diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..91e53cc --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/unbound-1.13.1.tar.gz diff --git a/.unbound.metadata b/.unbound.metadata new file mode 100644 index 0000000..18eae4c --- /dev/null +++ b/.unbound.metadata @@ -0,0 +1 @@ +561522b06943f6d1c33bd78132db1f7020fc4fd1 SOURCES/unbound-1.13.1.tar.gz diff --git a/SOURCES/block-example.com.conf b/SOURCES/block-example.com.conf new file mode 100644 index 0000000..4807448 --- /dev/null +++ b/SOURCES/block-example.com.conf @@ -0,0 +1,10 @@ +# entries in this file override toe global DNS +# +# Example blocking email going out to example.com +# +# local-data: "example.com. 3600 IN MX 5 127.0.0.1" +# local-data: "example.com. 3600 IN A 127.0.0.1" + +# This can also be done dynamically using: unbound-control local-data [...] + +# For more complicated redirection, use conf.d/ with stub-add: or forward-add: diff --git a/SOURCES/example.com.conf b/SOURCES/example.com.conf new file mode 100644 index 0000000..30f7f03 --- /dev/null +++ b/SOURCES/example.com.conf @@ -0,0 +1,17 @@ +# Example of an override of the "public DNS tree" with an "internal view" +# override, for example to add an internal-only corporate DNS zone. +# +# The stub-zone/stub-addr must point to AUTHORITATIVE servers. If you want to +# point to an internal RECURSIVE server, use forward-zone/forward-addr instead. + +#stub-zone: +# name: example.com +# stub-prime: no +# # if you could trust a lookup, use: +# stub-host: a.iana-servers.net. +# stub-host: b.iana-servers.net. +# # else specify the IP's using: +# stub-addr: 199.43.132.53 +# stub-addr: 2001:500:8c::53 +# stub-addr: 199.43.133.53 +# stub-addr: 2001:500:8d::53 diff --git a/SOURCES/example.com.key b/SOURCES/example.com.key new file mode 100644 index 0000000..a70c13f --- /dev/null +++ b/SOURCES/example.com.key @@ -0,0 +1,7 @@ +; // format is BIND trusted-keys format +; // Ensure to only put KSKs (usually 257) here, not ZSKs (usually 256) + +; // trusted-keys { +; // "example.com." 257 3 8 "AwEAAawt7HplI5M8GGAsxuyCyjF0l+QlcgVN11CRZ4vP66qbDCX0BnShZ11BGb//4zSG/8mmBHirL2FLg+mVuIIxig+iroZYjh4iTKVOhv2hZftRwyrQHK++qXvCCWN3ki51RG/e8R4kOEV71rZ8OgQvPWx6F91qroqOPpcf7PPxippeHOn+PxnP0hpyLyo1mx1rPs/cMpL3jOMufGP+LJYh+fBU7lt0sP5i09HaJPruzyZML9BPtpv8ZAdQhwtXVG0+MnET2qT/1+TljpxZn6yeegFRCFRHBjMo6iiRJnUWra/klkrgEn2Q+BXGTOMTTKQdYz4OxYEa1z7apu3a09dYNBM="; // key id = 51605 +; // "example.com." 257 3 8 "AwEAAeikvxboZpn9VCxm3YDLHo40SvA9EmRwJHHQyJ0OCzrQSRBSipojrW7yESXWiDDyzflS8rgzDs7M3fIdSduOdyNi55DmXPdkS8HYORTMNyzFsSOg+xx6tUySK2p4WAhlbsJNLz4IkQCek59NoDBOLyQ15npsr7Tgfb/HHU7zmCMvnxh0SqO2lyhnQfk29Thc3nC4KNJNb3drjWKOuCw5mg+2GrEZYc/VqdeGvrOCQ2el8jWZpSU5cxb7EdEy4B9nEeZiBpHXaZ5XJ+ewi4vmcUK5/445mGJqV4rDeicy5/ShC/BJ81v3bIRPWebvDRJmDbjr2d9MnLXUE7yyETrQd18="; // key id = 31589 +; // }; diff --git a/SOURCES/icannbundle.pem b/SOURCES/icannbundle.pem new file mode 100644 index 0000000..d76ce0b --- /dev/null +++ b/SOURCES/icannbundle.pem @@ -0,0 +1,237 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:19:12 2009 GMT + Not After : Dec 18 04:19:12 2029 GMT + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: + 85:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + Signature Algorithm: sha256WithRSAEncryption + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: + 9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: + e7:40:61:a4 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 11 (0xb) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Nov 8 23:39:47 2016 GMT + Not After : Nov 6 23:39:47 2026 GMT + Subject: O=ICANN, CN=ICANN EMAIL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: + 4d:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 + Signature Algorithm: sha256WithRSAEncryption + 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18: + 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87: + 95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af: + 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4: + 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d: + 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71: + e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e: + b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd: + d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46: + ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd: + 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff: + 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e: + 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b: + e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf: + be:7e:36:be +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX +DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj +tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr +SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE +lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb +CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0 +DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI +SMNGv75+Nr4= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10 (0xa) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Nov 8 23:38:16 2016 GMT + Not After : Nov 6 23:38:16 2026 GMT + Subject: O=ICANN, CN=ICANN SSL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: + e2:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 + Signature Algorithm: sha256WithRSAEncryption + 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4: + 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97: + cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69: + 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54: + 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08: + 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e: + fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81: + e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88: + f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d: + c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a: + 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50: + 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e: + 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a: + 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99: + 2d:70:f2:08 +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX +DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8 +K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq +tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR +Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU +C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC +jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur +T5ktcPII +-----END CERTIFICATE----- diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor new file mode 100644 index 0000000..c78ee03 --- /dev/null +++ b/SOURCES/root.anchor @@ -0,0 +1 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/SOURCES/root.key b/SOURCES/root.key new file mode 100644 index 0000000..6c5622c --- /dev/null +++ b/SOURCES/root.key @@ -0,0 +1,6 @@ +; // The root key in bind format. This can be read by most tools, including +; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this +trusted-keys { +"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 + +}; diff --git a/SOURCES/tmpfiles-unbound.conf b/SOURCES/tmpfiles-unbound.conf new file mode 100644 index 0000000..bb88f01 --- /dev/null +++ b/SOURCES/tmpfiles-unbound.conf @@ -0,0 +1 @@ +D /run/unbound 0755 unbound unbound - diff --git a/SOURCES/unbound-1.13.1-rh1952814.patch b/SOURCES/unbound-1.13.1-rh1952814.patch new file mode 100644 index 0000000..261ed20 --- /dev/null +++ b/SOURCES/unbound-1.13.1-rh1952814.patch @@ -0,0 +1,204 @@ +diff --git a/config.h.in b/config.h.in +index 103ad9f..0bb29d9 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -847,6 +847,14 @@ + /* Define if you enable libevent */ + #undef USE_LIBEVENT + ++/* WARNING! This is only for the libunbound on Linux and does not affect ++ unbound resolving daemon itself. This may severely limit the number of ++ available outgoing ports and thus decrease randomness. Define this only ++ when the target system restricts (e.g. some of SELinux enabled ++ distributions) the use of non-ephemeral ports. Define this to enable use of ++ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */ ++#undef USE_LINUX_IP_LOCAL_PORT_RANGE ++ + /* Define if you want to use internal select based events */ + #undef USE_MINI_EVENT + +diff --git a/configure b/configure +index c91e8a3..826dce9 100755 +--- a/configure ++++ b/configure +@@ -898,6 +898,7 @@ enable_ipsecmod + enable_ipset + with_libmnl + enable_explicit_port_randomisation ++enable_linux_ip_local_port_range + with_libunbound_only + ' + ac_precious_vars='build_alias +@@ -1590,6 +1591,16 @@ Optional Features: + --disable-explicit-port-randomisation + disable explicit source port randomisation and rely + on the kernel to provide random source ports ++ --enable-linux-ip-local-port-range ++ WARNING! This is only for the libunbound on Linux ++ and does not affect unbound resolving daemon itself. ++ This may severely limit the number of available ++ outgoing ports and thus decrease randomness. Use ++ this option only when the target system restricts ++ the use of non-ephemeral ports. (e.g. some of ++ SELinux enabled distributions) Enable this option to ++ use /proc/sys/net/ipv4/ip_local_port_range as a ++ default outgoing port range + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -4202,6 +4213,13 @@ else + else on_mingw="no"; fi + fi + ++# are we on Linux? ++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" ++else ++ if echo $host $target | grep linux >/dev/null; then on_linux="yes" ++ else on_linux="no"; fi ++fi ++ + # + # Determine configuration file + # the eval is to evaluate shell expansion twice +@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h + ;; + esac + ++if test $on_linux = "yes"; then ++ # Check whether --enable-linux-ip-local-port-range was given. ++if test "${enable_linux_ip_local_port_range+set}" = set; then : ++ enableval=$enable_linux_ip_local_port_range; ++fi ++ ++ case "$enable_linux_ip_local_port_range" in ++ yes) ++ ++$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h ++ ++ ;; ++ no|*) ++ ;; ++ esac ++fi ++ + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 + $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } +diff --git a/configure.ac b/configure.ac +index 2d88048..1207047 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -152,6 +152,13 @@ else + else on_mingw="no"; fi + fi + ++# are we on Linux? ++if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" ++else ++ if echo $host $target | grep linux >/dev/null; then on_linux="yes" ++ else on_linux="no"; fi ++fi ++ + # + # Determine configuration file + # the eval is to evaluate shell expansion twice +@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in + ;; + esac + ++if test $on_linux = "yes"; then ++ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range])) ++ case "$enable_linux_ip_local_port_range" in ++ yes) ++ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.]) ++ ;; ++ no|*) ++ ;; ++ esac ++fi ++ + + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) + # on openBSD, the implicit rule make $< work. +diff --git a/libunbound/context.c b/libunbound/context.c +index cff2831..48d76d9 100644 +--- a/libunbound/context.c ++++ b/libunbound/context.c +@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx) + } else { + log_init(cfg->logfile, cfg->use_syslog, NULL); + } ++ cfg_apply_local_port_policy(cfg, 65536); + config_apply(cfg); + if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) + return UB_INITFAIL; +diff --git a/util/config_file.c b/util/config_file.c +index 4d87dee..6b90e48 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) + return num; + } + ++void cfg_apply_local_port_policy(struct config_file* cfg, int num) { ++(void)cfg; ++(void)num; ++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE ++ { ++ int i = 0; ++ FILE* range_fd; ++ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { ++ int min_port = 0; ++ int max_port = num - 1; ++ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { ++ for(i=0; ioutgoing_avail_ports[i] = 0; ++ } ++ for(i=max_port+1; ioutgoing_avail_ports[i] = 0; ++ } ++ } else { ++ log_err("unexpected port range in %s", ++ LINUX_IP_LOCAL_PORT_RANGE_PATH); ++ } ++ fclose(range_fd); ++ } else { ++ log_warn("failed to read from file: %s (%s)", ++ LINUX_IP_LOCAL_PORT_RANGE_PATH, ++ strerror(errno)); ++ } ++ } ++#endif ++} ++ + /** print error with file and line number */ + static void ub_c_error_va_list(const char *fmt, va_list args) + { +diff --git a/util/config_file.h b/util/config_file.h +index 7cf27cc..d091ef7 100644 +--- a/util/config_file.h ++++ b/util/config_file.h +@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); + */ + int cfg_condense_ports(struct config_file* cfg, int** avail); + ++/** ++ * Apply system specific port range policy. ++ * @param cfg: config file. ++ * @param num: size of the array (65536). ++ */ ++void cfg_apply_local_port_policy(struct config_file* cfg, int num); ++ + /** + * Scan ports available + * @param avail: the array from cfg. +@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg); + /** debug option for unit tests. */ + extern int fake_dsa, fake_sha1; + ++#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE ++#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" ++#endif ++ + #endif /* UTIL_CONFIG_FILE_H */ + diff --git a/SOURCES/unbound-1.13.1-rh1977400.patch b/SOURCES/unbound-1.13.1-rh1977400.patch new file mode 100644 index 0000000..6447e5e --- /dev/null +++ b/SOURCES/unbound-1.13.1-rh1977400.patch @@ -0,0 +1,12 @@ +diff --git a/util/net_help.c b/util/net_help.c +index 3b5527a..42a7666 100644 +--- a/util/net_help.c ++++ b/util/net_help.c +@@ -1172,6 +1172,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { + log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); ++ SSL_CTX_free(ctx); + return 0; + } + #endif diff --git a/SOURCES/unbound-1.13.1-rh1977401.patch b/SOURCES/unbound-1.13.1-rh1977401.patch new file mode 100644 index 0000000..4c4c42d --- /dev/null +++ b/SOURCES/unbound-1.13.1-rh1977401.patch @@ -0,0 +1,19 @@ +diff --git a/dns64/dns64.c b/dns64/dns64.c +index c79bc9c..fddbc62 100644 +--- a/dns64/dns64.c ++++ b/dns64/dns64.c +@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id, + switch(event) { + case module_event_new: + /* Tag this query as being new and fall through. */ +- iq = (struct dns64_qstate*)regional_alloc( +- qstate->region, sizeof(*iq)); ++ if (!(iq = (struct dns64_qstate*)regional_alloc( ++ qstate->region, sizeof(*iq)))) { ++ log_err("out of memory"); ++ qstate->ext_state[id] = module_error; ++ return; ++ } + qstate->minfo[id] = iq; + iq->state = DNS64_NEW_QUERY; + iq->started_no_cache_store = qstate->no_cache_store; diff --git a/SOURCES/unbound-1.13.1-rh1991005.patch b/SOURCES/unbound-1.13.1-rh1991005.patch new file mode 100644 index 0000000..01264ca --- /dev/null +++ b/SOURCES/unbound-1.13.1-rh1991005.patch @@ -0,0 +1,15 @@ +diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c +index d58f1b2..5bfe15b 100644 +--- a/smallapp/unbound-control.c ++++ b/smallapp/unbound-control.c +@@ -492,9 +492,7 @@ static void ssl_path_err(const char* s, const char *path) + { + unsigned long err; + err = ERR_peek_error(); +- if (ERR_GET_LIB(err) == ERR_LIB_SYS && +- (ERR_GET_FUNC(err) == SYS_F_FOPEN || +- ERR_GET_FUNC(err) == SYS_F_FREAD) ) { ++ if (ERR_GET_LIB(err) == ERR_LIB_SYS) { + fprintf(stderr, "error: %s\n%s: %s\n", + s, path, ERR_reason_error_string(err)); + exit(1); diff --git a/SOURCES/unbound-1.13.1.tar.gz.asc b/SOURCES/unbound-1.13.1.tar.gz.asc new file mode 100644 index 0000000..8124842 --- /dev/null +++ b/SOURCES/unbound-1.13.1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmAiOawACgkQn28cLX4E +X40R5A//ex9Fe0bR/JQNcpXAFMZ8Wvj7KOW+2VhUsPqVL8s3Iew/hlIqlmP4/dIG +htygqy8I1VbyIQIJ7HSkQderPLMjyDw7+K7fCNhzzPZO+OMAiXsSslvKXrCBClGI +1MOAPsKpfV9C9yf4w8t5orvvxHlw21Vqnh9LTcAQekw1+NhCUw3uiLuIkyU4RLS8 +LYdlWOuVhOe6cmR4XTZPGR8zlMZ7Owzgi+o3+g1Gknsr09B28ttJe9LuOg3jHp6I +LKRpROGZs+8iqYylb85mfEIwRO1lpj+k9D4A+CnJyhY9nUP4k9b/Ywe6qS16yWAs +s8mzZtAjAgrRCsM+C6hwVo0I2P9mVVy9WfFHNt1Mp4P4XdPbSc2CXLfyBfNkx1ty +kMnGBiehHC9oZ4QAwTnJ/Bevi0C5OlRt9BIVwvA0ymWGOOHXE4i2SxhUWMEx399s +2Uqpr3mBd0ZO0HRvKNOY14vF/O1ja+oNTPvnMJyzZKUeTRRHaKF1dr3fNrXlACtE +GgHihHGaVSM1PA5z4S5Jo6PuZqwn+QBCUYhjFjlsF5d6h8srksxJAnh4GbPRJiUl +AJEUSCQFOk6dJmrWVLDa+MP003T5DfouJzQX5WZr+M5fNVD1xhZs49Ea4ATSZPrw +SM+/n+G/UlFue89qqvCrTMErNBXKINRZlir7yIi4UsEiyDUal2E= +=n/aJ +-----END PGP SIGNATURE----- diff --git a/SOURCES/unbound-anchor.service b/SOURCES/unbound-anchor.service new file mode 100644 index 0000000..cd949e5 --- /dev/null +++ b/SOURCES/unbound-anchor.service @@ -0,0 +1,9 @@ +[Unit] +Description=update of the root trust anchor for DNSSEC validation in unbound +Documentation=man:unbound-anchor(8) + +[Service] +Type=oneshot +User=unbound +ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R +SuccessExitStatus=1 diff --git a/SOURCES/unbound-anchor.timer b/SOURCES/unbound-anchor.timer new file mode 100644 index 0000000..a87bf5c --- /dev/null +++ b/SOURCES/unbound-anchor.timer @@ -0,0 +1,14 @@ +[Unit] +Description=daily update of the root trust anchor for DNSSEC +Documentation=man:unbound-anchor(8) + +[Timer] +# Current DNSKEY TTL in root zone is 172800 seconds, i.e. 172800/60/60/24 = 2 days. +# It means that unboud-anchor should be run at least once a day. +OnCalendar=daily +Persistent=true +AccuracySec=24h + +[Install] +WantedBy=timers.target + diff --git a/SOURCES/unbound-keygen.service b/SOURCES/unbound-keygen.service new file mode 100644 index 0000000..f5e6535 --- /dev/null +++ b/SOURCES/unbound-keygen.service @@ -0,0 +1,19 @@ +[Unit] +Description=Unbound Control Key And Certificate Generator +After=syslog.target +Before=unbound.service +ConditionPathExists=|!