 randomness from a netblock.
+ # Set this to yes to prefer ipv6 upstream servers over ipv4.
+ # prefer-ip6: no
+
# number of ports to allocate per thread, determines the size of the
- # port range that can be open simultaneously.
+ # port range that can be open simultaneously. About double the
+ # num-queries-per-thread, or, use as many as the OS will allow you.
# outgoing-range: 4096
# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
- # outgoing-port-permit: 32768
+ # outgoing-port-permit: 32768-65535
# deny unbound the use this of port number or port range for
# making outgoing queries, using an outgoing interface.
# Use this to make sure unbound does not grab a UDP port that some
# other server on this computer needs. The default is to avoid
# IANA-assigned port numbers.
- # outgoing-port-avoid: "3200-3208"
+ # If multiple outgoing-port-permit and outgoing-port-avoid options
+ # are present, they are processed in order.
+ # outgoing-port-avoid: 0-32767
# number of outgoing simultaneous tcp buffers to hold per thread.
# outgoing-num-tcp: 10
@@ -95,10 +116,29 @@ server:
# 0 is system default. Use 4m to handle spikes on very busy servers.
# so-sndbuf: 0
+ # use SO_REUSEPORT to distribute queries over threads.
+ so-reuseport: yes
+
+ # use IP_TRANSPARENT so the interface: addresses can be non-local
+ # and you can config non-existing IPs that are going to work later on
+ # (uses IP_BINDANY on FreeBSD).
+ ip-transparent: yes
+
+ # use IP_FREEBIND so the interface: addresses can be non-local
+ # and you can bind to nonexisting IPs and interfaces that are down.
+ # Linux only. On Linux you also have ip-transparent that is similar.
+ # ip-freebind: no
+
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
- # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+ # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
+ # Maximum UDP response size (not applied to TCP response).
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ # 3072 causes +dnssec any isc.org queries to need TC=1.
+ # Helps mitigating DDOS
+ # max-udp-size: 3072
+
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
@@ -118,6 +158,9 @@ server:
# if very busy, 50% queries run to completion, 50% get timeout in msec
# jostle-timeout: 200
+ # msec to wait before close of port on timeout UDP. 0 disables.
+ # delay-close: 0
+
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
@@ -138,10 +181,13 @@ server:
# the time to live (TTL) value cap for negative responses in the cache
# cache-max-negative-ttl: 3600
- # the time to live (TTL) value for cached roundtrip times, lameness
- # and EDNS version information for hosts. In seconds.
+ # the time to live (TTL) value for cached roundtrip times, lameness and
+ # EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
+ # minimum wait time for responses, increase if uplink is long. In msec.
+ # infra-cache-min-rtt: 50
+
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
@@ -150,6 +196,10 @@ server:
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
+ # define a number of tags here, use with local-zone, access-control.
+ # repeat the define-tag statement to add additional tags.
+ # define-tag: "tag1 tag2 tag3"
+
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@@ -168,7 +218,16 @@ server:
# useful for tunneling scenarios, default no.
# tcp-upstream: no
+ # Maximum segment size (MSS) of TCP socket on which the server
+ # responds to queries. Default is 0, system default MSS.
+ # tcp-mss: 0
+
+ # Maximum segment size (MSS) of TCP socket for outgoing queries.
+ # Default is 0, system default MSS.
+ # outgoing-tcp-mss: 0
+
# Detach from the terminal, run in background, "yes" or "no".
+ # Set the value to "no" when unbound runs as systemd service.
# do-daemonize: yes
# control which clients are allowed to make (recursive) queries
@@ -176,12 +235,31 @@ server:
# By default everything is refused, except for localhost.
# Choose deny (drop message), refuse (polite error reply),
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
+ # deny_non_local (drop queries unless can be answered from local-data)
+ # refuse_non_local (like deny_non_local but polite error reply).
# access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
+ # tag access-control with list of tags (in "" with spaces between)
+ # Clients using this access control element use localzones that
+ # are tagged with one of these tags.
+ # access-control-tag: 192.0.2.0/24 "tag2 tag3"
+
+ # set action for particular tag for given access control element
+ # if you have multiple tag values, the tag used to lookup the action
+ # is the first tag match between access-control-tag and local-zone-tag
+ # where "first" comes from the order of the define-tag values.
