diff --git a/.gitignore b/.gitignore
index 91e53cc..5c781e9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/unbound-1.13.1.tar.gz
+SOURCES/unbound-1.16.2.tar.gz
diff --git a/.unbound.metadata b/.unbound.metadata
index 18eae4c..c8b7a90 100644
--- a/.unbound.metadata
+++ b/.unbound.metadata
@@ -1 +1 @@
-561522b06943f6d1c33bd78132db1f7020fc4fd1 SOURCES/unbound-1.13.1.tar.gz
+9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
diff --git a/SOURCES/icannbundle.pem b/SOURCES/icannbundle.pem
index d76ce0b..ceeef5b 100644
--- a/SOURCES/icannbundle.pem
+++ b/SOURCES/icannbundle.pem
@@ -1,59 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Dec 23 04:19:12 2009 GMT - Not After : Dec 18 04:19:12 2029 GMT - Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: - bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: - 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: - 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: - fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: - 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: - e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: - d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: - e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: - 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: - 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: - ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: - 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: - 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: - 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: - 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: - 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: - 85:41 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - Signature Algorithm: sha256WithRSAEncryption - 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: - 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: - c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: - b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: - 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: - 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: - 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: - 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: - 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: - 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: - c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: - 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: - 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: - 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: - e7:40:61:a4 -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV 
@@ -75,163 +19,3 @@ DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH 0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk -----END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 11 (0xb) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:39:47 2016 GMT - Not After : Nov 6 23:39:47 2026 GMT - Subject: O=ICANN, CN=ICANN EMAIL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: - 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: - c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: - 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: - 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: - fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: - a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: - 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: - db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: - d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: - 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: - 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: - b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: - d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: - 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: - fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: - 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: - 4d:b1 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 - Signature Algorithm: sha256WithRSAEncryption - 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18: - 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87: - 
95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af: - 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4: - 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d: - 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71: - e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e: - b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd: - d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46: - ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd: - 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff: - 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e: - 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b: - e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf: - be:7e:36:be ------BEGIN CERTIFICATE----- -MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX -DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O -IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz -9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 -jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 -LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 -ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK -VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI -QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE -AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU -ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj -tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr -SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE -lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb -CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0 -DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI -SMNGv75+Nr4= ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - 
Serial Number: 10 (0xa) - Signature Algorithm: sha256WithRSAEncryption - Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US - Validity - Not Before: Nov 8 23:38:16 2016 GMT - Not After : Nov 6 23:38:16 2026 GMT - Subject: O=ICANN, CN=ICANN SSL CA - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: - 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: - 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: - e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: - 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: - 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: - dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: - 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: - f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: - d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: - f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: - 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: - 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: - 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: - e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: - 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: - 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: - e2:c5 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Authority Key Identifier: - keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 - - X509v3 Subject Key Identifier: - 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 - Signature Algorithm: sha256WithRSAEncryption - 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4: - 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97: - cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69: - 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54: - 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08: - 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e: - 
fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81: - e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88: - f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d: - c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a: - 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50: - 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e: - 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a: - 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99: - 2d:70:f2:08 ------BEGIN CERTIFICATE----- -MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO -TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV -BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX -DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O -IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z -K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 -VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo -nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz -kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 -yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H -kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 -qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8 -K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq -tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR -Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU -C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC -jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur -T5ktcPII ------END CERTIFICATE----- diff --git a/SOURCES/unbound-1.13.1-rh1952814.patch b/SOURCES/unbound-1.13.1-rh1952814.patch deleted file mode 100644 index 261ed20..0000000 --- a/SOURCES/unbound-1.13.1-rh1952814.patch +++ /dev/null 
@@ -1,204 +0,0 @@ -diff --git a/config.h.in b/config.h.in -index 103ad9f..0bb29d9 100644 ---- a/config.h.in -+++ b/config.h.in -@@ -847,6 +847,14 @@ - /* Define if you enable libevent */ - #undef USE_LIBEVENT - -+/* WARNING! This is only for the libunbound on Linux and does not affect -+ unbound resolving daemon itself. This may severely limit the number of -+ available outgoing ports and thus decrease randomness. Define this only -+ when the target system restricts (e.g. some of SELinux enabled -+ distributions) the use of non-ephemeral ports. Define this to enable use of -+ /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range. */ -+#undef USE_LINUX_IP_LOCAL_PORT_RANGE -+ - /* Define if you want to use internal select based events */ - #undef USE_MINI_EVENT - -diff --git a/configure b/configure -index c91e8a3..826dce9 100755 ---- a/configure -+++ b/configure -@@ -898,6 +898,7 @@ enable_ipsecmod - enable_ipset - with_libmnl - enable_explicit_port_randomisation -+enable_linux_ip_local_port_range - with_libunbound_only - ' - ac_precious_vars='build_alias -@@ -1590,6 +1591,16 @@ Optional Features: - --disable-explicit-port-randomisation - disable explicit source port randomisation and rely - on the kernel to provide random source ports -+ --enable-linux-ip-local-port-range -+ WARNING! This is only for the libunbound on Linux -+ and does not affect unbound resolving daemon itself. -+ This may severely limit the number of available -+ outgoing ports and thus decrease randomness. Use -+ this option only when the target system restricts -+ the use of non-ephemeral ports. (e.g. some of -+ SELinux enabled distributions) Enable this option to -+ use /proc/sys/net/ipv4/ip_local_port_range as a -+ default outgoing port range - - Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] -@@ -4202,6 +4213,13 @@ else - else on_mingw="no"; fi - fi - -+# are we on Linux? 
-+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" -+else -+ if echo $host $target | grep linux >/dev/null; then on_linux="yes" -+ else on_linux="no"; fi -+fi -+ - # - # Determine configuration file - # the eval is to evaluate shell expansion twice -@@ -21588,6 +21606,23 @@ $as_echo "#define DISABLE_EXPLICIT_PORT_RANDOMISATION 1" >>confdefs.h - ;; - esac - -+if test $on_linux = "yes"; then -+ # Check whether --enable-linux-ip-local-port-range was given. -+if test "${enable_linux_ip_local_port_range+set}" = set; then : -+ enableval=$enable_linux_ip_local_port_range; -+fi -+ -+ case "$enable_linux_ip_local_port_range" in -+ yes) -+ -+$as_echo "#define USE_LINUX_IP_LOCAL_PORT_RANGE 1" >>confdefs.h -+ -+ ;; -+ no|*) -+ ;; -+ esac -+fi -+ - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 - $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } -diff --git a/configure.ac b/configure.ac -index 2d88048..1207047 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -152,6 +152,13 @@ else - else on_mingw="no"; fi - fi - -+# are we on Linux? -+if uname -s 2>&1 | grep -i linux >/dev/null; then on_linux="yes" -+else -+ if echo $host $target | grep linux >/dev/null; then on_linux="yes" -+ else on_linux="no"; fi -+fi -+ - # - # Determine configuration file - # the eval is to evaluate shell expansion twice -@@ -1847,6 +1854,17 @@ case "$enable_explicit_port_randomisation" in - ;; - esac - -+if test $on_linux = "yes"; then -+ AC_ARG_ENABLE(linux-ip-local-port-range, AC_HELP_STRING([--enable-linux-ip-local-port-range], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Use this option only when the target system restricts the use of non-ephemeral ports. (e.g. 
some of SELinux enabled distributions) Enable this option to use /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range])) -+ case "$enable_linux_ip_local_port_range" in -+ yes) -+ AC_DEFINE([USE_LINUX_IP_LOCAL_PORT_RANGE], [1], [WARNING! This is only for the libunbound on Linux and does not affect unbound resolving daemon itself. This may severely limit the number of available outgoing ports and thus decrease randomness. Define this only when the target system restricts (e.g. some of SELinux enabled distributions) the use of non-ephemeral ports. Define this to enable use of /proc/sys/net/ipv4/ip_local_port_range as a default outgoing port range.]) -+ ;; -+ no|*) -+ ;; -+ esac -+fi -+ - - AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) - # on openBSD, the implicit rule make $< work. -diff --git a/libunbound/context.c b/libunbound/context.c -index cff2831..48d76d9 100644 ---- a/libunbound/context.c -+++ b/libunbound/context.c -@@ -69,6 +69,7 @@ context_finalize(struct ub_ctx* ctx) - } else { - log_init(cfg->logfile, cfg->use_syslog, NULL); - } -+ cfg_apply_local_port_policy(cfg, 65536); - config_apply(cfg); - if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) - return UB_INITFAIL; -diff --git a/util/config_file.c b/util/config_file.c -index 4d87dee..6b90e48 100644 ---- a/util/config_file.c -+++ b/util/config_file.c -@@ -1681,6 +1681,37 @@ int cfg_condense_ports(struct config_file* cfg, int** avail) - return num; - } - -+void cfg_apply_local_port_policy(struct config_file* cfg, int num) { -+(void)cfg; -+(void)num; -+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE -+ { -+ int i = 0; -+ FILE* range_fd; -+ if ((range_fd = fopen(LINUX_IP_LOCAL_PORT_RANGE_PATH, "r")) != NULL) { -+ int min_port = 0; -+ int max_port = num - 1; -+ if (fscanf(range_fd, "%d %d", &min_port, &max_port) == 2) { -+ for(i=0; ioutgoing_avail_ports[i] = 0; -+ } -+ for(i=max_port+1; ioutgoing_avail_ports[i] = 0; -+ } -+ } else { -+ log_err("unexpected port 
range in %s", -+ LINUX_IP_LOCAL_PORT_RANGE_PATH); -+ } -+ fclose(range_fd); -+ } else { -+ log_warn("failed to read from file: %s (%s)", -+ LINUX_IP_LOCAL_PORT_RANGE_PATH, -+ strerror(errno)); -+ } -+ } -+#endif -+} -+ - /** print error with file and line number */ - static void ub_c_error_va_list(const char *fmt, va_list args) - { -diff --git a/util/config_file.h b/util/config_file.h -index 7cf27cc..d091ef7 100644 ---- a/util/config_file.h -+++ b/util/config_file.h -@@ -1172,6 +1172,13 @@ int cfg_mark_ports(const char* str, int allow, int* avail, int num); - */ - int cfg_condense_ports(struct config_file* cfg, int** avail); - -+/** -+ * Apply system specific port range policy. -+ * @param cfg: config file. -+ * @param num: size of the array (65536). -+ */ -+void cfg_apply_local_port_policy(struct config_file* cfg, int num); -+ - /** - * Scan ports available - * @param avail: the array from cfg. -@@ -1301,5 +1308,9 @@ void w_config_adjust_directory(struct config_file* cfg); - /** debug option for unit tests. */ - extern int fake_dsa, fake_sha1; - -+#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE -+#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" -+#endif -+ - #endif /* UTIL_CONFIG_FILE_H */ - diff --git a/SOURCES/unbound-1.13.1-rh1977400.patch b/SOURCES/unbound-1.13.1-rh1977400.patch deleted file mode 100644 index 6447e5e..0000000 --- a/SOURCES/unbound-1.13.1-rh1977400.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/util/net_help.c b/util/net_help.c -index 3b5527a..42a7666 100644 ---- a/util/net_help.c -+++ b/util/net_help.c -@@ -1172,6 +1172,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) - if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & - SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { - log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); -+ SSL_CTX_free(ctx); - return 0; - } - #endif 
diff --git a/SOURCES/unbound-1.13.1-rh1977401.patch b/SOURCES/unbound-1.13.1-rh1977401.patch
deleted file mode 100644
index 4c4c42d..0000000
--- a/SOURCES/unbound-1.13.1-rh1977401.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/dns64/dns64.c b/dns64/dns64.c
-index c79bc9c..fddbc62 100644
---- a/dns64/dns64.c
-+++ b/dns64/dns64.c
-@@ -685,8 +685,12 @@ dns64_operate(struct module_qstate* qstate, enum module_ev event, int id,
- switch(event) {
- case module_event_new:
- /* Tag this query as being new and fall through. */
-- iq = (struct dns64_qstate*)regional_alloc(
-- qstate->region, sizeof(*iq));
-+ if (!(iq = (struct dns64_qstate*)regional_alloc(
-+ qstate->region, sizeof(*iq)))) {
-+ log_err("out of memory");
-+ qstate->ext_state[id] = module_error;
-+ return;
-+ }
- qstate->minfo[id] = iq;
- iq->state = DNS64_NEW_QUERY;
- iq->started_no_cache_store = qstate->no_cache_store;
diff --git a/SOURCES/unbound-1.13.1-rh1991005.patch b/SOURCES/unbound-1.13.1-rh1991005.patch
deleted file mode 100644
index 01264ca..0000000
--- a/SOURCES/unbound-1.13.1-rh1991005.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
-index d58f1b2..5bfe15b 100644
---- a/smallapp/unbound-control.c
-+++ b/smallapp/unbound-control.c
-@@ -492,9 +492,7 @@ static void ssl_path_err(const char* s, const char *path)
- {
- unsigned long err;
- err = ERR_peek_error();
-- if (ERR_GET_LIB(err) == ERR_LIB_SYS &&
-- (ERR_GET_FUNC(err) == SYS_F_FOPEN ||
-- ERR_GET_FUNC(err) == SYS_F_FREAD) ) {
-+ if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
- fprintf(stderr, "error: %s\n%s: %s\n",
- s, path, ERR_reason_error_string(err));
- exit(1);
diff --git a/SOURCES/unbound-1.13.1.tar.gz.asc b/SOURCES/unbound-1.13.1.tar.gz.asc
deleted file mode 100644
index 8124842..0000000
--- a/SOURCES/unbound-1.13.1.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmAiOawACgkQn28cLX4E
-X40R5A//ex9Fe0bR/JQNcpXAFMZ8Wvj7KOW+2VhUsPqVL8s3Iew/hlIqlmP4/dIG
-htygqy8I1VbyIQIJ7HSkQderPLMjyDw7+K7fCNhzzPZO+OMAiXsSslvKXrCBClGI
-1MOAPsKpfV9C9yf4w8t5orvvxHlw21Vqnh9LTcAQekw1+NhCUw3uiLuIkyU4RLS8
-LYdlWOuVhOe6cmR4XTZPGR8zlMZ7Owzgi+o3+g1Gknsr09B28ttJe9LuOg3jHp6I
-LKRpROGZs+8iqYylb85mfEIwRO1lpj+k9D4A+CnJyhY9nUP4k9b/Ywe6qS16yWAs
-s8mzZtAjAgrRCsM+C6hwVo0I2P9mVVy9WfFHNt1Mp4P4XdPbSc2CXLfyBfNkx1ty
-kMnGBiehHC9oZ4QAwTnJ/Bevi0C5OlRt9BIVwvA0ymWGOOHXE4i2SxhUWMEx399s
-2Uqpr3mBd0ZO0HRvKNOY14vF/O1ja+oNTPvnMJyzZKUeTRRHaKF1dr3fNrXlACtE
-GgHihHGaVSM1PA5z4S5Jo6PuZqwn+QBCUYhjFjlsF5d6h8srksxJAnh4GbPRJiUl
-AJEUSCQFOk6dJmrWVLDa+MP003T5DfouJzQX5WZr+M5fNVD1xhZs49Ea4ATSZPrw
-SM+/n+G/UlFue89qqvCrTMErNBXKINRZlir7yIi4UsEiyDUal2E=
-=n/aJ
------END PGP SIGNATURE-----
diff --git a/SOURCES/unbound-1.16.2.tar.gz.asc b/SOURCES/unbound-1.16.2.tar.gz.asc
new file mode 100644
index 0000000..0f94fb9
--- /dev/null
+++ b/SOURCES/unbound-1.16.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE7fqj8spObrBWga+On28cLX4EX40FAmLnudYACgkQn28cLX4E
+X43GmRAAoROXbktLR2AXGEECgPCFlHag9oNZosa3J5yR2vaV4e8eA6AMzPyZbl7P
+LnLon8PZZR+pTW+dDRqakvzJIwXkLeONFgEdvd0cAghWAtPrKCDZIkCyeQj0OOv3
+wt1pRRl2PXUKNZZf0bzpTUIhVsHF/w5f5T/mFAZm49rUDboj77xgokmaFK4kei0I
+Gz4W8Vx3TIwwJc8nea8GtCYIg3UKmR/TMznMFExAoKdMllzKuJnGx5lR/eU0+NRc
+uwWEQhNJrHXZyWethp9swLCrOmDHcgBJOd04TqcDwSIZrw9VuT3/Uza3Tw73N7kr
+PZvF2xSOASL+i91QP6tnkmQD5pAORVpUFN3NePEWV5922iG/pVipaYBbEyV3dfph
+Y4QGwj8G6ppcfjV7gmlxsAOM2gnhD3rDqFmkxau6zB1kktHnV2aqlzIQo396ZBJQ
+hKyIAJlNvpTiFaACD7/cFkE80awJnCD/qvXATN//BWHKytgO8eYg7fZGrxjbpIQk
+XV/vVlOJWRXPyPBnp8MQyCIDe2eq2ELlMfYw62/TNDuj2qKsM/W03cem3GlveOa6
+tw8RVfFFjwZlCLbXSbmsKo+mWJ3jCAvb3/gql52vJDE5FuRz7MvptIVU6DVE1O+J
+mQ3AoQ2Mq9iHsZePfze4sq531DMlWTgBMwqfBTWqMaTC/8VH5rg=
+=Ax9n
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/unbound-keygen.service b/SOURCES/unbound-keygen.service
index f5e6535..b169002 100644
--- a/SOURCES/unbound-keygen.service
+++ b/SOURCES/unbound-keygen.service
@@ -13,7 +13,6 @@ Type=oneshot
 Group=unbound
 ExecStart=/usr/sbin/unbound-control-setup -d /etc/unbound/
 ExecStart=/sbin/restorecon /etc/unbound/*
-RemainAfterExit=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf
index e414f9c..977d39f 100644
--- a/SOURCES/unbound.conf
+++ b/SOURCES/unbound.conf
@@ -98,14 +98,14 @@ server:
 # num-queries-per-thread, or, use as many as the OS will allow you.
 # outgoing-range: 4096
 
- # permit unbound to use this port number or port range for
+ # permit Unbound to use this port number or port range for
 # making outgoing queries, using an outgoing interface.
 # Only ephemeral ports are allowed by SElinux
 outgoing-port-permit: 32768-60999
 
- # deny unbound the use this of port number or port range for
+ # deny Unbound the use this of port number or port range for
 # making outgoing queries, using an outgoing interface.
- # Use this to make sure unbound does not grab a UDP port that some
+ # Use this to make sure Unbound does not grab a UDP port that some
 # other server on this computer needs. The default is to avoid
 # IANA-assigned port numbers.
 # If multiple outgoing-port-permit and outgoing-port-avoid options
@@ -238,7 +238,7 @@ server:
 # do-ip6: yes
 
 # Enable UDP, "yes" or "no".
- # NOTE: if setting up an unbound on tls443 for public use, you might want to
+ # NOTE: if setting up an Unbound on tls443 for public use, you might want to
 # disable UDP to avoid being used in DNS amplification attacks.
 # do-udp: yes
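Review bot: With `RemainAfterExit=yes` gone, this `Type=oneshot` unit is reported inactive as soon as `unbound-control-setup` and `restorecon` return, so anything that pulls it in with `Requires=`/`Wants=` re-runs both commands on every start, and a `Requisite=`/`BindsTo=` dependency on it would now fail; which of these unbound.service uses is not visible here. As far as I recall unbound-control-setup only generates key and certificate files that are missing unless `-r` is given, so the re-run should leave existing key material alone, but that assumption is exactly what makes this change safe and should be recorded in the unit: `# oneshot without RemainAfterExit: re-running unbound-control-setup is idempotent, existing keys are kept (do not add -r here)`. If unbound.service only needs the files to exist before it starts, `After=` ordering is what guarantees that, not the unit's active state.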
@@ -275,7 +275,7 @@ server:
 # use-systemd: no
 
 # Detach from the terminal, run in background, "yes" or "no".
- # Set the value to "no" when unbound runs as systemd service.
+ # Set the value to "no" when Unbound runs as systemd service.
 # do-daemonize: yes
 
 # control which clients are allowed to make (recursive) queries
@@ -328,7 +328,7 @@ server:
 # The pid file can be absolute and outside of the chroot, it is
 # written just prior to performing the chroot and dropping permissions.
 #
- # Additionally, unbound may need to access /dev/urandom (for entropy).
+ # Additionally, Unbound may need to access /dev/urandom (for entropy).
 # How to do this is specific to your OS.
 #
 # If you give "" no chroot is performed. The path must not end in a /.
@@ -393,18 +393,28 @@ server:
 # enable to not answer version.server and version.bind queries.
 # hide-version: no
 
- # NSID identity (hex string, or "ascii_somestring"). default disabled.
- # nsid: "aabbccdd"
+ # enable to not set the User-Agent HTTP header.
+ # hide-http-user-agent: no
 
 # enable to not answer trustanchor.unbound queries.
 # hide-trustanchor: no
 
+ # enable to not set the User-Agent HTTP header.
+ # hide-http-user-agent: no
+
 # the identity to report. Leave "" or default to return hostname.
 # identity: ""
 
 # the version to report. Leave "" or default to return package version.
 # version: ""
 
+ # NSID identity (hex string, or "ascii_somestring"). default disabled.
+ # nsid: "aabbccdd"
+
+ # User-Agent HTTP header to use. Leave "" or default to use package name
+ # and version.
+ # http-user-agent: ""
+
 # the target fetch policy.
 # series of integers describing the policy per dependency depth.
 # The number of values in the list determines the maximum dependency
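Review bot: The pair `# enable to not set the User-Agent HTTP header.` / `# hide-http-user-agent: no` is added twice in the `@@ -393,18 +393,28 @@` hunk: once in place of the removed nsid block directly after `# hide-version: no`, and again after `# hide-trustanchor: no`. Both copies are commented out, so the running daemon is unaffected, but a shipped default config that documents one option twice invites someone to uncomment both with different values and then wonder which one wins. Drop the first copy (the two `+` lines that follow `# hide-version: no`) and keep the one beside `hide-trustanchor`; the nsid block that used to sit there is already re-added lower in the same hunk next to `http-user-agent`.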
@@ -532,7 +542,7 @@ server:
 # Use several entries, one per domain name, to track multiple zones.
 #
 # If you want to perform DNSSEC validation, run unbound-anchor before
- # you start unbound (i.e. in the system boot scripts). And enable:
+ # you start Unbound (i.e. in the system boot scripts). And enable:
 # Please note usage of unbound-anchor root anchor is at your own risk
 # and under the terms of our LICENSE (see that file in the source).
 # auto-trust-anchor-file: "/var/lib/unbound/root.key"
@@ -584,6 +594,10 @@ server:
 # val-sig-skew-min: 3600
 # val-sig-skew-max: 86400
 
+ # The maximum number the validator should restart validation with
+ # another authority in case of failed validation.
+ # val-max-restart: 5
+
 # Should additional section of secure message also be kept clean of
 # unsecure data. Useful to shield the users of this validator from
 # potential bogus data in the additional section. All unsigned data
@@ -599,7 +613,7 @@ server:
 val-permissive-mode: no
 
 # Ignore the CD flag in incoming queries and refuse them bogus data.
- # Enable it if the only clients of unbound are legacy servers (w2008)
+ # Enable it if the only clients of Unbound are legacy servers (w2008)
 # that set CD but cannot validate themselves.
 # ignore-cd-flag: no
 
@@ -616,7 +630,7 @@ server:
 # that the expired records will be served as long as there are queries
 # for it.
 # serve-expired-ttl-reset: no
-
+ #
 # TTL value to use when replying with expired data.
 # serve-expired-reply-ttl: 30
 #
@@ -629,7 +643,7 @@ server:
 # Return the original TTL as received from the upstream name server rather
 # than the decrementing TTL as stored in the cache. Enabling this feature
- # does not impact cache expiry, it only changes the TTL unbound embeds in
+ # does not impact cache expiry, it only changes the TTL Unbound embeds in
 # responses to queries. Note that enabling this feature implicitly disables
 # enforcement of the configured minimum and maximum TTL.
 # serve-original-ttl: no
@@ -642,7 +656,10 @@ server:
 # keysize. Keep this table very short, as linear search is done.
 # A message with an NSEC3 with larger count is marked insecure.
 # List in ascending order the keysize and count values.
- # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+ # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
+
+ # if enabled, ZONEMD verification failures do not block the zone.
+ # zonemd-permissive-mode: no
 
 # instruct the auto-trust-anchor-file probing to add anchors after ttl.
 # add-holddown: 2592000 # 30 days
@@ -719,9 +736,9 @@ server:
 # Add example.com into ipset
 # local-zone: "example.com" ipset
 
- # If unbound is running service for the local host then it is useful
+ # If Unbound is running service for the local host then it is useful
 # to perform lan-wide lookups to the upstream, and unblock the
- # long list of local-zones above. If this unbound is a dns server
+ # long list of local-zones above. If this Unbound is a dns server
 # for a network of computers, disabled is better and stops information
 # leakage of local lan information.
 # unblock-lan-zones: no
@@ -795,6 +812,10 @@ server:
 # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
 # cipher setting for TLSv1.3
 # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+ # Fedora/RHEL: use system-wide crypto policies
+ tls-ciphers: "PROFILE=SYSTEM"
+ # TODO: ask system-wide crypto people what to use here
+ #tls-ciphersuites: "PROFILE=SYSTEM" # does not work
 
 # Pad responses to padded queries received over TLS
 # pad-responses: yes
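Review bot: In the `@@ -795,6 +812,10 @@` hunk `tls-ciphers: "PROFILE=SYSTEM"` becomes active, but the `# TODO: ask system-wide crypto people what to use here` line above the commented `tls-ciphersuites` ships verbatim in the distribution default and leaves the TLS 1.3 side undocumented: a reader cannot tell whether TLS 1.3 suites follow the system crypto policy or OpenSSL's built-in list. A TODO is not an acceptable explanation in a default config; replace it with the confirmed reason, e.g. `# tls-ciphersuites is intentionally unset: PROFILE=SYSTEM only applies to the TLS 1.2 cipher list; TLS 1.3 suites come from the system OpenSSL configuration installed by crypto-policies`. Presumably these two options govern Unbound's own TLS listeners; whether outgoing TLS to forwarders is bound by the same policy is not visible here and deserves a sentence as well.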
@@ -901,7 +922,7 @@ server:
 # the number of servers that will be used in the fast server selection.
 # fast-server-num: 3
 
- # Specific options for ipsecmod. unbound needs to be configured with
+ # Specific options for ipsecmod. Unbound needs to be configured with
 # --enable-ipsecmod for these to take effect.
 #
 # Enable or disable ipsecmod (it still needs to be defined in
@@ -915,7 +936,7 @@ server:
 # ipsecmod-hook: "./my_executable"
 ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
 
- # When enabled unbound will reply with SERVFAIL if the return value of
+ # When enabled Unbound will reply with SERVFAIL if the return value of
 # the ipsecmod-hook is not 0.
 # ipsecmod-strict: no
 #
@@ -931,6 +952,13 @@ server:
 # ipsecmod-allow: "example.com"
 # ipsecmod-allow: "nlnetlabs.nl"
 
+ # Timeout for REUSE entries in milliseconds.
+ # tcp-reuse-timeout: 60000
+ # Max number of queries on a reuse connection.
+ # max-reuse-tcp-queries: 200
+ # Timeout in milliseconds for TCP queries to auth servers.
+ # tcp-auth-query-timeout: 3000
+
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
@@ -941,6 +969,17 @@ python:
 # Script file to load
 # python-script: "/etc/unbound/ubmodule-tst.py"
 
+# Dynamic library config section. To enable:
+# o use --with-dynlibmodule to configure before compiling.
+# o list dynlib in the module-config string (above) to enable.
+# It can be placed anywhere, the dynlib module is only a very thin wrapper
+# to load modules dynamically.
+# o and give a dynlib-file to run. If more than one dynlib entry is listed in
+# the module-config then you need one dynlib-file per instance.
+dynlib:
+ # Script file to load
+ # dynlib-file: "/etc/unbound/dynlib.so"
+
 # Remote control config section.
 remote-control:
 # Enable remote control with unbound-control(8) here.
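Review bot: The new `dynlib:` section in the `@@ -941,6 +969,17 @@` hunk reuses the python section's `# Script file to load` comment, but by the section's own description `dynlib-file` names a shared object (`dynlib.so`) that the dynlib module loads into the resolver, i.e. native code running with Unbound's privileges rather than a script. The comment should make that trust boundary explicit, e.g. `# Shared library to load into the Unbound process; only point this at a trusted, root-owned .so` in place of `# Script file to load`. The bare `dynlib:` heading is emitted uncommented just as `python:` is; presumably the config parser accepts an empty section either way, but that is not shown in this hunk.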
@@ -966,10 +1005,10 @@ remote-control:
 # For local sockets this option is ignored, and TLS is not used.
 control-use-cert: "no"
 
- # unbound server key file.
+ # Unbound server key file.
 server-key-file: "/etc/unbound/unbound_server.key"
 
- # unbound server certificate file.
+ # Unbound server certificate file.
 server-cert-file: "/etc/unbound/unbound_server.pem"
 
 # unbound-control key file.
@@ -1036,29 +1075,32 @@ include: /etc/unbound/conf.d/*.conf # notifies. auth-zone: name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes for-downstream: no for-upstream: yes - fallback-enabled: yes - master: 199.9.14.201 # b.root-servers.net - master: 192.33.4.12 # c.root-servers.net - master: 199.7.91.13 # d.root-servers.net - master: 192.5.5.241 # f.root-servers.net - master: 192.112.36.4 # g.root-servers.net - master: 193.0.14.129 # k.root-servers.net - master: 192.0.47.132 # xfr.cjr.dns.icann.org - master: 192.0.32.132 # xfr.lax.dns.icann.org - master: 2001:500:200::b # b.root-servers.net - master: 2001:500:2::c # c.root-servers.net - master: 2001:500:2d::d # d.root-servers.net - master: 2001:500:2f::f # f.root-servers.net - master: 2001:500:12::d0d # g.root-servers.net - master: 2001:7fd::1 # k.root-servers.net - master: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org - master: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + # auth-zone: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no # zonefile: "example.org.zone" # Views 
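Review bot: The root auth-zone is refreshed by plain zone transfer from the listed primaries with no TSIG, and the `zonemd-check` option the hunk introduces appears only as a commented example on the example.org zone; for the root zone I'd add `zonemd-check: yes` so the transferred copy is verified against the zone's ZONEMD record (RFC 8976) before it is used. Leaving `zonemd-reject-absence` at its default keeps a missing ZONEMD record a logged condition rather than a refused zone, which is the safer first step until the operator has confirmed the record is published. With `for-upstream: yes` the answers still pass through DNSSEC validation as far as I can tell from the option semantics, so this is defense in depth for the unsigned parts of the zone (glue, delegation NS sets) and against serving a truncated or corrupted copy, not a replacement for validation.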
@@ -1083,7 +1125,7 @@ auth-zone: # # DNSCrypt # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1123,7 +1165,7 @@ auth-zone: # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# Note: To enable ipset Unbound needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1146,7 +1188,7 @@ auth-zone: # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" @@ -1166,10 +1208,11 @@ auth-zone: # dnstap-log-forwarder-response-messages: no # Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME and Response IP -# Address trigger are the only supported triggers. Supported actions are: -# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from -# file, using zone transfer, or using HTTP. The respip module needs to be added +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added # to the module-config, e.g.: module-config: "respip validator iterator". # rpz: # name: "rpz.example.com" 
@@ -1181,4 +1224,6 @@ auth-zone: # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example" diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index e07bbea..079bbc3 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -20,13 +20,6 @@ %if 0%{?rhel} %global with_munin 0 -%if 0%{?with_python2} && 0%{?rhel} <= 6 -# needed just for EPEL -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} -%endif - %if 0%{?rhel} <= 7 %global with_python3 0 %else @@ -36,8 +29,8 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound -Version: 1.13.1 -Release: 12%{?extra_version:.%{extra_version}}%{?dist} +Version: 1.16.2 +Release: 2%{?extra_version:.%{extra_version}}%{?dist} License: BSD Url: https://nlnetlabs.nl/projects/unbound/ Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz @@ -60,11 +53,6 @@ Source17: unbound-anchor.service Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc Source19: http://keys.gnupg.net/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key -# rhbz#1952814 upstream PR https://github.com/NLnetLabs/unbound/pull/415/files -Patch1: unbound-1.13.1-rh1952814.patch -Patch2: unbound-1.13.1-rh1991005.patch -Patch3: unbound-1.13.1-rh1977400.patch -Patch4: unbound-1.13.1-rh1977401.patch BuildRequires: gcc, make BuildRequires: flex, openssl-devel 
@@ -93,12 +81,14 @@ BuildRequires: systemd-rpm-macros %else BuildRequires: systemd %endif -# Required for SVN versions -# BuildRequires: bison -# BuildRequires: automake autoconf libtool +# Required for SVN versions or modified configure.ac +BuildRequires: bison +BuildRequires: automake autoconf libtool # Needed because /usr/sbin/unbound links unbound libs staticly Requires: %{name}-libs%{?_isa} = %{version}-%{release} +# unbound-keygen.service requires it, bug #2116790 +Requires: openssl %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -186,10 +176,10 @@ Python 3 modules and extensions for unbound pushd %{pkgname} # patches go here -%autopatch -p1 +%autopatch -p2 # only for snapshots -# autoreconf -iv +autoreconf -iv # copy common doc files - after here, since it may be patched cp -pr doc pythonmod libunbound ../ @@ -213,7 +203,7 @@ cp -a %{dir_primary} %{dir_secondary} --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ - --enable-linux-ip-local-port-range + --enable-linux-ip-local-port-range --disable-sha1 pushd %{dir_primary} 
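Review bot: `--disable-sha1` on the configure line in the third hunk is a validation-policy change rather than a build detail, and it carries no comment: with SHA-1 disabled, DNSSEC algorithms 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) and SHA-1 DS digests become unsupported, and zones that rely only on them should validate as insecure rather than bogus under the usual RFC 4035 unsupported-algorithm handling, which operators of such zones will notice. I'd add `# --disable-sha1: RSASHA1/RSASHA1-NSEC3-SHA1 (alg 5/7) and SHA-1 DS digests are unsupported; zones relying on them validate as insecure (#2070495)` above the configure block. The new `Requires: openssl` comment in the first hunk cites bug #2116790 while the 1.16.2-2 changelog entry cites #2116802; if these are the same report one number is wrong, and if they are Fedora/RHEL clones the comment could say so. The `%autopatch -p2` change in the second hunk is harmless now that no Patch lines remain, but the next patch added to the spec must be generated with that strip level in mind.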
@@ -315,13 +305,7 @@ rm %{buildroot}%{python2_sitearch}/*.la rm %{buildroot}%{python3_sitearch}/*.la %endif -# create softlink for all functions of libunbound man pages -for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; -do - echo ".so man3/libunbound.3" > %{buildroot}%{_mandir}/man3/$mpage ; -done - -mkdir -p %{buildroot}%{_localstatedir}/run/unbound +mkdir -p %{buildroot}%{_rundir}/unbound # Install directories for easier config file drop in @@ -345,7 +329,6 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \ %systemd_post unbound-keygen.service %post libs -%{?ldconfig} %systemd_post unbound-anchor.timer # start the timer only if installing the package to prevent starting it, if it was stopped on purpose if [ "$1" -eq 1 ]; then @@ -365,7 +348,6 @@ fi %systemd_postun unbound-keygen.service %postun libs -%{?ldconfig} %systemd_postun_with_restart unbound-anchor.timer %check @@ -392,7 +374,7 @@ popd %doc doc/CREDITS doc/FEATURES %{_unitdir}/%{name}.service %{_unitdir}/%{name}-keygen.service -%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name} +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} 
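Review bot: Dropping `%{?ldconfig}` from `%post libs` and `%postun libs` in the second and third hunks is right where rpm's ldconfig file triggers exist (Fedora 28+ and RHEL 8+), but this spec still branches on `0%{?rhel} <= 7`, and on those targets the macro presumably expanded to /sbin/ldconfig, so libunbound.so.* would not be registered after install there. Either retire the RHEL 7 branches in the same change or keep the calls. For the `%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}` line in the last hunk, a short comment would explain why the directory is packaged alongside the tmpfiles entry, e.g. `# also created at boot by tmpfiles.d; packaged so a first start without reboot and rpm -V have it`, if that is indeed what the tmpfiles conf does.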
@@ -454,7 +436,9 @@ popd %{_sbindir}/unbound-anchor %{_libdir}/libunbound.so.* %{_mandir}/man8/unbound-anchor* -%{_sysconfdir}/%{name}/icannbundle.pem +# icannbundle and root.key(s) should be replaced from package +# intentionally not using noreplace +%config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} @@ -463,6 +447,38 @@ popd %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %changelog +* Tue Aug 09 2022 Petr Menšík - 1.16.2-2 +- Require openssl tool for unbound-keygen (#2116802) + +* Wed Aug 03 2022 Petr Menšík - 1.16.2-1 +- Update to 1.16.2 (#2087120) + +* Fri Jul 08 2022 Petr Menšík - 1.16.0-3 +- Disable ED25519 and ED448 in FIPS mode (#2079548) + +* Tue Jun 07 2022 Petr Menšík - 1.16.0-2 +- Restart keygen service before every unbound start (#2094336) + +* Sat Jun 04 2022 Petr Menšík - 1.16.0-1 +- Update to 1.16.0 (#2087120) + +* Mon May 02 2022 Petr Menšík - 1.15.0-1 +- Update to 1.15.0 (#2030608) +- Update icannbundle.pem + +* Mon May 02 2022 Paul Wouters - 1.13.2-1 +- Resolves: rhbz#1992985 unbound-1.13.2 is available +- Use system-wide crypto policies + +* Mon May 02 2022 Petr Menšík - 1.13.1-15 +- Export unbound-devel to CRB repository (#2056116) + +* Tue Apr 26 2022 Petr Menšík - 1.13.1-14 +- Stop creating wrong devel manual pages (#2071943) + +* Thu Mar 31 2022 Petr Menšík - 1.13.1-13 +- Disable SHA-1 support (#2070495) + * Fri Feb 11 2022 Artem Egorenkov - 1.13.1-12 - Fixed error in the patch - Resolves: rhbz#1977401