/etc/unbound/unbound_control.pem +ConditionPathExists=|!/etc/unbound/unbound_control.key +ConditionPathExists=|!/etc/unbound/unbound_server.pem +ConditionPathExists=|!/etc/unbound/unbound_server.key +PartOf=unbound.service + +[Service] +Type=oneshot +Group=unbound +ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/ +ExecStart=/sbin/restorecon /etc/unbound/* +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/unbound-munin.README b/SOURCES/unbound-munin.README new file mode 100644 index 0000000..8fa4329 --- /dev/null +++ b/SOURCES/unbound-munin.README @@ -0,0 +1,5 @@ + +To activate the munin plugins, run (as root): + +cd /etc/munin/plugins +for i in /usr/share/munin/plugins/unbound_*; do ln -s $i; done diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf new file mode 100644 index 0000000..e414f9c --- /dev/null +++ b/SOURCES/unbound.conf @@ -0,0 +1,1184 @@ +# +# Example configuration file. +# +# See unbound.conf(5) man page +# +# this is a comment. + +# Use this anywhere in the file to include other text into this file. +#include: "otherfile.conf" + +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + +# The server clause sets the main parameters. +server: + # whitespace is not necessary, but looks cleaner. + + # verbosity number, 0 is least verbose. 1 is default. + verbosity: 1 + + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # Needs to be disabled for munin plugin + statistics-interval: 0 + + # enable shm for stats, default no. if you enable also enable + # statistics-interval, every time it also writes stats to the + # shared memory segment keyed with shm-key. + # shm-enable: no + + # shm for stats uses this key, and key+1 for the shared mem segment. + # shm-key: 11777 + + # enable cumulative statistics, without clearing them after printing. + # Needs to be disabled for munin plugin + statistics-cumulative: no + + # enable extended statistics (query types, answer codes, status) + # printed from unbound-control. default off, because of speed. + # Needs to be enabled for munin plugin + extended-statistics: yes + + # number of threads to create. 1 disables threading. + num-threads: 4 + + # specify the interfaces to answer queries from by ip-address. + # The default is to listen to localhost (127.0.0.1 and ::1). + # specify 0.0.0.0 and ::0 to bind to all available interfaces. + # specify every interface[@port] on a new 'interface:' labelled line. + # The listen interfaces are not changed on reload, only on restart. + # interface: 0.0.0.0 + # interface: ::0 + # interface: 192.0.2.153 + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 + # + # for dns over tls and raw dns over port 80 + # interface: 0.0.0.0@443 + # interface: ::0@443 + # interface: 0.0.0.0@80 + # interface: ::0@80 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. + # interface-automatic: yes + # + # NOTE: Enable this option when specifying interface 0.0.0.0 or ::0 + # NOTE: Disabled per Fedora policy not to listen to * on default install + # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled + interface-automatic: no + + # port to answer queries from + # port: 53 + + # specify the interfaces to send outgoing queries to authoritative + # server from by ip-address. If none, the default (all) interface + # is used. Specify every interface on a 'outgoing-interface:' line. + # outgoing-interface: 192.0.2.153 + # outgoing-interface: 2001:DB8::5 + # outgoing-interface: 2001:DB8::6 + + # Specify a netblock to use remainder 64 bits as random bits for + # upstream queries. Uses freebind option (Linux). + # outgoing-interface: 2001:DB8::/64 + # Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo + # And: ip -6 route add local 2001:db8::/64 dev lo + # And set prefer-ip6: yes to use the ip6 randomness from a netblock. + # Set this to yes to prefer ipv6 upstream servers over ipv4. + # prefer-ip6: no + + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + + # number of ports to allocate per thread, determines the size of the + # port range that can be open simultaneously. About double the + # num-queries-per-thread, or, use as many as the OS will allow you. + # outgoing-range: 4096 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. + # Only ephemeral ports are allowed by SElinux + outgoing-port-permit: 32768-60999 + + # deny unbound the use this of port number or port range for + # making outgoing queries, using an outgoing interface. + # Use this to make sure unbound does not grab a UDP port that some + # other server on this computer needs. The default is to avoid + # IANA-assigned port numbers. + # If multiple outgoing-port-permit and outgoing-port-avoid options + # are present, they are processed in order. + # Our SElinux policy does not allow non-ephemeral ports to be used + outgoing-port-avoid: 0-32767 + outgoing-port-avoid: 61000-65535 + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. + # so-rcvbuf: 0 + + # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). + # 0 is system default. Use 4m to handle spikes on very busy servers. + # so-sndbuf: 0 + + # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. + so-reuseport: yes + + # use IP_TRANSPARENT so the interface: addresses can be non-local + # and you can config non-existing IPs that are going to work later on + # (uses IP_BINDANY on FreeBSD). + ip-transparent: yes + + # use IP_FREEBIND so the interface: addresses can be non-local + # and you can bind to nonexisting IPs and interfaces that are down. + # Linux only. On Linux you also have ip-transparent that is similar. + # ip-freebind: no + + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer + # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts) + # edns-buffer-size: 1232 + + # Maximum UDP response size (not applied to TCP response). + # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. + # 3072 causes +dnssec any isc.org queries to need TC=1. + # Helps mitigating DDOS + max-udp-size: 3072 + + # max memory to use for stream(tcp and tls) waiting result buffers. + # stream-wait-size: 4m + + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. In bytes. + # msg-buffer-size: 65552 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 + + # msec to wait before close of port on timeout UDP. 0 disables. + # delay-close: 0 + + # perform connect for UDP sockets to mitigate ICMP side channel. + # udp-connect: yes + + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. + # cache-min-ttl: 0 + + # the time to live (TTL) value cap for RRsets and messages in the + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 + + # minimum wait time for responses, increase if uplink is long. In msec. + # infra-cache-min-rtt: 50 + + # enable to make server probe down hosts more frequently. + # infra-keep-probing: no + + # the number of slabs to use for the Infrastructure cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 + + # the maximum number of hosts that are cached (roundtrip, EDNS, lame). + # infra-cache-numhosts: 10000 + + # define a number of tags here, use with local-zone, access-control. + # repeat the define-tag statement to add additional tags. + # define-tag: "tag1 tag2 tag3" + + # Enable IPv4, "yes" or "no". + # do-ip4: yes + + # Enable IPv6, "yes" or "no". + # do-ip6: yes + + # Enable UDP, "yes" or "no". + # NOTE: if setting up an unbound on tls443 for public use, you might want to + # disable UDP to avoid being used in DNS amplification attacks. + # do-udp: yes + + # Enable TCP, "yes" or "no". + # do-tcp: yes + + # upstream connections use TCP only (and no UDP), "yes" or "no" + # useful for tunneling scenarios, default no. + # tcp-upstream: no + + # upstream connections also use UDP (even if do-udp is no). + # useful if if you want UDP upstream, but don't provide UDP downstream. + # udp-upstream-without-downstream: no + + # Maximum segment size (MSS) of TCP socket on which the server + # responds to queries. Default is 0, system default MSS. + # tcp-mss: 0 + + # Maximum segment size (MSS) of TCP socket for outgoing queries. + # Default is 0, system default MSS. + # outgoing-tcp-mss: 0 + + # Idle TCP timeout, connection closed in milliseconds + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 + + # Fedora note: do not activate this - can cause a crash + # Use systemd socket activation for UDP, TCP, and control sockets. + # use-systemd: no + + # Detach from the terminal, run in background, "yes" or "no". + # Set the value to "no" when unbound runs as systemd service. + # do-daemonize: yes + + # control which clients are allowed to make (recursive) queries + # to this server. Specify classless netblocks with /size and action. + # By default everything is refused, except for localhost. + # Choose deny (drop message), refuse (polite error reply), + # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on), + # allow_snoop (recursive and nonrecursive ok) + # deny_non_local (drop queries unless can be answered from local-data) + # refuse_non_local (like deny_non_local but polite error reply). + # access-control: 0.0.0.0/0 refuse + # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow + + # tag access-control with list of tags (in "" with spaces between) + # Clients using this access control element use localzones that + # are tagged with one of these tags. + # access-control-tag: 192.0.2.0/24 "tag2 tag3" + + # set action for particular tag for given access control element + # if you have multiple tag values, the tag used to lookup the action + # is the first tag match between access-control-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # access-control-tag-action: 192.0.2.0/24 tag3 refuse + + # set redirect data for particular tag for access control element + # access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1" + + # Set view for access control element + # access-control-view: 192.0.2.0/24 viewname + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, + # for extra security, but make sure all files are in that directory. + # + # If chroot is enabled, you should pass the configfile (from the + # commandline) as a full path from the original root. After the + # chroot has been performed the now defunct portion of the config + # file path is removed to be able to reread the config after a reload. + # + # All other file paths (working dir, logfile, roothints, and + # key files) can be specified in several ways: + # o as an absolute path relative to the new root. + # o as a relative path to the working directory. + # o as an absolute path relative to the original root. + # In the last case the path is adjusted to remove the unused portion. + # + # The pid file can be absolute and outside of the chroot, it is + # written just prior to performing the chroot and dropping permissions. + # + # Additionally, unbound may need to access /dev/urandom (for entropy). + # How to do this is specific to your OS. + # + # If you give "" no chroot is performed. The path must not end in a /. + # chroot: "/var/lib/unbound" + chroot: "" + + # if given, user privileges are dropped (after binding port), + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + username: "unbound" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory + # is not changed. + # If you give a server: directory: dir before include: file statements + # then those includes can be relative to the working directory. + directory: "/etc/unbound" + + # the log file, "" means log to stderr. + # Use of this option sets use-syslog to "no". + # logfile: "" + + # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to + # log to. If yes, it overrides the logfile. + # use-syslog: yes + + # Log identity to report. if empty, defaults to the name of argv[0] + # (usually "unbound"). + # log-identity: "" + + # print UTC timestamp in ascii to logfile, default is epoch in seconds. + log-time-ascii: yes + + # print one line with time, IP, name, type, class for every query. + # log-queries: no + + # print one line per reply, with time, IP, name, type, class, rcode, + # timetoresolve, fromcache and responsesize. + # log-replies: no + + # log with tag 'query' and 'reply' instead of 'info' for + # filtering log-queries and log-replies from the log. + # log-tag-queryreply: no + + # log the local-zone actions, like local-zone type inform is enabled + # also for the other local zone types. + # log-local-actions: no + + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + + # the pid file. Can be an absolute path outside of chroot/work dir. + pidfile: "/var/run/unbound/unbound.pid" + + # file to read root hints from. + # get one from https://www.internic.net/domain/named.cache + # root-hints: "" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no + + # enable to not answer version.server and version.bind queries. + # hide-version: no + + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # enable to not answer trustanchor.unbound queries. + # hide-trustanchor: no + + # the identity to report. Leave "" or default to return hostname. + # identity: "" + + # the version to report. Leave "" or default to return package version. + # version: "" + + # the target fetch policy. + # series of integers describing the policy per dependency depth. + # The number of values in the list determines the maximum dependency + # depth the recursor will pursue before giving up. Each integer means: + # -1 : fetch all targets opportunistically, + # 0: fetch on demand, + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: yes + + # Harden against unseemly large queries. + # harden-large-queries: no + + # Harden against out of zone rrsets, to avoid spoofing attempts. + harden-glue: yes + + # Harden against receiving dnssec-stripped data. If you turn it + # off, failing to validate dnskey data for a trustanchor will + # trigger insecure mode for that zone (like without a trustanchor). + # Default on, which insists on dnssec data for trust-anchored zones. + harden-dnssec-stripped: yes + + # Harden against queries that fall under dnssec-signed nxdomain names. + harden-below-nxdomain: yes + + # Harden the referral path by performing additional queries for + # infrastructure data. Validates the replies (if possible). + # Default off, because the lookups burden the server. Experimental + # implementation of draft-wijngaards-dnsext-resolver-side-mitigation. + harden-referral-path: yes + + # Harden against algorithm downgrade when multiple algorithms are + # advertised in the DS record. If no, allows the weakest algorithm + # to validate the zone. + # harden-algo-downgrade: no + + # Sent minimum amount of information to upstream servers to enhance + # privacy. Only sent minimum required labels of the QNAME and set QTYPE + # to A when possible. + qname-minimisation: yes + + # QNAME minimisation in strict mode. Do not fall-back to sending full + # QNAME to potentially broken nameservers. A lot of domains will not be + # resolvable when this option in enabled. + # This option only has effect when qname-minimisation is enabled. + # qname-minimisation-strict: no + + # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN + # and other denials, using information from previous NXDOMAINs answers. + aggressive-nsec: yes + + # Use 0x20-encoded random bits in the query to foil spoof