+ # access-control-tag-action: 192.0.2.0/24 tag3 refuse
+
+ # set redirect data for particular tag for access control element
+ # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+
+ # Set view for access control element
+ # access-control-view: 192.0.2.0/24 viewname
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
@@ -216,6 +294,8 @@ server:
# the working directory. The relative files in this config are
# relative to this directory. If you give "" the working directory
# is not changed.
+ # If you give a server: directory: dir before include: file statements
+ # then those includes can be relative to the working directory.
directory: "/etc/unbound"
# the log file, "" means log to stderr.
@@ -225,15 +305,26 @@ server:
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
+
+ # Log identity to report. if empty, defaults to the name of argv[0]
+ # (usually "unbound").
+ # log-identity: ""
# print UTC timestamp in ascii to logfile, default is epoch in seconds.
log-time-ascii: yes
+ # print one line with time, IP, name, type, class for every query.
+ # log-queries: no
+
+ # print one line per reply, with time, IP, name, type, class, rcode,
+ # timetoresolve, fromcache and responsesize.
+ # log-replies: no
+
# the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from.
- # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+ # get one from https://www.internic.net/domain/named.cache
# root-hints: ""
# enable to not answer id.server and hostname.bind queries.
@@ -242,6 +333,9 @@ server:
# enable to not answer version.server and version.bind queries.
# hide-version: no
+ # enable to not answer trustanchor.unbound queries.
+ # hide-trustanchor: no
+
# the identity to report. Leave "" or default to return hostname.
# identity: ""
@@ -282,10 +376,30 @@ server:
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
harden-referral-path: yes
+ # Harden against algorithm downgrade when multiple algorithms are
+ # advertised in the DS record. If no, allows the weakest algorithm
+ # to validate the zone.
+ # harden-algo-downgrade: no
+
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ # qname-minimisation: no
+
+ # QNAME minimisation in strict mode. Do not fall-back to sending full
+ # QNAME to potentially broken nameservers. A lot of domains will not be
+ # resolvable when this option in enabled.
+ # This option only has effect when qname-minimisation is enabled.
+ # qname-minimisation-strict: no
+
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
- # (this now fails on all GoDaddy customer domains, so disabled)
- use-caps-for-id: no
+ # use-caps-for-id: no
+
+ # Domains (and domains in them) without support for dns-0x20 and
+ # the fallback fails because they keep sending different answers.
+ # caps-whitelist: "licdn.com"
+ # caps-whitelist: "senderbase.org"
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@@ -295,9 +409,10 @@ server:
# private-address: 10.0.0.0/8
# private-address: 172.16.0.0/12
# private-address: 192.168.0.0/16
- # private-address: 192.254.0.0/16
+ # private-address: 169.254.0.0/16
# private-address: fd00::/8
# private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
# Allow the domain (and its subdomains) to contain private addresses.
# local-data statements are allowed to contain private addresses too.
@@ -332,31 +447,41 @@ server:
# into response messages when those sections are not required.
minimal-responses: yes
+ # true to disable DNSSEC lameness check in iterator.
+ # disable-dnssec-lame-check: no
+
# module configuration of the server. A string with identifiers
- # separated by spaces. "iterator" or "validator iterator"
+ # separated by spaces. Syntax: "[dns64] [validator] iterator"
# module-config: "validator iterator"
+ module-config: "ipsecmod validator iterator"
+
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ #
+ # If you want to perform DNSSEC validation, run unbound-anchor before
+ # you start unbound (i.e. in the system boot scripts). And enable:
+ # Please note usage of unbound-anchor root anchor is at your own risk
+ # and under the terms of our LICENSE (see that file in the source).
+ # auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # trust anchor signaling sends a RFC8145 key tag query after priming.
+ trust-anchor-signaling: yes
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
- # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
- #
- # ISC's DLV registry is being deprecated in the near future, therefore
- # it is not used in the default configuration. The use of ISC's DLV
- # registry is discouraged.
- # dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
+ # DLV is going to be decommissioned. Please do not use it any more.
+ # dlv-anchor-file: "dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
+ # Note this gets out of date, use auto-trust-anchor-file please.