attempts. + # This feature is an experimental implementation of draft dns-0x20. + # use-caps-for-id: no + + # Domains (and domains in them) without support for dns-0x20 and + # the fallback fails because they keep sending different answers. + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" + + # Enforce privacy of these addresses. Strips them away from answers. + # It may cause DNSSEC validation to additionally mark it as bogus. + # Protects against 'DNS Rebinding' (uses browser as network proxy). + # Only 'private-domain' and 'local-data' names are allowed to have + # these private addresses. No default. + # private-address: 10.0.0.0/8 + # private-address: 172.16.0.0/12 + # private-address: 192.168.0.0/16 + # private-address: 169.254.0.0/16 + # private-address: fd00::/8 + # private-address: fe80::/10 + # private-address: ::ffff:0:0/96 + + # Allow the domain (and its subdomains) to contain private addresses. + # local-data statements are allowed to contain private addresses too. + # private-domain: "example.com" + + # If nonzero, unwanted replies are not only reported in statistics, + # but also a running total is kept per thread. If it reaches the + # threshold, a warning is printed and a defensive action is taken, + # the cache is cleared to flush potential poison out of it. + # A suggested value is 10000000, the default is 0 (turned off). + unwanted-reply-threshold: 10000000 + + # Do not query the following addresses. No DNS queries are sent there. + # List one address per entry. List classless netblocks with /size, + # do-not-query-address: 127.0.0.1/8 + # do-not-query-address: ::1 + + # if yes, the above default do-not-query-address entries are present. + # if no, localhost can be queried (for testing and debugging). + # do-not-query-localhost: yes + + # if yes, perform prefetching of almost expired message cache entries. + prefetch: yes + + # if yes, perform key lookups adjacent to normal lookups. + prefetch-key: yes + + # deny queries of type ANY with an empty response. + deny-any: yes + + # if yes, Unbound rotates RRSet order in response. + rrset-roundrobin: yes + + # if yes, Unbound doesn't insert authority/additional sections + # into response messages when those sections are not required. + minimal-responses: yes + + # true to disable DNSSEC lameness check in iterator. + # disable-dnssec-lame-check: no + + # module configuration of the server. A string with identifiers + # separated by spaces. Syntax: "[dns64] [validator] iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + module-config: "ipsecmod validator iterator" + + # File with trusted keys, kept uptodate using RFC5011 probes, + # initial file like trust-anchor-file, then it stores metadata. + # Use several entries, one per domain name, to track multiple zones. + # + # If you want to perform DNSSEC validation, run unbound-anchor before + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). + # auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # trust anchor signaling sends a RFC8145 key tag query after priming. + trust-anchor-signaling: yes + + # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) + root-key-sentinel: yes + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. + # Zone file format, with DS and DNSKEY entries. + # Note this gets out of date, use auto-trust-anchor-file please. + # trust-anchor-file: "" + + # Trusted key for validation. DS or DNSKEY. specify the RR on a + # single line, surrounded by "". TTL is ignored. class is IN default. + # Note this gets out of date, use auto-trust-anchor-file please. + # (These examples are from August 2007 and may not be valid anymore). + # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==" + # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A" + + # File with trusted keys for validation. Specify more than one file + # with several entries, one file per entry. Like trust-anchor-file + # but has a different file format. Format is BIND-9 style format, + # the trusted-keys { name flag proto algo "key"; }; clauses are read. + # you need external update procedures to track changes in keys. + # trusted-keys-file: "" + # + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + # Ignore chain of trust. Domain is treated as insecure. + # domain-insecure: "example.com" + + # Override the date for validation with a specific fixed date. + # Do not set this unless you are debugging signature inception + # and expiration. "" or "0" turns the feature off. -1 ignores date. + # val-override-date: "" + + # The time to live for bogus data, rrsets and messages. This avoids + # some of the revalidation, until the time interval expires. in secs. + # val-bogus-ttl: 60 + + # The signature inception and expiration dates are allowed to be off + # by 10% of the signature lifetime (expir-incep) from our local clock. + # This leeway is capped with a minimum and a maximum. In seconds. + # val-sig-skew-min: 3600 + # val-sig-skew-max: 86400 + + # Should additional section of secure message also be kept clean of + # unsecure data. Useful to shield the users of this validator from + # potential bogus data in the additional section. All unsigned data + # in the additional section is removed from secure messages. + val-clean-additional: yes + + # Turn permissive mode on to permit bogus messages. Thus, messages + # for which security checks failed will be returned to clients, + # instead of SERVFAIL. It still performs the security checks, which + # result in interesting log files and possibly the AD bit in + # replies if the message is found secure. The default is off. + # NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY + val-permissive-mode: no + + # Ignore the CD flag in incoming queries and refuse them bogus data. + # Enable it if the only clients of unbound are legacy servers (w2008) + # that set CD but cannot validate themselves. + # ignore-cd-flag: no + + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. + serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure + # that the expired records will be served as long as there are queries + # for it. + # serve-expired-ttl-reset: no + + # TTL value to use when replying with expired data. + # serve-expired-reply-ttl: 30 + # + # Time in milliseconds before replying to the client with expired data. + # This essentially enables the serve-stale behavior as specified in + # RFC 8767 that first tries to resolve before + # immediately responding with expired data. 0 disables this behavior. + # A recommended value is 1800. + # serve-expired-client-timeout: 0 + + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no + + # Have the validator log failed validations for your diagnosis. + # 0: off. 1: A line per failed user query. 2: With reason and bad IP. + val-log-level: 1 + + # It is possible to configure NSEC3 maximum iteration counts per + # keysize. Keep this table very short, as linear search is done. + # A message with an NSEC3 with larger count is marked insecure. + # List in ascending order the keysize and count values. + # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + + # instruct the auto-trust-anchor-file probing to add anchors after ttl. + # add-holddown: 2592000 # 30 days + + # instruct the auto-trust-anchor-file probing to del anchors after ttl. + # del-holddown: 2592000 # 30 days + + # auto-trust-anchor-file probing removes missing anchors after ttl. + # If the value 0 is given, missing anchors are not removed. + # keep-missing: 31622400 # 366 days + + # debug option that allows very small holddown times for key rollover, + # otherwise the RFC mandates probe intervals must be at least 1 hour. + # permit-small-holddown: no + + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 + + # the amount of memory to use for the negative cache. + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m + + # By default, for a number of zones a small default 'nothing here' + # reply is built-in. Query traffic is thus blocked. If you + # wish to serve such zone you can unblock them by uncommenting one + # of the nodefault statements below. + # You may also have to use domain-insecure: zone to make DNSSEC work, + # unless you have your own trust anchors for this zone. + # local-zone: "localhost." nodefault + # local-zone: "127.in-addr.arpa." nodefault + # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "onion." nodefault + # local-zone: "test." nodefault + # local-zone: "invalid." nodefault + # local-zone: "10.in-addr.arpa." nodefault + # local-zone: "16.172.in-addr.arpa." nodefault + # local-zone: "17.172.in-addr.arpa." nodefault + # local-zone: "18.172.in-addr.arpa." nodefault + # local-zone: "19.172.in-addr.arpa." nodefault + # local-zone: "20.172.in-addr.arpa." nodefault + # local-zone: "21.172.in-addr.arpa." nodefault + # local-zone: "22.172.in-addr.arpa." nodefault + # local-zone: "23.172.in-addr.arpa." nodefault + # local-zone: "24.172.in-addr.arpa." nodefault + # local-zone: "25.172.in-addr.arpa." nodefault + # local-zone: "26.172.in-addr.arpa." nodefault + # local-zone: "27.172.in-addr.arpa." nodefault + # local-zone: "28.172.in-addr.arpa." nodefault + # local-zone: "29.172.in-addr.arpa." nodefault + # local-zone: "30.172.in-addr.arpa." nodefault + # local-zone: "31.172.in-addr.arpa." nodefault + # local-zone: "168.192.in-addr.arpa." nodefault + # local-zone: "0.in-addr.arpa." nodefault + # local-zone: "254.169.in-addr.arpa." nodefault + # local-zone: "2.0.192.in-addr.arpa." nodefault + # local-zone: "100.51.198.in-addr.arpa." nodefault + # local-zone: "113.0.203.in-addr.arpa." nodefault + # local-zone: "255.255.255.255.in-addr.arpa." nodefault + # local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "d.f.ip6.arpa." nodefault + # local-zone: "8.e.f.ip6.arpa." nodefault + # local-zone: "9.e.f.ip6.arpa." nodefault + # local-zone: "a.e.f.ip6.arpa." nodefault + # local-zone: "b.e.f.ip6.arpa." nodefault + # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault + # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + + # Add example.com into ipset + # local-zone: "example.com" ipset + + # If unbound is running service for the local host then it is useful + # to perform lan-wide lookups to the upstream, and unblock the + # long list of local-zones above. If this unbound is a dns server + # for a network of computers, disabled is better and stops information + # leakage of local lan information. + # unblock-lan-zones: no + + # The insecure-lan-zones option disables validation for + # these zones, as if they were all listed as domain-insecure. + # insecure-lan-zones: no + + # a number of locally served zones can be configured. + # local-zone: + # local-data: "" + # o deny serves local data (if any), else, drops queries. + # o refuse serves local data (if any), else, replies with error. + # o static serves local data, else, nxdomain or nodata answer. + # o transparent gives local data, but resolves normally for other names + # o redirect serves the zone data for any subdomain in the zone. + # o nodefault can be used to normally resolve AS112 zones. + # o typetransparent resolves normally for other types and other names + # o inform acts like transparent, but logs client IP address + # o inform_deny drops queries and logs client IP address + # o inform_redirect redirects queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. + # o noview breaks out of that view towards global local-zones. + # + # defaults are localhost address, reverse for 127.0.0.1 and ::1 + # and nxdomain for AS112 zones. If you configure one of these zones + # the default content is omitted, or you can omit it with 'nodefault'. + # + # If you configure local-data without specifying local-zone, by + # default a transparent local-zone is created for the data. + # + # You can add locally served data with + # local-zone: "local." static + # local-data: "mycomputer.local. IN A 192.0.2.51" + # local-data: 'mytext.local TXT "content of text record"' + # + # You can override certain queries with + # local-data: "adserver.example.com A 127.0.0.1" + # + # You can redirect a domain to a fixed address with + # (this makes example.com, www.example.com, etc, all go to 192.0.2.3) + # local-zone: "example.com" redirect + # local-data: "example.com A 192.0.2.3" + # + # Shorthand to make PTR records, "IPv4 name" or "IPv6 name". + # You can also add PTR records using local-data directly, but then + # you need to do the reverse notation yourself. + # local-data-ptr: "192.0.2.3 www.example.com" + + include: /etc/unbound/local.d/*.conf + + # tag a localzone with a list of tag names (in "" with spaces between) + # local-zone-tag: "example.com" "tag2 tag3" + + # add a netblock specific override to a localzone, with zone type + # local-zone-override: "example.com" 192.0.2.0/24 refuse + + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. + # default is "" (disabled). requires restart to take effect. + # tls-service-key: "/etc/unbound/unbound_server.key" + # tls-service-pem: "/etc/unbound/unbound_server.pem" + # tls-port: 853 + # https-port: 443 + + # cipher setting for TLSv1.2 + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + + # Add the secret file for TLS Session Ticket. + # Secret file must be 80 bytes of random data. + # First key use to encrypt and decrypt TLS session tickets. + # Other keys use to decrypt only. + # requires restart to take effect. + # tls-session-ticket-keys: "path/to/secret_file1" + # tls-session-ticket-keys: "path/to/secret_file2" + + # request upstream over TLS (with plain DNS inside the TLS stream). + # Default is no. Can be turned on and off with unbound-control. + # tls-upstream: no + + # Certificates used to authenticate connections made upstream. + # tls-cert-bundle: "" + + # Add system certs to the cert bundle, from the Windows Cert Store + # tls-win-cert: no + + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 + + # Also serve tls on these port numbers (eg. 443, ...), by listing + # tls-additional-port: portno for each of the port numbers. + + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + + # Disable TLS for DNS-over-HTTP downstream service. + # http-notls-downstream: no + + # DNS64 prefix. Must be specified when DNS64 is use. + # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. + # dns64-prefix: 64:ff9b::0/96 + + # DNS64 ignore AAAA records for these domains and use A instead. + # dns64-ignore-aaaa: "example.com" + + # ratelimit for uncached, new queries, this limits recursion effort. + # ratelimiting is experimental, and may help against randomqueryflood. + # if 0(default) it is disabled, otherwise state qps allowed per zone. + # ratelimit: 0 + + # ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ratelimit-size: 4m + # ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ratelimit-slabs: 4 + + # 0 blocks when ratelimited, otherwise let 1/xth traffic through + # ratelimit-factor: 10 + + # override the ratelimit for a specific domain name. + # give this setting multiple times to have multiple overrides. + # ratelimit-for-domain: example.com 1000 + # override the ratelimits for all domains below a domain name + # can give this multiple times, the name closest to the zone is used. + # ratelimit-below-domain: com 1000 + + # global query ratelimit for all ip addresses. + # feature is experimental. + # if 0(default) it is disabled, otherwise states qps allowed per ip address + # ip-ratelimit: 0 + + # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m). + # ip-ratelimit-size: 4m + # ip ratelimit cache slabs, reduces lock contention if equal to cpucount. + # ip-ratelimit-slabs: 4 + + # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through + # ip-ratelimit-factor: 10 + + # Limit the number of connections simultaneous from a netblock + # tcp-connection-limit: 192.0.2.0/24 12 + + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + + # Specific options for ipsecmod. unbound needs to be configured with + # --enable-ipsecmod for these to take effect. + # + # Enable or disable ipsecmod (it still needs to be defined in + # module-config above). Can be used when ipsecmod needs to be + # enabled/disabled via remote-control(below). + # Fedora: module will be enabled on-demand by libreswan + ipsecmod-enabled: no + + # Path to executable external hook. It must be defined when ipsecmod is + # listed in module-config (above). + # ipsecmod-hook: "./my_executable" + ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook + + # When enabled unbound will reply with SERVFAIL if the return value of + # the ipsecmod-hook is not 0. + # ipsecmod-strict: no + # + # Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY. + # ipsecmod-max-ttl: 3600 + # + # Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for + # testing. + # ipsecmod-ignore-bogus: no + # + # Domains for which ipsecmod will be triggered. If not defined (default) + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" + +# Python config section. To enable: +# o use --with-pythonmodule to configure before compiling. +# o list python in the module-config string (above) to enable. +# It can be at the start, it gets validated results, or just before +# the iterator and process before DNSSEC validation. +# o and give a python-script to run. +python: + # Script file to load + # python-script: "/etc/unbound/ubmodule-tst.py" + +# Remote control config section. +remote-control: + # Enable remote control with unbound-control(8) here. + # set up the keys and certificates with unbound-control-setup. + # Note: required for unbound-munin package + control-enable: yes + + # Set to no and use an absolute path as control-interface to use + # a unix local named pipe for unbound-control. + # control-use-cert: yes + + # what interfaces are listened to for remote control. + # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. + # control-interface: 127.0.0.1 + # control-interface: ::1 + + # port number for remote control operations. + # control-port: 8953 + + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "no" + + # unbound server key file. + server-key-file: "/etc/unbound/unbound_server.key" + + # unbound server certificate file. + server-cert-file: "/etc/unbound/unbound_server.pem" + + # unbound-control key file. + control-key-file: "/etc/unbound/unbound_control.key" + + # unbound-control certificate file. + control-cert-file: "/etc/unbound/unbound_control.pem" + +# Stub and Forward zones +include: /etc/unbound/conf.d/*.conf + +# Stub zones. +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of nameservers. list zero or more +# nameservers by hostname or by ipaddress. If you set stub-prime to yes, +# the list is treated as priming hints (default is no). +# With stub-first yes, it attempts without the stub if it fails. +# Consider adding domain-insecure: name and local-zone: name nodefault +# to the server: section if the stub is a locally served zone. +# stub-zone: +# name: "example.com" +# stub-addr: 192.0.2.68 +# stub-prime: no +# stub-first: no +# stub-tls-upstream: no +# stub-no-cache: no +# stub-zone: +# name: "example.org" +# stub-host: ns.example.com. + +# You can now also dynamically create and delete stub-zone's using +# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8 + +# Forward zones +# Create entries like below, to make all queries for 'example.com' and +# 'example.org' go to the given list of servers. These servers have to handle +# recursion to other nameservers. List zero or more nameservers by hostname +# or by ipaddress. Use an entry with name "." to forward all queries. +# If you enable forward-first, it attempts without the forward if it fails. +# forward-zone: +# name: "example.com" +# forward-addr: 192.0.2.68 +# forward-addr: 192.0.2.73@5355 # forward to port 5355. +# forward-first: no +# forward-tls-upstream: no +# forward-no-cache: no +# forward-zone: +# name: "example.org" +# forward-host: fwd.example.com +# +# You can now also dynamically create and delete forward-zone's using +# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8 +# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8 + +# Authority zones +# The data for these zones is kept locally, from a file or downloaded. +# The data can be served to downstream clients, or used instead of the +# upstream (which saves a lookup to the upstream). The first example +# has a copy of the root for local usage. The second serves example.org +# authoritatively. zonefile: reads from file (and writes to it if you also +# download it), master: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from masters) sources of +# notifies. +auth-zone: + name: "." + for-downstream: no + for-upstream: yes + fallback-enabled: yes + master: 199.9.14.201 # b.root-servers.net + master: 192.33.4.12 # c.root-servers.net + master: 199.7.91.13 # d.root-servers.net + master: 192.5.5.241 # f.root-servers.net + master: 192.112.36.4 # g.root-servers.net + master: 193.0.14.129 # k.root-servers.net + master: 192.0.47.132 # xfr.cjr.dns.icann.org + master: 192.0.32.132 # xfr.lax.dns.icann.org + master: 2001:500:200::b # b.root-servers.net + master: 2001:500:2::c # c.root-servers.net + master: 2001:500:2d::d # d.root-servers.net + master: 2001:500:2f::f # f.root-servers.net + master: 2001:500:12::d0d # g.root-servers.net + master: 2001:7fd::1 # k.root-servers.net + master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org +# auth-zone: +# name: "example.org" +# for-downstream: yes +# for-upstream: yes +# zonefile: "example.org.zone" + +# Views +# Create named views. Name must be unique. Map views to requests using +# the access-control-view option. Views can contain zero or more local-zone +# and local-data options. Options from matching views will override global +# options. Global options will be used if no matching view is found. +# With view-first yes, it will try to answer using the global local-zone and +# local-data elements if there is no view specific match. +# view: +# name: "viewname" +# local-zone: "example.com" redirect +# local-data: "example.com A 192.0.2.3" +# local-data-ptr: "192.0.2.3 www.example.com" +# view-first: no +# view: +# name: "anotherview" +# local-zone: "example.com" refuse + +# Fedora: DNSCrypt support not enabled since it requires linking to +# another crypto library +# +# DNSCrypt +# Caveats: +# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage +# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to +# listen on `dnscrypt-port` with the follo0wing snippet: +# server: +# interface: 0.0.0.0@443 +# interface: ::0@443 +# +# Finally, `dnscrypt` config has its own section. +# dnscrypt: +# dnscrypt-enable: yes +# dnscrypt-port: 443 +# dnscrypt-provider: 2.dnscrypt-cert.example.com. +# dnscrypt-secret-key: /path/unbound-conf/keys1/1.key +# dnscrypt-secret-key: /path/unbound-conf/keys2/1.key +# dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert +# dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert + +# CacheDB +# Enable external backend DB as auxiliary cache. Specify the backend name +# (default is "testframe", which has no use other than for debugging and +# testing) and backend-specific options. The 'cachedb' module must be +# included in module-config, just before the iterator module. +# cachedb: +# backend: "testframe" +# # secret seed string to calculate hashed keys +# secret-seed: "default" +# +# # For "redis" backend: +# # redis server's IP address or host name +# redis-server-host: 127.0.0.1 +# # redis server's TCP port +# redis-server-port: 6379 +# # timeout (in ms) for communication with the redis server +# redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no + +# IPSet +# Add specify domain into set via ipset. +# Note: To enable ipset unbound needs to run as root user. +# ipset: +# # set name for ip v4 addresses +# name-v4: "list-v4" +# # set name for ip v6 addresses +# name-v6: "list-v6" +# + +# Dnstap logging support, if compiled in. To enable, set the dnstap-enable +# to yes and also some of dnstap-log-..-messages to yes. And select an +# upstream log destination, by socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "/etc/unbound/dnstap.sock" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress[@port]" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. +# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + +# Response Policy Zones +# RPZ policies. Applied in order of configuration. QNAME and Response IP +# Address trigger are the only supported triggers. Supported actions are: +# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from +# file, using zone transfer, or using HTTP. The respip module needs to be added +# to the module-config, e.g.: module-config: "respip validator iterator". +# rpz: +# name: "rpz.example.com" +# zonefile: "rpz.example.com" +# primary: 192.0.2.0 +# allow-notify: 192.0.2.0/32 +# url: http://www.example.com/rpz.example.org.zone +# rpz-action-override: cname +# rpz-cname-override: www.example.org +# rpz-log: yes +# rpz-log-name: "example policy" +# tags: "example" diff --git a/SOURCES/unbound.munin b/SOURCES/unbound.munin new file mode 100644 index 0000000..9056575 --- /dev/null +++ b/SOURCES/unbound.munin @@ -0,0 +1,11 @@ +# +# For this plugin to work, unbound.conf needs to have: +# remote-control: control-enable: yes +# +[unbound*] +user root +env.statefile /var/lib/munin/plugin-state/unbound-state +env.unbound_conf /etc/unbound/unbound.conf +env.unbound_control /usr/sbin/unbound-control +env.spoof_warn 1000 +env.spoof_crit 100000 diff --git a/SOURCES/unbound.service b/SOURCES/unbound.service new file mode 100644 index 0000000..49dc7bd --- /dev/null +++ b/SOURCES/unbound.service @@ -0,0 +1,19 @@ +[Unit] +Description=Unbound recursive Domain Name Server +After=network.target +After=unbound-keygen.service +Wants=unbound-keygen.service +Wants=unbound-anchor.timer +Before=nss-lookup.target +Wants=nss-lookup.target + +[Service] +Type=simple +EnvironmentFile=-/etc/sysconfig/unbound +ExecStartPre=/usr/sbin/unbound-checkconf +ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ]; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi' +ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS +ExecReload=/usr/sbin/unbound-control reload + +[Install] +WantedBy=multi-user.target diff --git a/SOURCES/unbound.sysconfig b/SOURCES/unbound.sysconfig new file mode 100644 index 0000000..fae3306 --- /dev/null +++ b/SOURCES/unbound.sysconfig @@ -0,0 +1,3 @@ +# for extra debug, add "-v -v" or change verbosity: in unbound.conf + +UNBOUND_OPTIONS="" diff --git a/SOURCES/unbound_munin_ b/SOURCES/unbound_munin_ new file mode 100644 index 0000000..779532d --- /dev/null +++ b/SOURCES/unbound_munin_ @@ -0,0 +1,553 @@ +#!/bin/sh +# +# plugin for munin to monitor usage of unbound servers. +# +# (C) 2008 W.C.A. Wijngaards. BSD Licensed. +# +# To install; enable statistics and unbound-control in unbound.conf +# server: extended-statistics: yes +# statistics-cumulative: no +# statistics-interval: 0 +# remote-control: control-enable: yes +# Run the command unbound-control-setup to generate the key files. +# +# Environment variables for this script +# statefile - where to put temporary statefile. +# unbound_conf - where the unbound.conf file is located. +# unbound_control - where to find unbound-control executable. +# spoof_warn - what level to warn about spoofing +# spoof_crit - what level to crit about spoofing +# +# You can set them in your munin/plugin-conf.d/plugins.conf file +# with: +# [unbound*] +# user root +# env.statefile /usr/local/var/munin/plugin-state/unbound-state +# env.unbound_conf /usr/local/etc/unbound/unbound.conf +# env.unbound_control /usr/local/sbin/unbound-control +# env.spoof_warn 1000 +# env.spoof_crit 100000 +# +# This plugin can create different graphs depending on what name +# you link it as (with ln -s) into the plugins directory +# You can link it multiple times. +# If you are only a casual user, the _hits and _by_type are most interesting, +# possibly followed by _by_rcode. +# +# unbound_munin_hits - base volume, cache hits, unwanted traffic +# unbound_munin_queue - to monitor the internal requestlist +# unbound_munin_memory - memory usage +# unbound_munin_by_type - incoming queries by type +# unbound_munin_by_class - incoming queries by class +# unbound_munin_by_opcode - incoming queries by opcode +# unbound_munin_by_rcode - answers by rcode, validation status +# unbound_munin_by_flags - incoming queries by flags +# unbound_munin_histogram - histogram of query resolving times +# +# Magic markers - optional - used by installation scripts and +# munin-config: +# +#%# family=contrib +#%# capabilities=autoconf suggest + +# POD documentation +: <<=cut +=head1 NAME + +unbound_munin_ - Munin plugin to monitor the Unbound DNS resolver. + +=head1 APPLICABLE SYSTEMS + +System with unbound daemon. + +=head1 CONFIGURATION + + [unbound*] + user root + env.statefile /var/lib/munin/plugin-state/unbound-state + env.unbound_conf /etc/unbound/unbound.conf + env.unbound_control /usr/sbin/unbound-control + env.spoof_warn 1000 + env.spoof_crit 100000 + +Use the .env settings to override the defaults. + +=head1 USAGE + +Can be used to present different graphs. Use ln -s for that name in +the plugins directory to enable the graph. +unbound_munin_hits - base volume, cache hits, unwanted traffic +unbound_munin_queue - to monitor the internal requestlist +unbound_munin_memory - memory usage +unbound_munin_by_type - incoming queries by type +unbound_munin_by_class - incoming queries by class +unbound_munin_by_opcode - incoming queries by opcode +unbound_munin_by_rcode - answers by rcode, validation status +unbound_munin_by_flags - incoming queries by flags +unbound_munin_histogram - histogram of query resolving times + +=head1 AUTHOR + +Copyright 2008 W.C.A. Wijngaards + +=head1 LICENSE + +BSD + +=cut + +state=${statefile:-/var/lib/munin/plugin-state/unbound-state} +conf=${unbound_conf:-/etc/unbound/unbound.conf} +ctrl=${unbound_control:-/usr/sbin/unbound-control} +warn=${spoof_warn:-1000} +crit=${spoof_crit:-100000} +lock=$state.lock + +# number of seconds between polling attempts. +# makes the statefile hang around for at least this many seconds, +# so that multiple links of this script can share the results. +lee=55 + +# to keep things within 19 characters +ABBREV="-e s/total/t/ -e s/thread/t/ -e s/num/n/ -e s/query/q/ -e s/answer/a/ -e s/unwanted/u/ -e s/requestlist/ql/ -e s/type/t/ -e s/class/c/ -e s/opcode/o/ -e s/rcode/r/ -e s/edns/e/ -e s/mem/m/ -e s/cache/c/ -e s/mod/m/" + +# get value from $1 into return variable $value +get_value ( ) { + value="`grep '^'$1'=' $state | sed -e 's/^.*=//'`" + if test "$value"x = ""x; then + value="0" + fi +} + +# download the state from the unbound server. +get_state ( ) { + # obtain lock for fetching the state + # because there is a race condition in fetching and writing to file + + # see if the lock is stale, if so, take it + if test -f $lock ; then + pid="`cat $lock 2>&1`" + kill -0 "$pid" >/dev/null 2>&1 + if test $? -ne 0 -a "$pid" != $$ ; then + echo $$ >$lock + fi + fi + + i=0 + while test ! -f $lock || test "`cat $lock 2>&1`" != $$; do + while test -f $lock; do + # wait + i=`expr $i + 1` + if test $i -gt 1000; then + sleep 1; + fi + if test $i -gt 1500; then + echo "error locking $lock" "=" `cat $lock` + rm -f $lock + exit 1 + fi + done + # try to get it + echo $$ >$lock + done + # do not refetch if the file exists and only LEE seconds old + if test -f $state; then + now=`date +%s` + get_value "time.now" + value="`echo $value | sed -e 's/\..*$//'`" + if test $now -lt `expr $value + $lee`; then + rm -f $lock + return + fi + fi + $ctrl -c $conf stats > $state + if test $? -ne 0; then + echo "error retrieving data from unbound server" + rm -f $lock + exit 1 + fi + rm -f $lock +} + +if test "$1" = "autoconf" ; then + if test ! -f $conf; then + echo no "($conf does not exist)" + exit 1 + fi + if test ! -d `dirname $state`; then + echo no "($state directory does not exist)" + exit 1 + fi + echo yes + exit 0 +fi + +if test "$1" = "suggest" ; then + echo "hits" + echo "queue" + echo "memory" + echo "by_type" + echo "by_class" + echo "by_opcode" + echo "by_rcode" + echo "by_flags" + echo "histogram" + exit 0 +fi + +# determine my type, by name +id=`echo $0 | sed -e 's/^.