# trust-anchor-file: ""
- # File with trusted keys, kept uptodate using RFC5011 probes,
- # initial file like trust-anchor-file, then it stores metadata.
- # Use several entries, one per domain name, to track multiple zones.
- # auto-trust-anchor-file: ""
-
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
+ # Note this gets out of date, use auto-trust-anchor-file please.
# (These examples are from August 2007 and may not be valid anymore).
# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
@@ -365,9 +490,9 @@ server:
# with several entries, one file per entry. Like trust-anchor-file
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+ # you need external update procedures to track changes in keys.
# trusted-keys-file: ""
#
- # trusted-keys-file: /etc/unbound/rootkey.bind
trusted-keys-file: /etc/unbound/keys.d/*.key
auto-trust-anchor-file: "/var/lib/unbound/root.key"
@@ -376,7 +501,7 @@ server:
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
- # and expiration. "" or "0" turns the feature off.
+ # and expiration. "" or "0" turns the feature off. -1 ignores date.
# val-override-date: ""
# The time to live for bogus data, rrsets and messages. This avoids
@@ -384,7 +509,7 @@ server:
# val-bogus-ttl: 60
# The signature inception and expiration dates are allowed to be off
- # by 10% of the lifetime of the signature from our local clock.
+ # by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
@@ -403,6 +528,15 @@ server:
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
+ # Ignore the CD flag in incoming queries and refuse them bogus data.
+ # Enable it if the only clients of unbound are legacy servers (w2008)
+ # that set CD but cannot validate themselves.
+ # ignore-cd-flag: no
+
+ # Serve expired responses from cache, with TTL 0 in the response,
+ # and then attempt to fetch the data afresh.
+ # serve-expired: no
+
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
val-log-level: 1
@@ -423,6 +557,10 @@ server:
# If the value 0 is given, missing anchors are not removed.
# keep-missing: 31622400 # 366 days
+ # debug option that allows very small holddown times for key rollover,
+ # otherwise the RFC mandates probe intervals must be at least 1 hour.
+ # permit-small-holddown: no
+
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
@@ -436,16 +574,80 @@ server:
# plain value in bytes or you can append k, m or G. default is "1Mb".
# neg-cache-size: 1m
+ # By default, for a number of zones a small default 'nothing here'
+ # reply is built-in. Query traffic is thus blocked. If you
+ # wish to serve such zone you can unblock them by uncommenting one
+ # of the nodefault statements below.
+ # You may also have to use domain-insecure: zone to make DNSSEC work,
+ # unless you have your own trust anchors for this zone.
+ # local-zone: "localhost." nodefault
+ # local-zone: "127.in-addr.arpa." nodefault
+ # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "onion." nodefault
+ # local-zone: "test." nodefault
+ # local-zone: "invalid." nodefault
+ # local-zone: "10.in-addr.arpa." nodefault
+ # local-zone: "16.172.in-addr.arpa." nodefault
+ # local-zone: "17.172.in-addr.arpa." nodefault
+ # local-zone: "18.172.in-addr.arpa." nodefault
+ # local-zone: "19.172.in-addr.arpa." nodefault
+ # local-zone: "20.172.in-addr.arpa." nodefault
+ # local-zone: "21.172.in-addr.arpa." nodefault
+ # local-zone: "22.172.in-addr.arpa." nodefault
+ # local-zone: "23.172.in-addr.arpa." nodefault
+ # local-zone: "24.172.in-addr.arpa." nodefault
+ # local-zone: "25.172.in-addr.arpa." nodefault
+ # local-zone: "26.172.in-addr.arpa." nodefault
+ # local-zone: "27.172.in-addr.arpa." nodefault
+ # local-zone: "28.172.in-addr.arpa." nodefault
+ # local-zone: "29.172.in-addr.arpa." nodefault
+ # local-zone: "30.172.in-addr.arpa." nodefault
+ # local-zone: "31.172.in-addr.arpa." nodefault
+ # local-zone: "168.192.in-addr.arpa." nodefault
+ # local-zone: "0.in-addr.arpa." nodefault
+ # local-zone: "254.169.in-addr.arpa." nodefault
+ # local-zone: "2.0.192.in-addr.arpa." nodefault
+ # local-zone: "100.51.198.in-addr.arpa." nodefault
+ # local-zone: "113.0.203.in-addr.arpa." nodefault
+ # local-zone: "255.255.255.255.in-addr.arpa." nodefault
+ # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+ # local-zone: "d.f.ip6.arpa." nodefault
+ # local-zone: "8.e.f.ip6.arpa." nodefault
+ # local-zone: "9.e.f.ip6.arpa." nodefault
+ # local-zone: "a.e.f.ip6.arpa." nodefault
+ # local-zone: "b.e.f.ip6.arpa." nodefault
+ # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
+ # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
+
+ # If unbound is running service for the local host then it is useful
+ # to perform lan-wide lookups to the upstream, and unblock the
+ # long list of local-zones above. If this unbound is a dns server
+ # for a network of computers, disabled is better and stops information
+ # leakage of local lan information.