*unbound_munin_//'` +if test "$id"x = ""x; then + # some default to keep people sane. + id="hits" +fi + +# if $1 exists in statefile, config is echoed with label $2 +exist_config ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + if grep '^'$1'=' $state >/dev/null 2>&1; then + echo "$mn.label $2" + echo "$mn.min 0" + fi +} + +# print label and min 0 for a name $1 in unbound format +p_config ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + echo $mn.label "$2" + echo $mn.min 0 +} + +if test "$1" = "config" ; then + if test ! -f $state; then + get_state + fi + case $id in + hits) + echo "graph_title Unbound DNS traffic and cache hits" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in thread0.num.queries thread1.num.queries \ + thread2.num.queries thread3.num.queries thread4.num.queries \ + thread5.num.queries thread6.num.queries thread7.num.queries; do + exist_config $x "queries handled by `basename $x .num.queries`" + done + p_config "total.num.queries" "total queries from clients" + p_config "total.num.cachehits" "cache hits" + p_config "total.num.prefetch" "cache prefetch" + p_config "num.query.tcp" "TCP queries" + p_config "num.query.ipv6" "IPv6 queries" + p_config "unwanted.queries" "queries that failed acl" + p_config "unwanted.replies" "unwanted or unsolicited replies" + echo "u_replies.warning $warn" + echo "u_replies.critical $crit" + echo "graph_info DNS queries to the recursive resolver. The unwanted replies could be innocent duplicate packets, late replies, or spoof threats." + ;; + queue) + echo "graph_title Unbound requestlist size" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel number of queries" + echo "graph_category DNS" + p_config "total.requestlist.avg" "Average size of queue on insert" + p_config "total.requestlist.max" "Max size of queue (in 5 min)" + p_config "total.requestlist.overwritten" "Number of queries replaced by new ones" + p_config "total.requestlist.exceeded" "Number of queries dropped due to lack of space" + echo "graph_info The queries that did not hit the cache and need recursion service take up space in the requestlist. If there are too many queries, first queries get overwritten, and at last resort dropped." + ;; + memory) + echo "graph_title Unbound memory usage" + echo "graph_args --base 1024 -l 0" + echo "graph_vlabel memory used in bytes" + echo "graph_category DNS" + p_config "mem.total.sbrk" "Total memory" + p_config "mem.cache.rrset" "RRset cache memory" + p_config "mem.cache.message" "Message cache memory" + p_config "mem.mod.iterator" "Iterator module memory" + p_config "mem.mod.validator" "Validator module and key cache memory" + echo "graph_info The memory used by unbound." + ;; + by_type) + echo "graph_title Unbound DNS queries by type" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.type" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.type.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by DNS RR type queried for" + ;; + by_class) + echo "graph_title Unbound DNS queries by class" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.class" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.class.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by DNS RR class queried for." + ;; + by_opcode) + echo "graph_title Unbound DNS queries by opcode" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + for x in `grep "^num.query.opcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.query.opcode.//` + p_config "$nm" "$tp" + done + echo "graph_info queries by opcode in the query packet." + ;; + by_rcode) + echo "graph_title Unbound DNS answers by return code" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel answer packets / second" + echo "graph_category DNS" + for x in `grep "^num.answer.rcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + tp=`echo $nm | sed -e s/num.answer.rcode.//` + p_config "$nm" "$tp" + done + p_config "num.answer.secure" "answer secure" + p_config "num.answer.bogus" "answer bogus" + p_config "num.rrset.bogus" "num rrsets marked bogus" + echo "graph_info answers sorted by return value. rrsets bogus is the number of rrsets marked bogus per second by the validator" + ;; + by_flags) + echo "graph_title Unbound DNS incoming queries by flags" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + p_config "num.query.flags.QR" "QR (query reply) flag" + p_config "num.query.flags.AA" "AA (auth answer) flag" + p_config "num.query.flags.TC" "TC (truncated) flag" + p_config "num.query.flags.RD" "RD (recursion desired) flag" + p_config "num.query.flags.RA" "RA (rec avail) flag" + p_config "num.query.flags.Z" "Z (zero) flag" + p_config "num.query.flags.AD" "AD (auth data) flag" + p_config "num.query.flags.CD" "CD (check disabled) flag" + p_config "num.query.edns.present" "EDNS OPT present" + p_config "num.query.edns.DO" "DO (DNSSEC OK) flag" + echo "graph_info This graphs plots the flags inside incoming queries. For example, if QR, AA, TC, RA, Z flags are set, the query can be rejected. RD, AD, CD and DO are legitimately set by some software." + ;; + histogram) + echo "graph_title Unbound DNS histogram of reply time" + echo "graph_args --base 1000 -l 0" + echo "graph_vlabel queries / second" + echo "graph_category DNS" + echo hcache.label "cache hits" + echo hcache.min 0 + echo hcache.draw AREA + echo hcache.colour 999999 + echo h64ms.label "0 msec - 66 msec" + echo h64ms.min 0 + echo h64ms.draw STACK + echo h64ms.colour 0000FF + echo h128ms.label "66 msec - 131 msec" + echo h128ms.min 0 + echo h128ms.colour 1F00DF + echo h128ms.draw STACK + echo h256ms.label "131 msec - 262 msec" + echo h256ms.min 0 + echo h256ms.draw STACK + echo h256ms.colour 3F00BF + echo h512ms.label "262 msec - 524 msec" + echo h512ms.min 0 + echo h512ms.draw STACK + echo h512ms.colour 5F009F + echo h1s.label "524 msec - 1 sec" + echo h1s.min 0 + echo h1s.draw STACK + echo h1s.colour 7F007F + echo h2s.label "1 sec - 2 sec" + echo h2s.min 0 + echo h2s.draw STACK + echo h2s.colour 9F005F + echo h4s.label "2 sec - 4 sec" + echo h4s.min 0 + echo h4s.draw STACK + echo h4s.colour BF003F + echo h8s.label "4 sec - 8 sec" + echo h8s.min 0 + echo h8s.draw STACK + echo h8s.colour DF001F + echo h16s.label "8 sec - ..." + echo h16s.min 0 + echo h16s.draw STACK + echo h16s.colour FF0000 + echo "graph_info Histogram of the reply times for queries." + ;; + esac + + exit 0 +fi + +# do the stats itself +get_state + +# get the time elapsed +get_value "time.elapsed" +if test $value = 0 || test $value = "0.000000"; then + echo "error: time elapsed 0 or could not retrieve data" + exit 1 +fi +elapsed="$value" + +# print value for $1 / elapsed +print_qps ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + get_value $1 + echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` +} + +# print qps if line already found in $2 +print_qps_line ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + value="`echo $2 | sed -e 's/^.*=//'`" + echo "$mn.value" `echo scale=6';' $value / $elapsed | bc ` +} + +# print value for $1 +print_value ( ) { + mn=`echo $1 | sed $ABBREV | tr . _` + get_value $1 + echo "$mn.value" $value +} + +case $id in +hits) + for x in thread0.num.queries thread1.num.queries thread2.num.queries \ + thread3.num.queries thread4.num.queries thread5.num.queries \ + thread6.num.queries thread7.num.queries total.num.queries \ + total.num.cachehits total.num.prefetch num.query.tcp \ + num.query.ipv6 unwanted.queries unwanted.replies; do + if grep "^"$x"=" $state >/dev/null 2>&1; then + print_qps $x + fi + done + ;; +queue) + for x in total.requestlist.avg total.requestlist.max \ + total.requestlist.overwritten total.requestlist.exceeded; do + print_value $x + done + ;; +memory) + mn=`echo mem.total.sbrk | sed $ABBREV | tr . _` + get_value 'mem.total.sbrk' + if test $value -eq 0; then + chk=`echo $ctrl | sed -e 's/-control$/-checkconf/'` + pidf=`$chk -o pidfile $conf 2>&1` + pid=`cat $pidf 2>&1` + value=`ps -p "$pid" -o rss= 2>&1` + if test "`expr $value + 1 - 1 2>&1`" -eq "$value" 2>&1; then + value=`expr $value \* 1024` + else + value=0 + fi + fi + echo "$mn.value" $value + for x in mem.cache.rrset mem.cache.message \ + mem.mod.iterator mem.mod.validator; do + print_value $x + done + ;; +by_type) + for x in `grep "^num.query.type" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_class) + for x in `grep "^num.query.class" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_opcode) + for x in `grep "^num.query.opcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + ;; +by_rcode) + for x in `grep "^num.answer.rcode" $state`; do + nm=`echo $x | sed -e 's/=.*$//'` + print_qps_line $nm $x + done + print_qps "num.answer.secure" + print_qps "num.answer.bogus" + print_qps "num.rrset.bogus" + ;; +by_flags) + for x in num.query.flags.QR num.query.flags.AA num.query.flags.TC num.query.flags.RD num.query.flags.RA num.query.flags.Z num.query.flags.AD num.query.flags.CD num.query.edns.present num.query.edns.DO; do + print_qps $x + done + ;; +histogram) + get_value total.num.cachehits + echo hcache.value `echo scale=6';' $value / $elapsed | bc ` + r=0 + for x in histogram.000000.000000.to.000000.000001 \ + histogram.000000.000001.to.000000.000002 \ + histogram.000000.000002.to.000000.000004 \ + histogram.000000.000004.to.000000.000008 \ + histogram.000000.000008.to.000000.000016 \ + histogram.000000.000016.to.000000.000032 \ + histogram.000000.000032.to.000000.000064 \ + histogram.000000.000064.to.000000.000128 \ + histogram.000000.000128.to.000000.000256 \ + histogram.000000.000256.to.000000.000512 \ + histogram.000000.000512.to.000000.001024 \ + histogram.000000.001024.to.000000.002048 \ + histogram.000000.002048.to.000000.004096 \ + histogram.000000.004096.to.000000.008192 \ + histogram.000000.008192.to.000000.016384 \ + histogram.000000.016384.to.000000.032768 \ + histogram.000000.032768.to.000000.065536; do + get_value $x + r=`expr $r + $value` + done + echo h64ms.value `echo scale=6';' $r / $elapsed | bc ` + get_value histogram.000000.065536.to.000000.131072 + echo h128ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.131072.to.000000.262144 + echo h256ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.262144.to.000000.524288 + echo h512ms.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000000.524288.to.000001.000000 + echo h1s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000001.000000.to.000002.000000 + echo h2s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000002.000000.to.000004.000000 + echo h4s.value `echo scale=6';' $value / $elapsed | bc ` + get_value histogram.000004.000000.to.000008.000000 + echo h8s.value `echo scale=6';' $value / $elapsed | bc ` + r=0 + for x in histogram.000008.000000.to.000016.000000 \ + histogram.000016.000000.to.000032.000000 \ + histogram.000032.000000.to.000064.000000 \ + histogram.000064.000000.to.000128.000000 \ + histogram.000128.000000.to.000256.000000 \ + histogram.000256.000000.to.000512.000000 \ + histogram.000512.000000.to.001024.000000 \ + histogram.001024.000000.to.002048.000000 \ + histogram.002048.000000.to.004096.000000 \ + histogram.004096.000000.to.008192.000000 \ + histogram.008192.000000.to.016384.000000 \ + histogram.016384.000000.to.032768.000000 \ + histogram.032768.000000.to.065536.000000 \ + histogram.065536.000000.to.131072.000000 \ + histogram.131072.000000.to.262144.000000 \ + histogram.262144.000000.to.524288.000000; do + get_value $x + r=`expr $r + $value` + done + echo h16s.value `echo scale=6';' $r / $elapsed | bc ` + ;; +esac diff --git a/SOURCES/wouter.nlnetlabs.nl.key b/SOURCES/wouter.nlnetlabs.nl.key new file mode 100644 index 0000000..f932293 --- /dev/null +++ b/SOURCES/wouter.nlnetlabs.nl.key @@ -0,0 +1,212 @@ + + + + +Public Key Server -- Get "0x9f6f1c2d7e045f8d " + +

Public Key Server -- Get "0x9f6f1c2d7e045f8d "

+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: sks.pod02.fleetstreetops.com
+
+mQINBE2v/RwBEACyQpJlpCeSZBV1QUH7jNEp5xGdo6OnX2h9XoZ4ZPsb+u6OT+xESH45ncnI
+SUh8rPCygbeWOoPR/yOBzh+lYoGxQ5iUHtwRrhHq04sQe/qFpXDO2xs61pTcPU2PnH7Rsr2q
+p6fZLPHuXLolD7NJfaSib8sVeMM0/ecyl/L2bBg9NpaGDX0xTQh95M8o6AFo6UKWApBpgsvE
+Zr2aH/B8b9KnCWFhfJyheEM7DamksdZNsKxXQyq3l/ROfdsMLZGF8vPbYV/v11G4keyaLpn8
+AbBpybIiw9SYDwf2ENk3+e1NFfMaiiyEqn9+aaLTKCY87TMUuoN3s3jWOOy5tHXzf6DbKhub
+4Awsby3DH5YpPhi4N2vj2pAXVpl5+m78cH29JLzT+HAoyZ4tq1r3m0P5QogNqYwqxkKWYOjD
+ilNDBiKiDdgtrLYGx+ABovKG/FvToJoaCL4AFaVCzWmL2uHkSgyBN0FPHatCB1UeEkcQit6T
+8E2NQqmFWjUMXSWHHajSMG95+L5PdLHz/Ku0o3Csvlt2pkElYZmzJBfnOM9JevdsmKr/ruJC
+/DCZAn5w2S/9ZF5qfo2F9HUKIwE/dChR29HcN8V4nqZs9oCvEMfFhHmrfwDc5hedhvb6mAkv
+SFFtKIrygLIVeWRj3FE9sGp6sr4VwOLYTFRNk7mAsWD1rZApeQARAQABtCdXLkMuQS4gV2lq
+bmdhYXJkcyA8d291dGVyQG5sbmV0bGFicy5ubD6IRgQQEQIABgUCThRSKQAKCRD5yv3rOc/E
+3iiwAJ0SIjqFSwBm7sEZf2nn4JhkWKoG0gCfTD0g9RhtJFZa+0rdtMGUpYtDA1aIRgQQEQIA
+BgUCT/FYZQAKCRDidkIqx06dxeI6AJ9JZvcA78yRPDAMS+TklrNhFbEixgCgwiltuquOD4Qw
+vTS+NZr1ECUit8+IRgQTEQIABgUCTa///wAKCRCQMuo3A6Gk+Ot2AKCi4IvI/AT2kSzy0pWH
+Zfrpl93zlACZAaBqkUKcA1jxk8HtqDYtuCRhSfiIRgQTEQIABgUCTb7dfwAKCRCL5TxDRLCU
+K/4yAJ9Zgx/YRiu/X+KLDTQoYXTxNNbCHACfcBLrfl5uABiyOzBC+/R5rXnoRaqIRgQTEQIA
+BgUCV+zVuQAKCRAjc9NHiaFq+OY4AKC6GV6dlBdvo4bEaJpWPHh9WShqIwCgjJi+haVoUR52
+ovPF0zsXx6/um+GITAQTEQIADAUCTbAJsgWDCWX06gAKCRC039xrdgkihyx4AJ9iuMMszOpC
+jRYkVjTgmDyVmAA5uACg7qmMbKb03FbTFdd5VG5/6RTiPtSJARwEEAECAAYFAlTvL9UACgkQ
+lumWUDlMmaxLZgf/WeQK3FqemgsgcNCfkPuE9XpSdyJhQ+n1Yb6tAK4osry7H3lFBQIKTpmX
+SxauZDazYt6G4BYWsA0ARBwZVOaEaIbFRHFWs3/SLynNf9ZGBw8FumIMlEw3+tUdZck6u7pU
+q1OFeL1HWRLEC/njyLe7zAFHHWwMUIL9ZAZGiknADbqiiyF/JTcv4cpfNhdRAFzRriUJ2zYf
+0r6vKnf8pjc9QfDricAq/WzfANycfaSqx5GEBokxZY3lq/oLe4dGpZmrGecvBMtmTRHAG0Ln
+sNwXVujej3sU0vfhkZ1A0lnKoZCOTwGTPkL3dkOwbUdoYiYakTjM8NKav/TxNDxdaG/QbYkB
+HAQQAQgABgUCVnyBkgAKCRAIbcKm1AudBFrsB/9oKXW7oiQ7eJJ036fsfM5UODQGoXc1XO0R
+TEV/8pBRSDhqOVwRUsPqgtU6p2UWJbwxgB7MmPt3Z4cXs+ff1jkTzn/iefMyB7W6NogotrTt
+Nlj8x30Y9dVJB4KSHnQW2Gsf/OmZM9cDBAuyK3j3yLWkn65FRKVoH/4sYil1Tm/ogEC8vdvX
+RpwsCaZG8HOLDphjjU0JErE1jWk2L+P0TeGCmbrsfhORxTaCROjvcJ0fQsdX7kcA262iRrU0
+xDlBBYZA9wyGfd4wf+zIt7LcVBjNNvIUdUC3Uf0prYJawaG2/YV6R7eY4ooJxTutadugLmZp
+fBRiITflLZssO3YAW9RxiQEcBBMBCgAGBQJU7y/ZAAoJEMFDUWYtzEe6MyQIALSGlZ4X0LJw
+6zNoHGVxC0P911NBtDRO2/Hfg38UMT8KjQ1jOynm1KZm67viNOVGRGWar23PNppofpViZSlQ
+xUXUyLXVajcV9klg7RV7GC/3P2dvrCjELHXJ6w8qrcUKDighjbdctHXiQ9W5nU1IWPTLdg+z
+cvTbSVybvLwcbu5kzUzlYvesetJjSWnU9PXswed2cN9sqN3ikrWlYv4qHp6RwrLBN/VjZQov
+AxXN68PHxLz8GNxZTO9Aa4j4CheejXPVHDhqqw/K0XI86hnvZX7kwy4KBq/o4Kl+fstaOM6T
+571D2fljTVztmsKZBhiuKm1t8/Ltoifch+bpFx5AZkaJAhwEEAECAAYFAk2+3aIACgkQi0GC
+sRlrLScyHw//accdcVbHGYLwS0imk5SMEJX2bdu87uXqseeMU5OhnYip4ySQ727VihGYkhmL
+c/o1dIEznvFudWc/fMEi0x3R5J53Qbt3XQEUjOgZUoeomQJCItoJsDRoItvgdUvj3o6hVWhu
++8PL6oC2J/JAHvfsMKiaTBHrUcNdgovLPGo5bcZCJwOxqPLYPLW2fCkanY9EhbyVAsFIiuH4
++8tSDnqrgZFATyDqhqAYP96CanJrSalB6l/2r10q3V/OxcyCwys5w54FExhQAhpwThpbpFcK
+kBrM647ak7x8dZha4C/RltwkFn6jFp2sNUSEa0USTOTyDw7WkqgZZOWvauQ+fKgSOJwWU+MR
+cs11bNEGtwBu+wPheeyAlITu7A9PIrMZTmmJKy124I7ZvfXF3NZrHVm2KanLaWqHrso8tYg4
+9C7ptSCEZlgLHaeOl1wOOLbH6OneB3mQqf2u0elWYv64sbEqmFwd0C4rFeT7VSFSDLc1AsZB
+zc4WveDPnjzMXE2KLIwP+/x+betpntuYKYzYov0fryS79fjwu5JGh0gfEDITSta+tPRAYqKf
+mCt/jpeZxUQBfI6SW6LyP2Go8uYlbplV5IJuZ04c2Pr/9G/e3vh4O/kJmDZo4EX9op9TKJpg
+w/shReVuUAP9E24rD0oEyiWnHu/ZsgMtaVKQc2SsIghSG8eJAhwEEAEKAAYFAlTvL+sACgkQ
+V0EnLQMH4n8IuA//cZqhGvBiSNpRkSjjZWu5BY7fhMOdshiVPkEZmILRytnXnxVcu+PuuIk0
+kXfgt/jcS762dBZK3UOVAAsGsLfkisLN18UGWKhokNUWybSmdmhTb6Ns5tJbZfnFTaSjA3Gk
+Z+R/U8O1tNHTmqBfYHTSq8utpIi1JEJRf5itUYytP75nt0rnjpYTFEbvKgukgZldLDk581Zc
+x4Y6pj1ILrxtqF369yBtYIEkHFcYDuXsApTIXY1G4V5mq4t9QCk07E2ZKZ2aJjaCA7VeD+vR
+8Z50oyu4kuc1RdFnP8TfQUAr/tYIFinuzKSqELu9b+JSPO3qawXaq9Y+X42XWkeQSeu7SNl2
+xqe1uVhHd8qduf8U438fUOBeY+gpae9e2IPbErU+itmd+m+WlHp8FUH2pS6VlXXhBrBPEZ3+
+8ph9wUtSAenFVyT1leu21pMuP2nNpD2nTsNlYcX9gA/vkA7bQyOtaEOC+8zNHtZYhx4u/nmI
++yZ4Cc95CmfwTE0/fRX+T+jK2x5ZGRZMudygnKRbnod+OgnNVBWIykGSzULKgLY9i5PlxCA2
+a7FUoLpIOW4OJSgo6WNsBc3j48RjqNm3cUcLco1kDcoGaQ43dGyLVGMlB332u6m2W+g+AwGm
+vhJQh3yy5XYvRXRzfiHvWUok8ess1/0qSRua22JY14KBxJF80EeJAhwEEwECAAYFAk2wI04A
+CgkQ5fj4IS93pJjaOw/8DG4fn6z4LYmY3MsLNu2Efg9YflaWPkD+z0iLPGUHhrzObIIMfGL0
+kpqYJSbvYqYUSIR8AjQGwRrJVidBqOX9bK7ZVPPvsX61hjt6e0T0O2Q6JuDMCfseiseLBo/a
+6DJu2P7LfDNGaath0WMonOxnqs+kRG8SVyTqmbnyC0AwthgYB57CIyNuz3MPkQr7pJNmyWFv
+kUYs7Z2Awq0hyD9M1KAV8igqFGYjrZAJoSv1nX6OzGRCSFmxqKwmCd7OtHLpqdNHos5CLhrj
+ouLJwiNt8gv7w06owYFxEsctAGqjVjvvtD0L19Skp3jgLAro6x53UFUtxm+Z/8YLLh+lNHJx
+JMDQu5CpSn3zLwRkF/cYgINOa1CS1yceynlbRGxrIb2vSfmnZeNZ2cTwedM/+9C044DfIB1y
+9FmmZBaXOaA4ITjvcEf2FpFn9MdF+zN8N8AN5m1y/qftFqgG0P40AQ0hQAhk+F8JxD7wVh65
+jcj62f287L1h8EDo/NE1JH8dAb9dUlJQeohAkiIMurDYLYRop9u+ogtUtRpMKXTwgNUanIq7
+oTYpNunbI1NUXc9Fdi9Z8OYZagHlo4v6T3fqvaRbGElncoF6faz7les2zh2S8etACX7mNsxV
+c6kXIpdHqoHKGShdxtb+PhRirbIxdCzlFstk5c9zpsCJCr/yu+pCL6KJAiIEEAECAAwFAk2w
+CcoFgwll9NIACgkQVGoRHjtqqmQGaRAAuHuKIupTerS7qrEIkyOvECN06fg+U/caYv3Qpue0
+4ZC2aIk4oK/7wsuhEsMLCL3J1JFYCCmbc0QfYBtzIM5lu9SX7/1R8/+VnCvYvME8tKdMdQAM
+BWq4ZG5Bi9rH8j+450mjgmPRC0s8tmmfp62gB9zBAd/poVZQOVSUV43HE3n6Vkxj0ediGEmw
+GakB2pPtAY7HAaLxRdXidwjNTzpAz7JPinoZgpz/MYseuxSSyhIqqREYn/ynX1+YQhu1l4X6
+rpIsVWawMv93PhO42Y3Ny6SvC/hnZ1J+Y359quClHTQ/ogrbZrbhlKtpJNeNOCBKUzgIuT3/
+PSy1XheYQR2m8SbOmOMpgInr16i3ijsYBKI6qdoxB//YCkFCJmxfCUqRGPe6sAW2n9ow4VmE
+rAUDEqYTPDzkRA5zBY6C6cMugoClY8LidDwKHGXjbPMLz+CnWIVsC8BedjQcfPkuQs/P4QtQ
++UYwt6UiFywYe4Na9JfJsYDwkUaKgZadva/JFxGkm7ApMpeMBuZUDIl9qptKipdmRrMnBx9l
+fvBqrrXYKPEzVMW0FpX9D5F1L4k5u3x4B0VDZ9WPJgkSKFQIMatDxFsyJNWZmh/0dODC/LKF
+mZZCk3B34rr91He99MzKNrrq3vZSlbMKoCQYjDGQDWVXCplwjq1zCt/JSZUJYVhwbcyJAiIE
+EQECAAwFAlRgbtMFgwK1j8kACgkQBhyEc3tNEByR3A/+MKwW1tgIspbnE8WEGjdNJtXUHQUv
+UJHFTuoBNKZA/uAYxe7FLoSKQI8lH5PgJrLnu8lq0Z7h4BObnx7F4NrB1ixTtMGgRXD1amVY
+Gw6STlXH6Fhr/0RvBTg/wbdm/nFFdaEEhclMNHY/mW69bcqGjHjcnk6nOmlVrYegWRGjGgTI
+JBqHUhoX2+VixkMrBDSESBpHHQHlwsOlT9T0v3pCVHQz9I/WygQpn0bjgWEISyZkWbLcmJVZ
+yYYmWU9WWw8n16qFChdO6BTEjChuzVupLS5LoBgxCJkh9gl4F6VGRg2kVvsQoxE0CKbM+4qy
+qAAK2jrgQZRg4ihC2WmOpr9X0mrjO38Bz/tmZL389ZBzj9S3VO8otgBRgDbJvNHm8EjWdQHj
+SOE2x5/F2T69g8IK3S/vkkKrySsjSlD/NJpWwldkUh1RtO7wFO2Zk+2+vr55joOjKApXKQgO
+7PKw2awkL91UWWHAvJ3tTq/16FUypnY9RHM9rHtU8XDLCp4iEzE7rzIywEwX4fUAut4CRf8m
+u3czrhdPh+oQyOyQHZJMdX0mCKZREPgKo2ca5iAFtzOzrgD5OTCD/Pz4+99+gLEMOML1bWQ4
+R43L4YyrB1UIQUAvVmLDhn19bUcIS+wZ3kKI0et24wqjkaIsLSSounGBPxB4jOLhG0BBojzV
+dvqUElOJAiIEEwECAAwFAk2wAP4Fgwll/Z4ACgkQrImYjct//fHn8Q/+JdXKAXtSq5ReGTDR
+F3PcpsQK9q0LGvdyNPZ91oSkGl2UpcRhQ2KqTY0RJa7CZdk/3jG9G8aRuAmC6O5MhcsVU36j
+zBTanDgiSqFEpJCLXWWkPbwWIXdL3/FVm/1iYkDNqOZkWsYxU6BixgrDJoKcIZctt2igZqqa
+qdJYJ8tdbEXfW67rx+cu+DTXuZIuBwFETNix8zL7XpCQZAOG79IvBNaSaJr0x90tn+6rlLrk
+w6+NCXFjzm9aDNGyyWTs7s4kLfDR1LbBGpJNL+kmWmF9hkQTFHDxwNmHPyhjZcHVXaRfdl86
+ahClxBT6hitmurAGDIjjqy0d3Rs41Q3rcm9AZUWH4YbtRn2hXC/VCzsDvZvsjFB258mj4oDl
+jcgeuoY4uJEK8EJa9RJ6z3+UATcDaZTmlWhmb3UhG6suhz4hjmC4Y+JcovSVvq9AJksLJA74
+m6TxExiKzCGwy9xw1gcgJlFD4iVarfV4+jv5YGuPipPwz1ho6+P4uUOOtLFVHesSQ7S0W8eX
+rMdbu1Plw+m+fad/Asb8SoUm4ckfCwgoDMZsrGHBLhMa9D7AW/4z478DWqM6aZnZlpK4pNk+
+/jyW8cPDfjRePFKC/zH2Vm679JGgT13qQUJF1fja4KOSEi0lIKegPCRVJ1h0MseVgd2Qa9vX
+2VJwbZkrnoBa6VZH8dqJAj4EEwECACgCGyMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJW
+76tkBQkNAhVIAAoJEJ9vHC1+BF+N2tYQAIxArTFi1m0C8sv/wIJwKL3Y6LWu1dEZadHLslfT
+bSF+2ZaWIyrg/QXcIkpUuGBn+V2nw46qZ8N+bAsxVJoJDzpRuqfs5+t/wq7xIZC4gzFjY4MH
+3uGi5jhucMdozYKqLomQE34bW2B3Co3+Rx5wXa2reqXaTt5f3X74D4XkCki7WyKXMk8vhnxb
+oxU50qu3MQzu3rWFGWxukQ+Pva9tUFnWGZOIgvhVbB3FBhqbEGg56d6yTIMMb6IwIjc/UYbc
+RCST70B5y3+If26u4TSbGfZoo3xx+6hH3dw8X+jMLFLki3ABWc17f1ZE7UZPbNhoWBibSV/1
+zNylGxHM1sbD3fyVneI9SJl77JsqAsqRWa+uQzn2WMdP31KsLXhVfGBDBKziBLet3Ntj20+m
+zrZnWr7EJV9PHUhjk/ie3n3HBBXQjD6lX1L+ZVw6c9eXVQpvS2051gkSuurdGkX8PaD80O0v
+Q5aohrwu+sGXJBiZY8q8rDvq+3hsnc1TfWNJzSjD+PsQ5WM6y3zqzrb3Oa2dsmNZWvos7LkQ
+NQ+6yaoe/W3hnhEyN/w6sl01sUmhFdm/wVtbg3Nd4a0x/yTq8p56Ol0wfj54u6hkbt1yFTUl
+xx+Cp/BanLSiOZvn12slxpCBULom/D2XROYY80iwThSshahxoWC/h04q8cDaFycwMzyuiQI+
+BBMBAgAoBQJNr/0cAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCfbxwt
+fgRfjd8qEACMp3672f/ETQL/ZS3EnNj1937xu6ESRCUsvbjMiGzLW/2tQVQnoV40fBoRyeQ/
+2d40VgUCsNayy7zqm7gRpKSjEddNGVReM//HuglrUwDhctvH9SUMNvJIpTeyur456NtUtSSd
+VyQHaBXYnMm9Ultq/imKHen40shdJW+9aHfrHZ0hPTv8XQqssrunF/gMHw3LiemPIjlrvAnl
+gM+NS0dUAVEJAm/9PJlXwhLvgo/jN9Y4zw2RMlAMNtfb6+EBXtKN7fjLL9AFGb3EZFuvvKj+
+ZTuiOcHv991gS2R+9JYRb2LaGzOxzjAo4XkWYLks70ahBE3044mtblYt2M9qjOAhXSSGRehK
++/cinAd42Krrpba55R3V2fyGbB1UZOiX4qhZM/btU/T5LzKEOOdmlKJhk4PcUHIZyqXtRPKL
+CoC7pWmPos0xKmfKR/x1lif2E9d/5/KcSvRGwv/EpFYclzXoTkgBg2Wq/rY1QaH4M0vK/hg8
+r/qQU0po4rSK1V2TboYoC6daO077OJIypXBZy4Xwxyfsm+ScomXdNW1b2qp30YQAql31paAt
+LrJUW3oKGMCVIF9ATq7Drhxh9knxo3f0JwNG3BFzNpKdQ6dYKrXBHeUIrZuuO2M/pXlpIa5j
+JrU8Krpl6AHL4M7YSRVD3AM7oV2TX6kCTDhkcQBlSND/e4kCVQQTAQIAPwIbIwYLCQgHAwIG
+FQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCWaU4BQUJEZjVaQAK
+CRCfbxwtfgRfjb1YEACjkhtkyZkYURUmSZNL2IK/Zencv7DZGRfFrzijROFtHbe//H8o2Zhl
+yiaFSA/dT1ehjsukkR0oFkYadA+qUi06WpxGmd/jf8hP4yTUZkwOhQAesWoNmnhKePNaVMKY
+8DP57bA+N2pdCcGu7gUtYzq2JoTAtV+P/PE2w+H9eyBAulv6iUckM5/qvGfJPl8HB9BtgOpG
+N79otVWO6ebM4TQ3cZYI9BDQnt9cF2pviex+z1iLZVJ8UeRxSxYhrBKPJioi0Q1OgcKyO56t
+7EotzxKl5TzprgvdX4cdls+lehD8StlE2Xv/TScHvdOhJuVBrn3a3QjZPb4qSsz74leW5/EI
+QmozBy+qf8AHcCmTXwb2U7oHOct7cVyS5+bFx+ThpV5OK0rjTH1LMNiuTeAN46c1y3prjZRp
+QUlgVwj06q3Zz/fzDyueUS/r4lW4nAf/VNZy/rTS2HYPoZbHZVCtGpDIfag6fV6V97Pd3zfh
+Tf2wmsJsw9Xhktp/o7rMBRSMhvL4oevOXb0JSG2583Q/JnCCceB4NxRRxsgkRYHwdnXN9FnO
+PSa4NyvF4rzpPksLGZrhvm+lBvzVn/e40Q/KlxvSlnn2vW/WBM4pBq1jsoJrd/JkTdijZV7m
+t7HQ2bCLXAPgfZjy7n79WiCQVHg7iYnNikiNWR5TR7JcvdkxOdiA/4kCVQQTAQgAPwIbIwYL
+CQgHAwIGFQgCCQoLBBYCAwECHgECF4AWIQTt+qPyyk5usFaBr46fbxwtfgRfjQUCXe4JdQUJ
+GaQN2QAKCRCfbxwtfgRfjQ8gEACe+49aDQHRuZdDHK1VCJKzhb+MvfdIjvl8eQxljpG9Uz5Y
+17Bx4SWfuLHCeGlh1m6IOAWeW4g6Wowm1ec1PkVa79TdrkKb0MxfLSat6iDbiuVjDxy2bWok
+W0/cPzJ/FoWDtEC0H9UTAMb5QGBDZUbLuwX7ZjvMkAhH15/hO9Gj4RHoH1RJGJALRtZzjtzs
+JqL53kW/EV59V1T79Nocyx018iw50Jn02mI8wYJZ9HZc5C7D+K59vcqLRZgkrJrObw0sEv3Y
+FOBYp/1DemH2nHPMBSKMmN5RAcr32guUjd4BEWf2Q7Ao+Qnhdi161W0YKCW4JAmOoQ4bQ0wf
+E9Q5aUIGhUF52L+ac8Hy7dByaCExCA/WTqQQ/iVPybmpJQhFonWt/fmpxbE2wKThSEOHTO67
+e5e3JfUb0vNKssyZojao4h1MF5nvaPNKoybWwKnpNM0ORcyl+aogKwW7E15TEU0TE5//gAsF
+wRDcCnSEKnksgM0321m17RDfJbCajIv47DHDYE3yvhRZjCJCaw0Gow1sDRWjdOFpmIixD5/v
+x5uxyqSHPuGAsXlEvl+Z3Rdc5bQ7pAWu7UNpR3hnJPfg8KL2xqOF75VKG9/NjLE80yj8wdVo
+CfDvvizrBtOXnHI49gCMCfNqbGIb5yVhmTdeo7li+Te9hlJ2DrHnujGJlFe+p7kCDQRNr/0c
+ARAApvDKeVLiSazESdTY9KsSWsqoB38pvOsu25M49tEjc5TtY5LwKNckqkeRlJ83O8dFG7UB
+VuGwLKaf/6OR/pe24upZ27eOOWW7sXvQNv5aXlOYfF+mjIhUINqjq4pKDmO1c9J7h5d+auOV
+fzcgfotg3BVCaKn56ucjiQJ059uUMfgWTvVlibnoJ7deZcgt8v7VcLK9jv+P8QJHTIyDzJd+
+JjdjuHXqC/A37T5G9Z84x8wYrQY6mZmOIYaMjwIKdgFeN+nLk5henARUz4MTFUW4j9hHpuyA
+FomDQ93/wkHZ9IEChTxdZnfvsd//Z45vfcX9dQM+tuR8XCYThVsScI1TnwR46hi5NkfmHo3H
+VxwB8/owJ+FZDsTNBbJd7AVy27Xk4L5hLe7BwLDtFMyOp4lOipCM7//mtFB9mTzqnOwiSSyT
+RlwGUBJkzQFWQa0Z6bfYwA6+y1dn19H519GW49irtl+2+W8W4N8oLriIjPvqrQOyaELFcRfV
+6FfLi09HPhHVbejOqIEbOtfuN0+mjrrGAwortfTBjfw80N+W90BTvta4K2SyjHcJTkDYehfO
+o/5IMpGtDsOgvsCbDaFRnNJuYtSqQmvWk1KIPIw6CkdJtZa3+q3YA7D7ovOVH1OBTKNdBjc+
+X4W8L5R9MCymXWvgiP+52Sv1VIcZmsnCBrwK490AEQEAAYkCJQQYAQIADwIbDAUCVu+raQUJ
+DQIVTQAKCRCfbxwtfgRfjVnYEACZ1E/FfLDi4vLUd9diImmNN/zWDHxTsO/VG3lt50rSoJM5
+NGB4RlwcbUKhah2fD44FFiIqGIvKD9hRgB51dVRIkaR3ozVtXRBKxJJqWj38wf2FDLtUXC5/
+JHYb0sjAc3ad2sA9xEmEBVO1lWK3J6h4gKZiAGlWz3oeOSve3vrTKsBlP0CurUeb4WTVpw4d
+rBJD7cDh8SJ4/Cq76UFx8lW0xR+pHZHcd0/Ir5v5HnnEgbnut4IxeY3/CGBfQfSQHylK7ifm
+PWq+dflC/ZdfHY1V96EHKPM44ZLwiczoY3qp5nkmEc3BY6+P8Ch5gddOYaY18wpedarswnpO
+LQD2Xbsj66Eh0IZuuuZGyfOqJNaWbP33L27eg35XQNTgyhuZmDyRKL6yAbhU74TXCCvze/kk
+fqDn2ouCtM8/kqLX1v0+NkBxlhZUkTTVDyclZtwu6Vypus3+j2Zqk8sXeUZI64sjXpzwOcMZ
+xdl3QuyxMktExWzk9Q5DYqO+pj/YGt1vp2M0YgSUWNWCvfBcjEPFgaljyqz3BdvR/LYohnXu
+QL9SWObF+sIFc9D0w/yORYQcKP5kSWVC/qwFdC61OGeSDnQ/0o0T5PefhYS82gsIrjQ+HIJ7
+CLUTk7kBNljvtfpoWegH02feR0kSRoCXA6x+YHT4fmB41pW8S1V5a5dEltA/JIkCJQQYAQIA
+DwUCTa/9HAIbDAUJCWYBgAAKCRCfbxwtfgRfjTY/D/9+kX8LeqBhwDdwy3udV67KmVmytwGM
+fzBHbAyBdy84X06ip/If/VkjL+2Sv5Uml/cOOzGZT7y/KEt0uXQzgOZhGP5Y0OREf4kSzfb7
+tsGu3ZjTp5uJe7HiJr8uqYGfx94TQG/A3x1C7MlxOGmWDK/Eh/eNVeNd+3yyDEzl2p7a0yUh
+I8LtzllVrEDX+G4rz+mdDw4tfPDqzRPzPvVtPfqnfofHP5r2dshGe7+pCTC+o0jHWpaiFkEi
+IrR3PbZ9tV6+F5LzCUJJP5nepz6CShpLHq9ST6qZiw5ZpdznHW0kVl96YxgynJq9Y4dqD/8n
+OfTzdHhXXEogGvRfcxatxeZF7YNFhUU2p+CswAjRKCUzZAz0hDAu+dJ+fw4Odx7ii8uiwhEn
+EHoo8rPETkXwUK1je4MCzMRSy0Gippzk/oZ7noIml+Njas/UygavUOQm8bcPqGfWeFqvM2C7
+ZobL2iV0fX/bhEmQyosiWJ0nHuKdwDYygYs/4LtZLxwiKli/lm6IDz1028j6/98Z81gGoltX
+WokTYAPEgcBuhyiSLSQ1wojTVMYt9rPKMBakTzP+0FoWqoNafWOlHovP6iUB2Igll2ZT3Avr
+BQ8jAbRbuUl46QpBaKsl+pBo86az0fRkMxv0N4dQv4Q7Z0g71u9NTpaq1vtAZOwc0kl3uGNK
+18PnV4kCPAQYAQIAJgIbDBYhBO36o/LKTm6wVoGvjp9vHC1+BF+NBQJZpTgKBQkRmNVuAAoJ
+EJ9vHC1+BF+NyNQP/A3h+cOOkYUxyKpNHdtlIfCn8db5tHXSCbE19Qi7EK1SiK5atjo+VoRt
+B+L01kH6GCx5oZjeIhUdzYFwEUsdCDgwD6r0dKFwKIGa4TFcfnx+Z5B+HZgLYc6ac5PEHF1q
+ZVXZH9GSGeNw5h2yyqf4yhvetSN6L2id14m5XXJV5e7NfOgmaSnG0Z+wQvPSiu+Q00XpENT8
+HFSTSCjRATjk12rpy6TPeeC52NK1gLhGDRHN0k6m+vm4yoC+Nd6iPQpnc+5xs7NDnq2dFuST
+p7UTGebzPhhdSQgujEFuYLwzQMZu1h5amtA+v9j7BYEJkOMC7bm1PNNA2QQ6QfH8Hf+mJeIN
+yJO8A5KS3ceP+eo3SLR8T0hPzu9gZuZ22Hn3DXQh1VNRshaLKgNvoXpL3dQ48d1SFFKhEDpy
+2HSXUq2fs5rH0uszFGesG7K6EQRAYRcDrCkt9fdfkvCSxAFw9d+472xThzgKcN+MkOec+SaY
++xlVULjEfCWyRVC8Opam4mTm/XT4mVLxP/qnsy7kEhLoc/ouB+lY/ks06LpZJvCXL6WfA9Yo
+u1Fi1Mg7GhSh9JKg6X6E8Trm+N4dxJGut1xbbGmmKXqfi4pej9KlkdeM9t1df/vWKlPa7Hzd
+8H0btgJx066wC4yt0ghxtsJXBsCDxWLfzaSRZ2/eP16mHqxDjsQQiQI8BBgBCAAmAhsMFiEE
+7fqj8spObrBWga+On28cLX4EX40FAl3uCX0FCRmkDeEACgkQn28cLX4EX43TQA/+JV8ReMRJ
+Cn3Cfqbe5ycFn8p6dIVnJiQuhiEyu5yzdpSkKyzcVFJObQcqw7s50FJuLUbxdvbcuGIaoTu7
+dhBoUXO5tOuIQAsKTfGfgoOgelJm+/q2h645EnAVINGbMDXrmo4/UFJkNjUMA6SQi/yiam7N
+0y58eoDC4sGmBKuN2EW2MoWahlXw8SS1+Ab9qVBs/RqbSy6f1nJL39aPpPDmvyJOSYtHnNSF
+lYWVhr0zGAi5rnswlFGrECGbHpr5FajUK7zcmtNPbi7F30K48xfF3XnDIeIBcerrEBQMaPUZ
+cBlddGhmSVVJZU/YhR35JNgPnmp33gOuZaRiW9lauZFwsMQBIBkLpJWoUtu8QLkyC0HmJzVR
+ep0/s1RkzaJ+1G1BzXTQiXaLaUQWG5h3pcMD8fxY5qp9KbG/+10bY0sRbRBXgS6mz7ddHaBt
+g/E8ty2nEB1HDXA9HAHu7KlH9e96sPZjz9C46ZiOXe6ZAOk6wBYts4RG4bCQ9pGORJ+P2Jr2
+pz1NZQbs1AhnjJixTsfZfsGZ5lHxGLjIyxtdGB/irLEqNTIMek2yp4CShmWoZwN0V3aGYMe/
+rC4tSXG79IeKNwF3Vd5MHtB+hcJG2qztBtKQuW29rbRA5bNxwTWe8skwOKsxXnP9RC974k0X
+kPS+VwgmVgNN1ewS/0oHvmEP71Q=
+=ZSkT
+-----END PGP PUBLIC KEY BLOCK-----
+
+ diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec new file mode 100644 index 0000000..172744a --- /dev/null +++ b/SPECS/unbound.spec @@ -0,0 +1,1312 @@ +%{?!with_python2: %global with_python2 0} +%{?!with_python3: %global with_python3 1} +%{?!with_munin: %global with_munin 1} +%bcond_without dnstap +%bcond_with systemd +%bcond_without doh + +%global _hardened_build 1 + +#%%global extra_version rc1 + +%if 0%{with_python2} +%global python_primary %{__python2} +%endif + +%if 0%{with_python3} +%global python_primary %{__python3} +%endif + +%if 0%{?rhel} +%global with_munin 0 + +%if 0%{?with_python2} && 0%{?rhel} <= 6 +# needed just for EPEL +%{!?__python2: %global __python2 /usr/bin/python2} +%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} +%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} +%endif + +%if 0%{?rhel} <= 7 +%global with_python3 0 +%else +%global with_python2 0 +%endif +%endif + +Summary: Validating, recursive, and caching DNS(SEC) resolver +Name: unbound +Version: 1.13.1 +Release: 13%{?extra_version:.%{extra_version}}%{?dist} +License: BSD +Url: https://nlnetlabs.nl/projects/unbound/ +Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz +Source1: unbound.service +Source2: unbound.conf +Source3: unbound.munin +Source4: unbound_munin_ +Source5: root.key +Source7: unbound-keygen.service +Source8: tmpfiles-unbound.conf +Source9: example.com.key +Source10: example.com.conf +Source11: block-example.com.conf +Source12: https://data.iana.org/root-anchors/icannbundle.pem +Source13: root.anchor +Source14: unbound.sysconfig +Source15: unbound-anchor.timer +Source16: unbound-munin.README +Source17: unbound-anchor.service +Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc +Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key + +# rhbz#1952814 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files +Patch1: unbound-1.13.1-rh1952814.patch +Patch2: unbound-1.13.1-rh1991005.patch +Patch3: unbound-1.13.1-rh1977400.patch +Patch4: unbound-1.13.1-rh1977401.patch + +BuildRequires: gcc, make +BuildRequires: flex, openssl-devel +BuildRequires: libevent-devel expat-devel +BuildRequires: pkgconfig +%if 0%{?fedora} +BuildRequires: gnupg2 +%endif +%if 0%{with_python2} +BuildRequires: python2-devel swig +%endif +%if 0%{with_python3} +BuildRequires: python3-devel swig +%endif +%if %{with dnstap} +BuildRequires: fstrm-devel protobuf-c-devel +%endif +%if %{with systemd} +BuildRequires: systemd-devel +%endif +%if %{with doh} +BuildRequires: libnghttp2-devel +%endif +%if 0%{?fedora} >= 30 +BuildRequires: systemd-rpm-macros +%else +BuildRequires: systemd +%endif +# Required for SVN versions +# BuildRequires: bison +# BuildRequires: automake autoconf libtool + +# Needed because /usr/sbin/unbound links unbound libs staticly +Requires: %{name}-libs%{?_isa} = %{version}-%{release} + +%description +Unbound is a validating, recursive, and caching DNS(SEC) resolver. + +The C implementation of Unbound is developed and maintained by NLnet +Labs. It is based on ideas and algorithms taken from a java prototype +developed by Verisign labs, Nominet, Kirei and ep.net. + +Unbound is designed as a set of modular components, so that also +DNSSEC (secure DNS) validation and stub-resolvers (that do not run +as a server, but are linked into an application) are easily possible. + +%if %{with_munin} +%package munin +Summary: Plugin for the munin / munin-node monitoring package +Requires: munin-node +Requires: %{name} = %{version}-%{release}, bc +BuildArch: noarch + +%description munin +Plugin for the munin / munin-node monitoring package +%endif + +%package devel +Summary: Development package that includes the unbound header files +Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel +Requires: pkgconfig + +%description devel +The devel package contains the unbound library and the include files + +%package libs +Summary: Libraries used by the unbound server and client applications +Requires(pre): shadow-utils +%if ! 0%{with_python2} +# Make explicit conflict with no longer provided python package +Obsoletes: python2-unbound < 1.9.3 +%endif + +%description libs +Contains libraries used by the unbound server and client applications + +%if 0%{with_python2} +%package -n python2-unbound +%{?python_provide:%python_provide python2-unbound} +Summary: Python 2 modules and extensions for unbound +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Provides: unbound-python = %{version}-%{release} +Obsoletes: unbound-python < %{version}-%{release} + +%description -n python2-unbound +Python 2 modules and extensions for unbound +%endif + +%if 0%{with_python3} +%package -n python3-unbound +Summary: Python 3 modules and extensions for unbound +Requires: %{name}-libs%{?_isa} = %{version}-%{release} +%if ! 0%{with_python2} +# Make explicit conflict with no longer provided python package +Conflicts: python2-unbound < 1.9.3 +%endif + +%description -n python3-unbound +Python 3 modules and extensions for unbound +%endif + + +%prep +%if 0%{?fedora} +%gpgverify -k 19 -s 18 -d 0 +%endif +%global pkgname %{name}-%{version}%{?extra_version} + +%if 0%{with_python2} && 0%{with_python3} +%global dir_primary %{pkgname}_python3 +%global python_primary %{__python3} +%global dir_secondary %{pkgname}_python2 +%global python_secondary %{__python2} +%else +%global dir_primary %{pkgname} +%endif + +%autosetup -c -N -n %{pkgname} + +pushd %{pkgname} +# patches go here +%autopatch -p1 + +# only for snapshots +# autoreconf -iv + +# copy common doc files - after here, since it may be patched +cp -pr doc pythonmod libunbound ../ +popd + +%if 0%{with_python2} && 0%{with_python3} +mv %{pkgname} %{dir_primary} +cp -a %{dir_primary} %{dir_secondary} +%endif + +%build +# This is needed to rebuild the configure script to support Python 3.x +# autoreconf -iv + +# ./configure script common arguments +%global configure_args --with-libevent --with-pthreads --with-ssl \\\ + --disable-rpath --disable-static \\\ + --enable-relro-now --enable-pie \\\ + --enable-subnet --enable-ipsecmod \\\ + --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ + --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ + --enable-sha2 --disable-gost --enable-ecdsa \\\ + --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ + --enable-linux-ip-local-port-range --disable-sha1 + +pushd %{dir_primary} + +%configure \ +%if 0%{?python_primary:1} + --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \ +%endif +%if %{with dnstap} + --enable-dnstap \ +%endif +%if %{with systemd} + --enable-systemd \ +%endif +%if %{with doh} + --with-libnghttp2 \ +%endif + %{configure_args} + +%make_build +%make_build streamtcp + +popd + +%if 0%{?python_secondary:1} +pushd %{dir_secondary} +%configure \ + --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \ +%if %{with dnstap} + --enable-dnstap \ +%endif +%if %{with systemd} + --enable-systemd \ +%endif + %{configure_args} + +%make_build +popd +%endif + + +%install +install -p -m 0644 %{SOURCE16} . + +%if 0%{?python_secondary:1} +# install first secondary build. It will be overwritten by primary +pushd %{dir_secondary} +%make_install unbound-event-install +popd +%endif + +pushd %{dir_primary} +%make_install unbound-event-install +install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp +popd + +install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig +install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service +install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service +install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer +install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service +install -p -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound +install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound +install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound +%if %{with_munin} +# Install