+ # unblock-lan-zones: no
+
+ # The insecure-lan-zones option disables validation for
+ # these zones, as if they were all listed as domain-insecure.
+ # insecure-lan-zones: no
+
+ # The insecure-lan-zones option disables validation for
+ # these zones, as if they were all listed as domain-insecure.
+ # insecure-lan-zones: no
+
# a number of locally served zones can be configured.
# local-zone: <zone> <type>
# local-data: "<resource record string>"
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
- # o transparent serves local data, but resolves normally for other names
+ # o transparent gives local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
# o typetransparent resolves normally for other types and other names
+ # o inform resolves normally, but logs client IP address
+ # o inform_deny drops queries and logs client IP address
+ # o always_transparent, always_refuse, always_nxdomain, resolve in
+ # that way but ignore local data for that name.
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -474,25 +676,94 @@ server:
include: /etc/unbound/local.d/*.conf
+ # tag a localzone with a list of tag names (in "" with spaces between)
+ # local-zone-tag: "example.com" "tag2 tag3"
+
+ # add a netblock specific override to a localzone, with zone type
+ # local-zone-override: "example.com" 192.0.2.0/24 refuse
+
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "/etc/unbound/unbound_server.key"
# ssl-service-pem: "/etc/unbound/unbound_server.pem"
# ssl-port: 443
-
+ #
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# ssl-upstream: no
-## Python config section. To enable:
-## o use --with-pythonmodule to configure before compiling.
-## o list python in the module-config string (above) to enable.
-## o and give a python-script to run.
-#python:
-# # Script file to load
-# # python-script: "/etc/unbound/ubmodule-tst.py"
+ # DNS64 prefix. Must be specified when DNS64 is use.
+ # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
+ # dns64-prefix: 64:ff9b::0/96
+
+ # ratelimit for uncached, new queries, this limits recursion effort.
+ # ratelimiting is experimental, and may help against randomqueryflood.
+ # if 0(default) it is disabled, otherwise state qps allowed per zone.
+ # ratelimit: 0
+
+ # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+ # ratelimit-size: 4m
+ # ratelimit cache slabs, reduces lock contention if equal to cpucount.
+ # ratelimit-slabs: 4
+
+ # 0 blocks when ratelimited, otherwise let 1/xth traffic through
+ # ratelimit-factor: 10
+ # override the ratelimit for a specific domain name.
+ # give this setting multiple times to have multiple overrides.
+ # ratelimit-for-domain: example.com 1000
+ # override the ratelimits for all domains below a domain name
+ # can give this multiple times, the name closest to the zone is used.
+ # ratelimit-below-domain: com 1000
+
+ # global query ratelimit for all ip addresses.
+ # feature is experimental.
+ # if 0(default) it is disabled, otherwise states qps allowed per ip address
+ # ip-ratelimit: 0
+
+ # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+ # ip-ratelimit-size: 4m
+ # ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
+ # ip-ratelimit-slabs: 4
+
+ # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
+ # ip-ratelimit-factor: 10
+
+ # Specific options for ipsecmod.
+ #
+ # Enable or disable ipsecmod (it still needs to be defined in
+ # module-config above). Can be used when ipsecmod needs to be
+ # enabled/disabled via remote-control(below).
+ ipsecmod-enabled: no
+ #
+ # Path to executable external hook. It must be defined when ipsecmod is
+ # listed in module-config (above).