munin plugin and its softlinks +install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d +install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound +install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/ +install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound +for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do + ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin +done +%endif + +pushd %{dir_primary} +# install streamtcp man page +install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1 +install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc +popd + +# Install tmpfiles.d config +install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound +install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf + +# install root - we keep a copy of the root key in old location, +# in case user has changed the configuration and we wouldn't update it there +install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/ +install -m 0644 %{SOURCE13} %{buildroot}%{_sharedstatedir}/unbound/root.key + +# remove static library from install (fedora packaging guidelines) +rm %{buildroot}%{_libdir}/*.la + + +%if 0%{with_python2} +rm %{buildroot}%{python2_sitearch}/*.la +%endif + +%if 0%{with_python3} +rm %{buildroot}%{python3_sitearch}/*.la +%endif + +# create softlink for all functions of libunbound man pages +for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; +do + echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; +done + +mkdir -p %{buildroot}%{_localstatedir}/run/unbound + +# Install directories for easier config file drop in + +mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} +install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/ +install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/ +install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ + +# Link unbound-control-setup.8 manpage to unbound-control.8 +echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 + + +%pre libs +getent group unbound >/dev/null || groupadd -r unbound +getent passwd unbound >/dev/null || \ +useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ +-c "Unbound DNS resolver" unbound + +%post +%systemd_post unbound.service +%systemd_post unbound-keygen.service + +%post libs +%{?ldconfig} +%systemd_post unbound-anchor.timer +# start the timer only if installing the package to prevent starting it, if it was stopped on purpose +if [ "$1" -eq 1 ]; then + # the Unit is in presets, but would be started after reboot + /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || : +fi + +%preun +%systemd_preun unbound.service +%systemd_preun unbound-keygen.service + +%preun libs +%systemd_preun unbound-anchor.timer + +%postun +%systemd_postun_with_restart unbound.service +%systemd_postun unbound-keygen.service + +%postun libs +%{?ldconfig} +%systemd_postun_with_restart unbound-anchor.timer + +%check +pushd %{dir_primary} +#pushd pythonmod +#make test +#popd + +make check + +popd + +%if 0%{?python_secondary:1} +pushd %{dir_secondary} +#pushd pythonmod +#make test +#popd +make check +popd +%endif + + +%files +%doc doc/CREDITS doc/FEATURES +%{_unitdir}/%{name}.service +%{_unitdir}/%{name}-keygen.service +%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} +%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} +%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d +%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key +%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d +%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf +%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d +%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem +%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key +%{_sbindir}/unbound +%{_sbindir}/unbound-checkconf +%{_sbindir}/unbound-control +%{_sbindir}/unbound-control-setup +%{_sbindir}/unbound-host +%{_sbindir}/unbound-streamtcp +%{_mandir}/man1/* +%{_mandir}/man5/* +%exclude %{_mandir}/man8/unbound-anchor* +%{_mandir}/man8/* + +%if 0%{with_python2} +%files -n python2-unbound +%license pythonmod/LICENSE +%{python2_sitearch}/* +%doc libunbound/python/examples/* +%doc pythonmod/examples/* +%endif + +%if 0%{with_python3} +%files -n python3-unbound +%license pythonmod/LICENSE +%{python3_sitearch}/* +%doc libunbound/python/examples/* +%doc pythonmod/examples/* +%endif + +%if 0%{with_munin} +%files munin +%doc unbound-munin.README +%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound +%{_datadir}/munin/plugins/unbound* +%endif + +%files devel +%{_libdir}/libunbound.so +%{_includedir}/unbound.h +%{_includedir}/unbound-event.h +%{_mandir}/man3/* +%{_libdir}/pkgconfig/*.pc + +%files libs +%doc doc/README +%license doc/LICENSE +%attr(0755,root,root) %dir %{_sysconfdir}/%{name} +%{_sbindir}/unbound-anchor +%{_libdir}/libunbound.so.* +%{_mandir}/man8/unbound-anchor* +%{_sysconfdir}/%{name}/icannbundle.pem +%{_unitdir}/unbound-anchor.timer +%{_unitdir}/unbound-anchor.service +%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} +%attr(0644,unbound,unbound) %config %{_sharedstatedir}/%{name}/root.key +# just left for backwards compat with user changed unbound.conf files - format is different! +%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key + +%changelog +* Thu Mar 31 2022 Petr Menšík - 1.13.1-13 +- Disable SHA-1 support (#2070495) + +* Fri Feb 11 2022 Artem Egorenkov - 1.13.1-12 +- Fixed error in the patch +- Resolves: rhbz#1977401 + +* Thu Feb 10 2022 Artem Egorenkov - 1.13.1-11 +- regional_alloc() failure handled +- Resolves: rhbz#1977401 + +* Thu Feb 10 2022 Artem Egorenkov - 1.13.1-10 +- RESOURCE_LEAK fixed +- Resolves: rhbz#1977400 + +* Tue Aug 10 2021 Artem Egorenkov - 1.13.1-9 +- Don't use delted OpenSSL macroses +- Resolves: rhbz#1991005 + +* Tue Aug 10 2021 Mohan Boddu - 1.13.1-8 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jun 16 2021 Mohan Boddu - 1.13.1-7 +- Rebuilt for RHEL 9 BETA for openssl 3.0 + Related: rhbz#1971065 + +* Tue Jun 08 2021 Artem Egorenkov - 1.13.1-6 +- Changelog date fixed +- Rebuild for new gating.yaml +- Resolves: rhbz#1951923 + +* Mon Apr 26 2021 Artem Egorenkov - 1.13.1-5 +- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux +- Resolves: rhbz#1952814 + +* Tue Apr 20 2021 Artem Egorenkov - 1.13.1-4 +- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR + environment variable equals to "yes" +- Resolves: rhbz#1951923 + +* Fri Apr 16 2021 Mohan Boddu - 1.13.1-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Feb 10 2021 Paul Wouters - 1.13.1-1 +- Resolves rhbz#1860887 unbound-1.13.1 is available +- Fixup unbound.conf + +* Wed Jan 27 2021 Fedora Release Engineering - 1.13.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Petr Menšík - 1.13.0-1 +- Update to 1.13.0 + +* Tue Oct 13 2020 Petr Menšík - 1.12.0-1 +- Update to 1.12.0 (#1860887) + +* Tue Sep 15 2020 Petr Menšík - 1.10.1-5 +- Move command line tools to utils subpackage + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-3 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Fri May 22 2020 Miro Hrončok - 1.10.1-2 +- Rebuilt for Python 3.9 + +* Tue May 19 2020 Paul Wouters - 1.10.1-1 +- Resolves: rhbz#1837279 unbound-1.10.1 is available +- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS +- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers +- Updated unbound.conf for new options in 1.10.1 + +* Wed Apr 29 2020 Paul Wouters - 1.10.0-3 +- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000. + +* Thu Apr 16 2020 Artem Egorenkov - 1.10.0-2 +- Resolves: rhbz#1824536 unbound crash + +* Thu Mar 19 2020 Petr Menšík - 1.10.0-1 +- Update to 1.10.0 (#1805199) + +* Fri Jan 31 2020 Fedora Release Engineering - 1.9.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Dec 13 2019 Paul Wouters - 1.9.6-1 +- Resolves: rhbz#1758107 unbound-1.9.5 is available +- Resolves: CVE-2019-18934 + +* Fri Nov 01 2019 Paul Wouters - 1.9.4-1 +- Fix build on rhel/centos systems +- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query + +* Thu Sep 26 2019 Petr Menšík - 1.9.3-2 +- Obsolete no longer provided python2 subpackage (#1749400) + +* Tue Aug 27 2019 Paul Wouters - 1.9.3-1 +- Updated to 1.9.3 +- Resolves: rhbz#1672578 unbound-1.9.2 is available +- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/ +- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT + +* Thu Aug 22 2019 Miro Hrončok - 1.8.3-8 +- Subpackage python2-unbound has been removed + See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal + +* Thu Aug 15 2019 Miro Hrončok - 1.8.3-7 +- Rebuilt for Python 3.8 + +* Mon Aug 5 2019 Zbigniew Jędrzejewski-Szmek - 1.8.3-6 +- Drop install-time requirements on systemd (#1723777) + +* Sat Jul 27 2019 Fedora Release Engineering - 1.8.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.8.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 11 2019 Paul Wouters - 1.8.3-3 +- Remove KSK-2010 from configs - it has been revoked + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-2 +- Another dns64 fixup + +* Wed Dec 12 2018 Paul Wouters - 1.8.3-1 +- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes + +* Mon Dec 10 2018 Paul Wouters - 1.8.2-2 +- Fix dns64 allocation in wrong region for returned internal queries. + +* Tue Dec 04 2018 Paul Wouters - 1.8.2-1 +- Updated to 1.8.2. +- Enabled deny ANY query support and edns-tcp-keepalive +- Set serve-stale timeout to 4h +- Updated unbound.conf for latest options + +* Mon Oct 22 2018 Petr Menšík - 1.8.1-2 +- Allow group by default to unbound-control (#1640259) + +* Mon Oct 08 2018 Petr Menšík - 1.8.1-1 +- Update to 1.8.1 + +* Mon Oct 01 2018 Petr Menšík - 1.8.0-2 +- Skip ipv6 forwarders without ipv6 support (#1633874) + +* Wed Sep 19 2018 Petr Menšík - 1.8.0-1 +- Rebase to 1.8.0 + +* Tue Aug 14 2018 Paul Wouters - 1.7.3-9 +- Fix for restarting unbound service after deleting key/pem files for remote control + +* Tue Jul 31 2018 Petr Menšík - 1.7.3-8 +- Release memory in unbound-host + +* Mon Jul 23 2018 Petr Menšík - 1.7.3-7 +- Remove unused Group tag + +* Wed Jul 18 2018 Petr Menšík - 1.7.3-6 +- Cleanup generated client and server keys (#1601773) + +* Sat Jul 14 2018 Fedora Release Engineering - 1.7.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 09 2018 Petr Menšík - 1.7.3-4 +- Do not call ldconfig if possible + +* Wed Jul 04 2018 Petr Menšík - 1.7.3-3 +- Update trust anchors also behind firewall (#1598078) + +* Mon Jul 02 2018 Miro Hrončok - 1.7.3-2 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Petr Menšík - 1.7.3-1 +- Update to 1.7.3 (#1593708) + +* Wed Jun 27 2018 Petr Menšík - 1.7.2-3 +- Remove last python2 dependency from python3 build + +* Tue Jun 19 2018 Miro Hrončok - 1.7.2-2 +- Rebuilt for Python 3.7 + +* Mon Jun 11 2018 Paul Wouters - 1.7.2-1 +- Resolves rhbz#1589807 unbound-1.7.2 is available +- Add patch to fix stub/forward zone not returning ServFail when TTL expires +- Enabled the new root-key-sentinel option + +* Wed May 30 2018 Petr Menšík - 1.7.1-1 +- Update to 1.7.1 (#1574495) + +* Mon Apr 09 2018 Petr Menšík - 1.7.0-5 +- Require gcc and make on build +- Remove group, simplify systemd requires +- Simplify building with single python version, make python3 primary + +* Mon Apr 09 2018 Paul Wouters - 1.7.0-4 +- Patch for prefetching after flushing cache + +* Fri Apr 06 2018 Paul Wouters - 1.7.0-3 +- Patch for referral with auth-zone: response + + +* Wed Mar 21 2018 Paul Wouters - 1.7.0-2 +- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry + +* Thu Mar 15 2018 Paul Wouters - 1.7.0-1 +- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) + +* Thu Feb 22 2018 Petr Menšík - 1.6.8-6 +- Uncomment again original max-upd-size + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-5 +- Use default RPM build flags and configure parameters (#1539097) + +* Wed Feb 21 2018 Petr Menšík - 1.6.8-4 +- Remove group writable bit from some config files (#1528445) + +* Wed Feb 14 2018 Filipe Rosset - 1.6.8-3 +- rebuilt due new libevent 2.1.8 + +* Fri Feb 09 2018 Igor Gnatenko - 1.6.8-2 +- Escape macros in %%changelog + +* Mon Jan 22 2018 Paul Wouters - 1.6.8-1 +- Resolves rhbz#1483572 unbound-1.6.8 is available +- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records +- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all] + +* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek - 1.6.7-2 +- Python 2 binary package renamed to python2-unbound + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Thu Oct 12 2017 Paul Wouters - 1.6.7-1 +- Updated to 1.6.7 (minor bugfixes) + +* Tue Oct 03 2017 Petr Menšík - 1.6.6-3 +- Update icannbundle.pem + +* Mon Oct 02 2017 Paul Wouters - 1.6.6-2 +- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics + +* Fri Sep 22 2017 Paul Wouters - 1.6.6-1 +- Resolves: rhbz#1483572 unbound-1.6.6 is available +- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit) + +* Wed Aug 16 2017 Paul Wouters - 1.6.4-4 +- Rebuilt with KSK2017 added to root.key and root.anchor +- Remove noreplace for root key files. We can only improve these files over local copies + +* Thu Aug 03 2017 Fedora Release Engineering - 1.6.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.6.4-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jul 02 2017 Paul Wouters - 1.6.4-1 +- Updated to 1.6.4 full release, patch to allow missing ipsechook +- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook + +* Thu Jun 22 2017 Paul Wouters - 1.6.4-0.rc2 +- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes) + +* Tue Jun 13 2017 Paul Wouters - 1.6.3-1 +- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled) + +* Thu Jun 08 2017 Paul Wouters - 1.6.2-2 +- Patch for cmd: unbound-control set_option val-permissive-mode: yes + +* Wed Apr 26 2017 Paul Wouters - 1.6.2-1 +- Update to 1.6.2 (rhbz#1425649) +- Updated unbound.conf with new options + +* Wed Mar 22 2017 Paul Wouters - 1.6.0-6 +- Call make unbound-event-install to install unbound-event.h + +* Sat Feb 11 2017 Fedora Release Engineering - 1.6.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Jan 18 2017 Paul Wouters - 1.6.0-4 +- Remove obsoleted DLV key + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-3 +- Actually remove dependency because minimum is always satisfied + +* Mon Jan 02 2017 Paul Wouters - 1.6.0-2 +- Depend on openssl-libs, not opensl + +* Wed Dec 21 2016 Kevin Fenzi - 1.6.0-1 +- Update to 1.6.0 + +* Mon Dec 19 2016 Miro Hrončok - 1.5.10-3 +- Rebuild for Python 3.6 + +* Wed Oct 26 2016 Ilya Evseev - 1.5.10-2 +- Bugfix building without python2 and python3 +- Fixup streamtcp build (Paul) + +* Tue Sep 27 2016 Paul Wouters - 1.5.10-1 +- Updated to 1.5.10 (better TCP handling, bugfixes) +- Install pkgconfig file in -devel package +- Updated unbound.conf + +* Tue Jul 19 2016 Fedora Release Engineering - 1.5.9-4 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Jul 07 2016 Paul Wouters - 1.5.9-3 +- Fix upper port range to 60999 because that's what selinux allows + +* Thu Jun 16 2016 Paul Wouters - 1.5.9-2 +- Patch for allowing more queries before failure (needed for query minimalization) + +* Mon Jun 13 2016 Paul Wouters - 1.5.9-1 +- Updated to 1.5.9 + +* Thu Apr 21 2016 Toshio Kuratomi - 1.5.8-2 +- Fix streamtcp to link against libpython3.x instead of libpython2.x + +* Wed Mar 02 2016 Paul Wouters - 1.5.8-1 +- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch +- Updated unbound.conf with new upstream options +- Enabled ip-transparent: yes (see rhbz#1291449) + +* Fri Feb 05 2016 Fedora Release Engineering - 1.5.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jan 21 2016 Tomas Hozza - 1.5.7-2 +- Fix escaping of shell chars in unbound-control-setup (#1294339) + +* Fri Dec 11 2015 Paul Wouters - 1.5.7-1 +- Update to 1.5.7 +- Enable query minimalization for enhanced DNS query privacy +- Enable nxdomain hardening to assist with query minimalization and SBLs +- Updated default unbound.conf for new features from upstream. + +* Fri Nov 13 2015 Tomas Hozza - 1.5.6-1 +- Update to 1.5.6 (#1176729) + +* Wed Nov 04 2015 Robert Kuska - 1.5.5-2 +- Rebuilt for Python3.5 rebuild + +* Wed Oct 07 2015 Tomas Hozza - 1.5.5-1 +- New upstream release 1.5.5 (#1269137) +- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2) + +* Tue Sep 15 2015 Tomas Hozza - 1.5.4-5 +- Removed dependency and ordering on unbound-anchor.service in unbound.service + +* Thu Sep 03 2015 Tomas Hozza - 1.5.4-4 +- Prefer Python3 build over Python2 build for now (#1254566) + +* Mon Jul 20 2015 Tomas Hozza - 1.5.4-3 +- Added ExecReload section to unbound.service (#1195785) +- Removed After syslog.target since it is not needed any more + +* Thu Jul 16 2015 Tomas Hozza - 1.5.4-2 +- Start unbound-anchor.timer only on new installations +- Rename root.anchor to root.key in %%post section + +* Tue Jul 14 2015 Paul Wouters - 1.5.4-1 +- Update to 1.5.4 +- Removed patches merged into upstream + +* Tue Jun 16 2015 Tomas Hozza - 1.5.3-8 +- Revert: Use low maximum negative cache TTL (5 sec) (#1229596) + +* Mon Jun 15 2015 Tomas Hozza - 1.5.3-7 +- Add option for maximum negative cache TTL (#1229599) +- Use low maximum negative cache TTL (5 sec) (#1229596) + +* Tue May 26 2015 Tomas Hozza - 1.5.3-6 +- Removed usage of DLV from the default configuration (#1223363) + +* Wed May 13 2015 Tomas Hozza - 1.5.3-5 +- unbound.service now Wants unbound-anchor.timer +- unbound-anchor man page moved to the unbound-libs + +* Mon May 11 2015 Paul Wouters - 1.5.3-4 +- Fixup scriptlets causing systemctl: command not found +- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs + +* Mon Apr 27 2015 Tomas Hozza - 1.5.3-3 +- migrate cronjob to systemd timer unit (#1177285) +- change the period for unbound-anchor from monthly to daily (#1180267) +- Thanks to Tomasz Torcz for the initial patch + +* Thu Apr 16 2015 Tomas Hozza - 1.5.3-2 +- Fix FTBFS (#1206129) +- Build python3-unbound and python-unbound bindings for Python 3 and 2 (#1188080) + +* Mon Mar 16 2015 Paul Wouters - 1.5.3-1 +- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling +- Updated to 1.5.2 which fixes DNSSEC validation with different + trust anchors upstream, local-zone has a new keyword 'inform' + +* Mon Feb 02 2015 Paul Wouters - 1.5.1-4 +- Build with --enable-ecdsa + +* Sun Feb 01 2015 Paul Wouters - 1.5.1-3 +- Fix post to create root.anchor, not root.key, to match cron job + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-2 +- Change systemd-units to systemd +- Use _tmpfilesdir macro, don't mark tmpfiles as config + +* Tue Dec 09 2014 Paul Wouters - 1.5.1-1 +- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066) +- Removed unbound-aarch64.patch which was merged upstream +- Don't require autotools for non snapshots or run autoreconf + +* Fri Nov 28 2014 Tomas Hozza - 1.5.1-0.1.rc1 +- update to 1.5.1rc1 + +* Fri Nov 28 2014 Marcin Juszkiewicz - 1.5.0-3 +- fix build on aarch64 + +* Wed Nov 26 2014 Tomas Hozza - 1.5.0-2 +- Fix race condition in arc4random (#1166878) + +* Wed Nov 19 2014 Tomas Hozza - 1.5.0-1 +- update to 1.5.0 + +* Wed Sep 24 2014 Pavel Šimerda - 1.4.22-6 +- Resolves: #1115489 - build with python 3.x for fedora >= 22 + +* Thu Aug 21 2014 Kevin Fenzi - 1.4.22-5 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.4.22-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.4.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 01 2014 Paul Wouters - 1.4.22-2 +- Added flushcache patch (SVN commit 3125) + +* Thu Mar 13 2014 Paul Wouters - 1.4.22-1 +- Updated to 1.4.22 +- No longer requires the ldns library + +* Thu Jan 16 2014 Tomas Hozza - 1.4.21-3 +- Fix segfault on adding insecure forward zone when using only iterator (#1054192) + +* Mon Oct 21 2013 Tomas Hozza - 1.4.21-2 +- run test suite during the build + +* Thu Sep 19 2013 Paul Wouters - 1.4.21-1 +- Updated to 1.4.21, +- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit) +- Removed patched merged in by upstream +- Enable statistics-cumulative for munin-plugin +- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions +- Updated unbound.conf + +* Mon Aug 26 2013 Tomas Hozza - 1.4.20-19 +- Fix errors found by static analysis of source + +* Mon Aug 12 2013 Paul Wouters - 1.4.20-18 +- Change unbound.conf to only use ephemeral ports (32768-65535) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.4.20-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Jul 22 2013 Tomas Hozza - 1.4.20-16 +- provide man page for unbound-streamtcp + +* Mon Jul 08 2013 Paul Wouters - 1.4.20-15 +- Re-introduce hardening flags for full relro and pie +- Fixes compilation failure for python module + +* Wed Jul 03 2013 Tomas Hozza - 1.4.20-14 +- remove missing unbound-rootkey.service from post/preun/postun sections +- don't hardcode hardening flags, let hardened build macro handles it + +* Sat Jun 01 2013 Paul Wouters - 1.4.20-13 +- Run unbound-anchor as user unbound in unbound.service + +* Tue May 28 2013 Paul Wouters - 1.4.20-12 +- Enable round-robin (with noths() patch) +- Change cron and systemd service to use root.key, not root.anchor + +* Sat May 25 2013 Paul Wouters - 1.4.20-10 +- Use /var/lib/unbound/root.key (more consistent with other distros) +- Enable minimal responses + +* Mon Apr 22 2013 Paul Wouters - 1.4.20-8 +- Refix + +* Fri Apr 19 2013 Paul Wouters - 1.4.20-7 +- Fix runuser call in post. + +* Tue Apr 16 2013 Paul Wouters - 1.4.20-6 +- /var/lib/unbound should be owned by unbound. group write is not enough + +* Fri Apr 12 2013 Paul Wouters - 1.4.20-5 +- Fix cron job syntax (rhbz#951725) +- Use install -p to prevent .rpmnew files that are identical to originals + +* Mon Apr 8 2013 Paul Wouters - 1.4.20-4 +- Updated to 1.4.20 +- Build with full RELRO (not use -z,relro but with -z,relo,-z,now) +- Fixup man page for unbound-control-setup +- unbound.service should start before nss-lookup.target (rhbz#919955) +- Removed patch for rhbz#888759 merged in upstream +- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008) +- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs +- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691) +- Remove Obsolete/Provides for dnssec-conf which was last seen in f13 +- Ensure any unbound-anchor failure in post is ignored + +* Tue Mar 05 2013 Adam Tkac - 1.4.19-5 +- build with full RELRO +- symlink unbound-control-setup.8 manpage to unbound-control.8 + +* Fri Feb 15 2013 Fedora Release Engineering - 1.4.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 12 2012 Paul Wouters - 1.4.19-3 +- Updated to 1.4.19 - this integrates all existing patches +- Patch for unbound-anchor (rhbz#888759) + +* Fri Nov 09 2012 Paul Wouters - 1.4.18-6 +- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd +- added unbound-munin.README file + +* Wed Sep 26 2012 Paul Wouters - 1.4.18-5 +- Patch to allow wildcards in include: statements +- Add directories /etc/unbound/keys.d,conf.d,local.d with + example entries +- Added /etc/unbound/root.anchor, maintained by unbound-anchor + which is installed as monthly cron and PreExec in systemd config + (root.key is unused, but left installed in case people depend on it) +- Native systemd (simple) and /etc/sysconfig/unbound support +- Run unbound-checkconf in PreExec +- Moved trust anchor related files to unbound-libs, as they can + be used without the daemon. +- sub packages now depends on base package of same arch +- Build munin package as noarch +- unbound-anchor moved to unbound-libs package. It is needed + to update the root.anchor key file. + +* Tue Sep 04 2012 Paul Wouters - 1.4.18-3 +- Fix openssl thread locking bug under high query load + +* Thu Aug 23 2012 Paul Wouters - 1.4.18-2 +- Use new systemd-rpm macros (rhbz#850351) +- Clean up old obsoleted dnssec-conf from < fedora 15 + +* Fri Aug 03 2012 Paul Wouters - 1.4.18-1 +- Updated to 1.4.18 (FIPS related fixes mostly) +- Removed patches that were merged in upstream +- Added comment to root.key + +* Mon Jul 23 2012 Paul Wouters - 1.4.17-5 +- Fix for unbound crasher (upstream bug #452) +- Support libunbound functions in man pages and place in -devel + +* Sun Jul 22 2012 Fedora Release Engineering - 1.4.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue Jul 03 2012 Paul Wouters - 1.4.17-3 +- unbound FIPS patches for MD5,randomness (rhbz#835106) + +* Fri Jun 15 2012 Adam Tkac - 1.4.17-2 +- don't build unbound-munin on RHEL + +* Thu May 24 2012 Paul Wouters - 1.4.17-1 +- Updated to 1.4.17 (which mostly brings in patches we already + applied from svn trunk) + +* Wed Feb 29 2012 Paul Wouters - 1.4.16-3 +- Since the daemon links to the libs staticly, add Requires: + (this is rhbz#745288) +- Package up streamtcp as unbound-streamtcp (for monitoring) + +* Mon Feb 27 2012 Paul Wouters - 1.4.16-2 +- Don't ghost the directory (rhbz#788805) +- Patch for unbound to support unbound-control forward_zone + (needed for openswan in XAUTH mode) + +* Thu Feb 02 2012 Paul Wouters - 1.4.16-1 +- Upgraded to 1.4.16, which was relesed due to the soname + and some DNSSEC validation failures + +* Wed Feb 01 2012 Paul Wouters - 1.4.15-2 +- Patch for SONAME version (libtool's -version-number vs -version-info) + +* Fri Jan 27 2012 Paul Wouters - 1.4.15-1 +- Upgraded to 1.4.15 +- Updated unbound.conf to show how to configure listening on tls443 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.4.14-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Dec 19 2011 Paul Wouters - 1.4.14-1 +- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659 +- SSL-wrapped query support for dnssec-trigger +- EDNS handling changes +- Removed integrated EDNS patches +- Disabled use-caps-for-id, GoDaddy domains now break on it +- Enabled new harden-below-nxdomain + +* Thu Sep 15 2011 Paul Wouters - 1.4.13-1 +- Upgraded to 1.4.13 +- Removed merged in pythonmod patch +- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks +- Fix python to go into sitearch instead of sitelib + +* Wed Sep 14 2011 Tom Callaway - 1.4.12-4 +- convert to systemd, tmpfiles.d + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-3 +- Added pythonmod docs and examples + +* Mon Aug 08 2011 Paul Wouters - 1.4.12-2 +- Fix for python module load in the server (Tom Hendrikx) +- No longer enable --enable-debug as it causes degraded performance + under load. + +* Mon Jul 18 2011 Paul Wouters - 1.4.12-1 +- Updated to 1.4.12 + +* Sun Jul 03 2011 Paul Wouters - 1.4.11-1 +- Updated to 1.4.11 +- removed integrated CVE patch +- updated stock unbound.conf for new options introduced + +* Mon Jun 06 2011 Paul Wouters - 1.4.10-1 +- Added ghost for /var/run/unbound (bz#656710) + +* Mon Jun 06 2011 Paul Wouters - 1.4.9-3 +- rebuilt + +* Wed May 25 2011 Paul Wouters - 1.4.9-2 +- Applied patch for CVE-2011-1922 DoS vulnerability + +* Sun Mar 27 2011 Paul Wouters - 1.4.9-1 +- Updated to 1.4.9 + +* Sat Feb 12 2011 Paul Wouters - 1.4.8-2 +- rebuilt + +* Tue Jan 25 2011 Paul Wouters - 1.4.8-1 +- Updated to 1.4.8 +- Enable root key for DNSSEC +- Fix unbound-munin to use proper file (could cause excessive logging) +- Build unbound-python per default +- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-4 +- Revert last build - it was on the wrong branch + +* Tue Oct 26 2010 Paul Wouters - 1.4.5-3 +- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines + (see comments in inbound.conf) + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-2 +- Bump release - forgot to upload the new tar ball. + +* Tue Jun 15 2010 Paul Wouters - 1.4.5-1 +- Upgraded to 1.4.5 + +* Mon May 31 2010 Paul Wouters - 1.4.4-2 +- Added accidentally omitted svn patches to cvs + +* Mon May 31 2010 Paul Wouters - 1.4.4-1 +- Upgraded to 1.4.4 with svn patches +- Obsolete dnssec-conf to ensure it is de-installed + +* Thu Mar 11 2010 Paul Wouters - 1.4.3-1 +- Update to 1.4.3 that fixes 64bit crasher + +* Tue Mar 09 2010 Paul Wouters - 1.4.2-1 +- Updated to 1.4.2 +- Updated unbound.conf with new options +- Enabled pre-fetching DNSKEY records (DNSSEC speedup) +- Enabled re-fetching popular records before they expire +- Enabled logging of DNSSEC validation errors + +* Mon Mar 01 2010 Paul Wouters - 1.4.1-5 +- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues + with pthreads + +* Wed Feb 24 2010 Paul Wouters - 1.4.1-3 +- Change make/configure lines to attempt to fix -lphtread linking issue + +* Thu Feb 18 2010 Paul Wouters - 1.4.1-2 +- Removed dependancy for dnssec-conf +- Added ISC DLV key (formerly in dnssec-conf) +- Fixup old DLV locations in unbound.conf file via %%post +- Fix parent child disagreement handling and no-ipv6 present [svn r1953] + +* Tue Jan 05 2010 Paul Wouters - 1.4.1-1 +- Updated to 1.4.1 +- Changed %%define to %%global + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-2 +- Bump version + +* Thu Oct 08 2009 Paul Wouters - 1.3.4-1 +- Upgraded to 1.3.4. Security fix with validating NSEC3 records + +* Fri Aug 21 2009 Tomas Mraz - 1.3.3-2 +- rebuilt with new openssl + +* Mon Aug 17 2009 Paul Wouters - 1.3.3-1 +- Updated to 1.3.3 + +* Sun Jul 26 2009 Fedora Release Engineering - 1.3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-2 +- Added missing glob patch to cvs +- Place python macros within the %%with_python check + +* Sat Jun 20 2009 Paul Wouters - 1.3.0-1 +- Updated to 1.3.0 +- Added unbound-python sub package. disabled for now +- Patch from svn to fix DLV lookups +- Patches from svn to detect wrong truncated response from BIND 9.6.1 with + minimal-responses) +- Added Default-Start and Default-Stop to unbound.init +- Re-enabled --enable-sha2 +- Re-enabled glob.patch + +* Wed May 20 2009 Paul Wouters - 1.2.1-7 +- unbound-iterator.patch was not commited + +* Wed May 20 2009 Paul Wouters - 1.2.1-6 +- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793 + +* Tue Mar 17 2009 Paul Wouters - 1.2.1-5 +- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys + +* Tue Mar 10 2009 Adam Tkac - 1.2.1-4 +- enable DNSSEC only if it is enabled in sysconfig/dnssec + +* Mon Mar 09 2009 Adam Tkac - 1.2.1-3 +- add DNSSEC support to initscript and enabled it per default +- add requires dnssec-conf + +* Wed Feb 25 2009 Fedora Release Engineering - 1.2.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Feb 10 2009 Paul Wouters - 1.2.0-2 +- rebuild with new openssl + +* Wed Jan 14 2009 Paul Wouters - 1.1.1-7 +- Modified scandir patch to silently fail when wildcard matches nothing +- Patch to allow unbound-checkconf to find empty wildcard matches + +* Mon Jan 5 2009 Paul Wouters - 1.1.1-6 +- Added scandir patch for trusted-keys-file: option, which + is used to load multiple dnssec keys in bind file format + +* Mon Dec 8 2008 Paul Wouters - 1.1.1-4 +- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules. + +* Mon Dec 1 2008 Paul Wouters - 1.1.1-3 +- We did not own the /etc/unbound directory (#474020) +- Fixed cvs anomalies + +* Fri Nov 28 2008 Adam Tkac - 1.1.1-2 +- removed all obsolete chroot related stuff +- label control certs after generation correctly + +* Thu Nov 20 2008 Paul Wouters - 1.1.1-1 +- Updated to unbound 1.1.1 which fixes a crasher and + addresses nlnetlabs bug #219 + +* Wed Nov 19 2008 Paul Wouters - 1.1.0-3 +- Remove the chroot, obsoleted by SElinux +- Add additional munin plugin links supported by unbound plugin +- Move configuration directory from /var/lib/unbound to /etc/unbound +- Modified unbound.init and unbound.conf to account for chroot changes +- Updated unbound.conf with new available options +- Enabled dns-0x20 protection per default + +* Wed Nov 19 2008 Adam Tkac - 1.1.0-2 +- unbound-1.1.0-log_open.patch + - make sure log is opened before chroot call + - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219 +- removed /dev/log and /var/run/unbound and /etc/resolv.conf from + chroot, not needed +- don't mount files in chroot, it causes problems during updates +- fixed typo in default config file + +* Fri Nov 14 2008 Paul Wouters - 1.1.0-1 +- Updated to version 1.1.0 +- Updated unbound.conf's statistics options and remote-control + to work properly for munin +- Added unbound-munin package +- Generate unbound remote-control key/certs on first startup +- Required ldns is now 1.4.0 + +* Wed Oct 22 2008 Paul Wouters - 1.0.2-5 +- Only call ldconfig in -libs package +- Move configure into build section +- devel subpackage should only depend on libs subpackage + +* Tue Oct 21 2008 Paul Wouters - 1.0.2-4 +- Fix CFLAGS getting lost in build +- Don't enable interface-automatic:yes because that + causes unbound to listen on 0.0.0.0 instead of 127.0.0.1 + +* Sun Oct 19 2008 Paul Wouters - 1.0.2-3 +- Split off unbound-libs, make build verbose + +* Thu Oct 9 2008 Paul Wouters - 1.0.2-2 +- FSB compliance, chroot fixes, initscript fixes + +* Thu Sep 11 2008 Paul Wouters - 1.0.2-1 +- Upgraded to 1.0.2 + +* Wed Jul 16 2008 Paul Wouters - 1.0.1-1 +- upgraded to new release + +* Wed May 21 2008 Paul Wouters - 1.0.0-2 +- Build against ldns-1.3.0 + +* Wed May 21 2008 Paul Wouters - 1.0.0-1 +- Split of -devel package, fixed dependancies, make rpmlint happy + +* Fri Apr 25 2008 Wouter Wijngaards - 0.12 +- Using parts from ports collection entry by Jaap Akkerhuis. +- Using Fedoraproject wiki guidelines. + +* Wed Apr 23 2008 Wouter Wijngaards - 0.11 +- Initial version.