+ ipsecmod-hook: "/usr/libexec/ipsec/_unbound-hook"
+ #
+ # When enabled unbound will reply with SERVFAIL if the return value of
+ # the ipsecmod-hook is not 0.
+ # ipsecmod-strict: no
+ #
+ # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+ # ipsecmod-max-ttl: 3600
+ #
+ # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+ # testing.
+ # ipsecmod-ignore-bogus: no
+ #
+ # Domains for which ipsecmod will be triggered. If not defined (default)
+ # all domains are treated as being whitelisted.
+ # ipsecmod-whitelist: "example.com"
+ # ipsecmod-whitelist: "nlnetlabs.nl"
+
+# Python config section. To enable:
+# o use --with-pythonmodule to configure before compiling.
+# o list python in the module-config string (above) to enable.
+# o and give a python-script to run.
+python:
+ # Script file to load
+ # python-script: "/etc/unbound/ubmodule-tst.py"
# Remote control config section.
remote-control:
@@ -501,13 +772,17 @@ remote-control:
# Note: required for unbound-munin package
control-enable: yes
+ # Set to no and use an absolute path as control-interface to use
+ # a unix local named pipe for unbound-control.
+ # control-use-cert: yes
+
# what interfaces are listened to for remote control.
# give 0.0.0.0 and ::0 to listen to all interfaces.
# control-interface: 127.0.0.1
# control-interface: ::1
# port number for remote control operations.
- # control-port: 953
+ # control-port: 8953
# unbound server key file.
server-key-file: "/etc/unbound/unbound_server.key"
@@ -522,7 +797,6 @@ remote-control:
control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
-
include: /etc/unbound/conf.d/*.conf
# Stub zones.
@@ -530,13 +804,19 @@ include: /etc/unbound/conf.d/*.conf
# 'example.org' go to the given list of nameservers. list zero or more
# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
# the list is treated as priming hints (default is no).
+# With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
# stub-zone:
# name: "example.com"
# stub-addr: 192.0.2.68
-# stub-prime: "no"
+# stub-prime: no
+# stub-first: no
+# stub-ssl-upstream: no
# stub-zone:
# name: "example.org"
# stub-host: ns.example.com.
+
# You can now also dynamically create and delete stub-zone's using
# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
@@ -552,6 +832,7 @@ include: /etc/unbound/conf.d/*.conf
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
+# forward-ssl-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
@@ -559,3 +840,21 @@ include: /etc/unbound/conf.d/*.conf
# You can now also dynamically create and delete forward-zone's using
# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
+
+# Views
+# Create named views. Name must be unique. Map views to requests using
+# the access-control-view option. Views can contain zero or more local-zone
+# and local-data options. Options from matching views will override global
+# options. Global options will be used if no matching view is found.
+# With view-first yes, it will try to answer using the global local-zone and
+# local-data elements if there is no view specific match.
+# view:
+# name: "viewname"
+# local-zone: "example.com" redirect
+# local-data: "example.com A 192.0.2.3"
+# local-data-ptr: "192.0.2.3 www.example.com"
+# view-first: no
+# view:
+# name: "anotherview"
+# local-zone: "example.com" refuse
+
diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec
index faf9ae4..fcb5457 100644
--- a/SPECS/unbound.spec
+++ b/SPECS/unbound.spec
@@ -1,5 +1,6 @@
%{?!with_python: %global with_python 1}
-%{?!with_munin: %global with_munin 0}
+%{?!with_munin: %global with_munin 0}
+%{?!with_test: %global with_test 1}
%if %{with_python}
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -10,11 +11,11 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.4.20
-Release: 34%{?dist}
+Version: 1.6.6
+Release: 1%{?dist}
License: BSD
-Url: http://www.nlnetlabs.nl/unbound/
-Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
+Url: https://unbound.net/
+Source: https://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.service
Source2: unbound.conf
Source3: unbound.munin
@@ -26,29 +27,30 @@ Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
-# From http://data.iana.org/root-anchors/icannbundle.pem
-Source12: icannbundle.pem
+Source12: https://data.iana.org/root-anchors/icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
-Patch1: unbound-1.4.20-roundrobin.patch
-Patch2: unbound-1.4.20-streamtcp-manpage.patch
-Patch3: unbound-1.4.20-coverity_scan.patch
-Patch4: unbound-1.4.20-CVE-2014-8602.patch
-Patch5: unbound-1.4.20-cache-max-negative-ttl.patch
-Patch6: unbound-1.4.20-longcheck-fixup.patch
-Patch7: unbound-1.4.20-trust-anchor.patch
-
+Patch1: unbound-1.6.3-longcheck-fixup.patch
+Patch3: unbound-1.6.3-print-test-fails.patch
+Patch4: unbound-1.6.3-coverity.patch
+# Randomize outgoing port too, do not fail on two running builds on one host
+Patch5: unbound-1.6.6-test-fwd_oneport.patch
Group: System Environment/Daemons
-BuildRequires: openssl-devel , ldns-devel >= 1.6.16-10
+BuildRequires: openssl-devel
+%if %{with_test}
# needed for the test suite
BuildRequires: bind-utils
+BuildRequires: ldns
+BuildRequires: vim-common nmap-ncat
+%endif
# needed to regenerate configparser
BuildRequires: flex, byacc
BuildRequires: libevent-devel expat-devel
+BuildRequires: pkgconfig
%if %{with_python}
BuildRequires: python-devel swig
%endif
@@ -59,7 +61,6 @@ BuildRequires: systemd-units
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
-Requires: ldns >= 1.6.16-10
Requires(pre): shadow-utils
# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -90,7 +91,8 @@ Plugin for the munin / munin-node monitoring package
%package devel
Summary: Development package that includes the unbound header files
Group: Development/Libraries
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel, ldns-devel
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
+Requires: pkgconfig
%description devel
The devel package contains the unbound library and the include files
@@ -131,13 +133,10 @@ Python modules and extensions for unbound
%prep
%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p0
-%patch5 -p1 -b .cache-max-negative-ttl
-%patch6 -p1 -b .longcheck-fixup
-%patch7 -p1 -b .root-anchor
+%patch1 -p1 -b .longcheck-fixup
+%patch3 -p1 -b .testlog
+%patch4 -p1 -b .coverity
+%patch5 -p1 -b .test-fwd_oneport
# regrnerate config parser due to new options added
echo "#include \"config.h\"" > util/configlexer.c || echo "Failed to create configlexer"
@@ -146,8 +145,9 @@ flex -i -t util/configlexer.lex >> util/configlexer.c || echo "Failed to create
yacc -y -d -o util/configparser.c util/configparser.y || echo "Failed to create configparser"
%build
-%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
+%configure --with-libevent --with-pthreads --with-ssl \
--disable-rpath --disable-static \
+ --enable-subnet --enable-ipsecmod \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
@@ -161,6 +161,7 @@ yacc -y -d -o util/configparser.c util/configparser.y || echo "Failed to create
%install
%{__make} DESTDIR=%{buildroot} install
+%{__make} DESTDIR=%{buildroot} unbound-event-install
install -d 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
@@ -186,6 +187,9 @@ install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
+install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
+
+
# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf
@@ -260,8 +264,10 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control
%files devel
%{_libdir}/libunbound.so
%{_includedir}/unbound.h
+%{_includedir}/unbound-event.h
%{_mandir}/man3/*
%doc README
+%{_libdir}/pkgconfig/*.pc
%files libs
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
@@ -336,10 +342,26 @@ fi
%check
-make check
-make longcheck
+%if %{with_test}
+ make check
+ make longcheck
+%endif
%changelog
+* Wed Oct 11 2017 Petr Menšík <pemensik@redhat.com> - 1.6.6-1
+- Rebase to 1.6.6
+- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics
+- Enable ipsecmod support
+
+* Sun Sep 17 2017 Petr Menšík <pemensik@redhat.com> - 1.6.3-3
+- Update project website and ICANN key
+
+* Wed Aug 30 2017 Petr Menšík <pemensik@redhat.com> - 1.6.3-2
+- Install unbound-event.h
+
+* Fri Aug 18 2017 Petr Menšík <pemensik@redhat.com> - 1.6.3-1
+- Rebase to 1.6.3
+
* Fri Jun 02 2017 Petr Menšík <pemensik@redhat.com> - 1.4.20-34
- Make merge of updated database more safe