diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes
index ea8c036..ce68f91 100644
--- a/libunbound-devel-mini.changes
+++ b/libunbound-devel-mini.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller
+
+- spec-cleaner
+- update to 1.15.0
+
 -------------------------------------------------------------------
 Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index c780c86..33b420c 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libunbound-devel-mini
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,19 +16,28 @@
 #
+%define ldns_version 1.6.16
 %bcond_without python
 %bcond_without munin
 %bcond_without hardened_build
-
-%define ldns_version 1.6.16
-
 #
 Name: libunbound-devel-mini
-Version: 1.14.0
+Version: 1.15.0
 Release: 0
+Summary: Just a devel package for build loops
+License: BSD-3-Clause
+Group: Productivity/Networking/DNS/Servers
+#
+URL: https://www.unbound.net/
+Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
+Source1: libunbound-devel-mini-rpmlintrc
+Source5: root.key
+Source6: dlv.isc.org.key
+# From http://data.iana.org/root-anchors/icannbundle.pem
+Source12: icannbundle.pem
+Source13: root.anchor
 #
 #
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: flex
 BuildRequires: ldns-devel >= %{ldns_version}
 BuildRequires: libevent-devel
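Review bot: The `Source:` list that the `@@ -16,19 +16,28 @@` hunk of libunbound-devel-mini.spec puts on the new side has no detached signature and no keyring entry, so the 1.15.0 tarball is trusted only through the sha256 in the checked-in LFS pointer. If upstream publishes a signature next to the archive (not visible on this page, please confirm), list it and the signing keyring as additional sources, for example `Source<N>: https://www.unbound.net/downloads/unbound-%{version}.tar.gz.asc` and `Source<M>: unbound.keyring` with free source numbers, so the archive can be verified at build time. The `Source:` line of unbound.spec has the same gap. The comment `# From http://data.iana.org/root-anchors/icannbundle.pem` records a plain-HTTP origin for a trust-anchor bundle; a short note on how that file was verified would help the next update.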
@@ -39,19 +48,6 @@ Requires: this-is-only-for-build-envs
 Conflicts: libunbound8
 Conflicts: unbound-devel
 Provides: libunbound-devel = %{version}-%{release}
-#
-URL: https://www.unbound.net/
-Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
-Source1: libunbound-devel-mini-rpmlintrc
-Source5: root.key
-Source6: dlv.isc.org.key
-# From http://data.iana.org/root-anchors/icannbundle.pem
-Source12: icannbundle.pem
-Source13: root.anchor
-
-Summary: Just a devel package for build loops
-License: BSD-3-Clause
-Group: Productivity/Networking/DNS/Servers
 %description
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -65,7 +61,7 @@ DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.
 %prep
-%setup -n unbound-%version
+%setup -q -n unbound-%{version}
 %build
 export CFLAGS="%{optflags}"
@@ -90,7 +86,7 @@ export CXXFLAGS="%{optflags}"
 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \
 --disable-explicit-port-randomisation
-make %{?_smp_mflags}
+%make_build
 %install
 %make_install
@@ -98,13 +94,12 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la
 %check
 # it currently fails in the ldns unit test. which is weird as both come from the same project
-make check ||:
+%make_build check ||:
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
 %files
-%defattr(-,root,root,-)
 %{_libdir}/libunbound.so.*
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
diff --git a/unbound-1.14.0.tar.gz b/unbound-1.14.0.tar.gz
deleted file mode 100644
index 3e438d1..0000000
--- a/unbound-1.14.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6ef91cbf02d5299eab39328c0857393de7b4885a2fe7233ddfe3c124ff5a89c8
-size 6152326
diff --git a/unbound-1.15.0.tar.gz b/unbound-1.15.0.tar.gz
new file mode 100644
index 0000000..484a4bb
--- /dev/null
+++ b/unbound-1.15.0.tar.gz
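Review bot: `%make_build check ||:` in the `@@ -98,13 +94,12 @@` hunk still discards the test suite's exit status, so a regression in the 1.15.0 resolver code would never fail this build; switching from `make` to `%make_build` keeps that behaviour. The comment above it attributes the failure to the ldns unit test, so the tolerance could at least be marked as temporary, e.g. `# FIXME: drop '||:' once the ldns unit test passes, so test failures break the build`. unbound.spec carries the same `make check ||:` as a context line in its `@@ -323,18 +290,15 @@` hunk.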
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f
+size 6163470
diff --git a/unbound.changes b/unbound.changes
index 42fc1eb..ce68ff5 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,108 @@
+-------------------------------------------------------------------
+Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller
+
+- drop python2 packages
+- update to 1.15.0:
+ This release has bug fixes for crashes that happened on heavy network
+ usage. The default for the aggressive-nsec option has changed, it is now
+ enabled.
+
+ The ratelimit logic had to be reworked for the crash fixes. As a result,
+ there are new options to control the behaviour of ratelimiting.
+ The ratelimit-backoff and ip-ratelimit-backoff options can be used to
+ control how severe the backoff is when the ratelimit is exceeded.
+
+ The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for
+ NXDOMAIN answers from RPZ. That is used by some clients to detect that
+ the domain is externally blocked. The RPZ option for-downstream can be
+ used like for auth zones, this allows the RPZ zone information to be queried.
+ That can be useful for monitoring scripts.
+
+ Features
+ - Fix #596: unset the RA bit when a query is blocked by an unbound
+ RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to
+ signal that a domain is externally blocked to clients when it
+ is blocked with NXDOMAIN by unsetting RA.
+ - Add rpz: for-downstream: yesno option, where the RPZ zone is
+ authoritatively answered for, so the RPZ zone contents can be
+ checked with DNS queries directed at the RPZ zone.
+ - Merge PR #616: Update ratelimit logic. It also introduces
+ ratelimit-backoff and ip-ratelimit-backoff configuration options.
+ - Change aggressive-nsec default to yes.
+
+ Bug Fixes
+ - Fix compile warning for if_nametoindex on windows 64bit.
+ - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow
+ warnings in rpz.
+ - Fix validator debug output about DS support, print correct algorithm.
+ - Add code similar to fix for ldns for tab between strings, for
+ consistency, the test case was not broken.
+ - Allow local-data for classes other than IN to inherit a configured
+ local-zone's type if possible, instead of defaulting to type
+ transparent as per the implicit rule.
+ - Fix to pick up other class local zone information before unlock.
+ - Add missing configure flags for optional features in the
+ documentation.
+ - Fix Unbound capitalization in the documentation.
+ - Fix #591: Unbound-anchor manpage links to non-existent license file.
+ - contrib/aaaa-filter-iterator.patch file renewed diff content to
+ apply cleanly to the current coderepo for the current code version.
+ - Fix to add test for rpz-signal-nxdomain-ra.
+ - Fix #596: only unset RA when NXDOMAIN is signalled.
+ - Fix that RPZ does not set RD flag on replies, it should be copied
+ from the query.
+ - Fix for #596: fix that rpz return message is returned and not just
+ the rcode from the iterator return path. This fixes signal unset RA
+ after a CNAME.
+ - Fix unit tests for rpz now that the AA flag returns successfully from
+ the iterator loop.
+ - Fix for #596: add unit test for nsdname trigger and signal unset RA.
+ - Fix for #596: add unit test for nsip trigger and signal unset RA.
+ - Fix #598: Fix unbound-checkconf fatal error: module conf
+ 'respip dns64 validator iterator' is not known to work.
+ - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip
+ triggered operation.
+ - Merge #600 from pemensik: Change file mode before changing file
+ owner.
+ - Fix prematurely terminated TCP queries when a reply has the same ID.
+ - For #602: Allow the module-config "subnetcache validator cachedb
+ iterator".
+ - Fix EDNS to upstream where the same option could be attached
+ more than once.
+ - Add a region to serviced_query for allocations.
+ - For dnstap, do not wakeupnow right there. Instead zero the timer to
+ force the wakeup callback asap.
+ - Fix #610: Undefine-shift in sldns_str2wire_hip_buf.
+ - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in
+ serviced_udp_callback.
+ - Merge PR #612: TCP race condition.
+ - Test for NSID in SERVFAIL response due to DNSSEC bogus.
+ - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC
+ document.
+ - Fix tls-* and ssl-* documented alternate syntax to also be available
+ through remote-control and unbound-checkconf.
+ - Better cleanup on failed DoT/DoH listening socket creation.
+ - iana portlist update.
+ - Fix review comment for use-after-free when failing to send UDP out.
+ - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA
+ internals.
+ - Merge PR #532 from Shchelk: Fix: buffer overflow bug.
+ - Merge PR #617: Update stub/forward-host notation to accept port and
+ tls-auth-name.
+ - Update stream_ssl.tdir test to also use the new forward-host
+ notation.
+ - Fix header comment for doxygen for authextstrtoaddr.
+ - please clang analyzer for loop in test code.
+ - Fix docker splint test to use more portable uname.
+ - Update contrib/aaaa-filter-iterator.patch with diff for current
+ software version.
+ - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan.
+
+-------------------------------------------------------------------
+Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer
+
+- Change to systemd-sysusers
+
 -------------------------------------------------------------------
 Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder
diff --git a/unbound.spec b/unbound.spec
index 359e5fe..45480c0 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package unbound
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,42 +21,32 @@
 %define _fillupdir /var/adm/fillup-templates
 %endif
-%bcond_without python2
 %bcond_without python3
 %bcond_without munin
 %bcond_without hardened_build
 %bcond_without dnstap
 %bcond_without systemd
-#
 %define _sharedstatedir /var/lib/
 %define ldns_version 1.6.16
-#
 %define piddir /run
 Name: unbound
-Version: 1.14.0
+Version: 1.15.0
 Release: 0
-#
-#
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: flex
 BuildRequires: ldns-devel >= %{ldns_version}
 BuildRequires: libevent-devel
 BuildRequires: libexpat-devel
 BuildRequires: libsodium-devel
 BuildRequires: openssl-devel
+BuildRequires: sysuser-tools
 %if %{with dnstap}
 BuildRequires: libfstrm-devel
 BuildRequires: libprotobuf-c-devel >= 1.0.0
 BuildRequires: protobuf-c >= 1.0.0
 %endif
-%if %{with python2}
-BuildRequires: python-rpm-macros
-BuildRequires: python2-devel
-BuildRequires: swig
-%endif
 %if %{with python3}
 BuildRequires: python-rpm-macros
 BuildRequires: python3-devel
@@ -64,7 +54,6 @@ BuildRequires: swig
 %endif
 # needed for dns over https
 BuildRequires: pkgconfig(libnghttp2)
-
 Requires: ldns >= %{ldns_version}
 # until we figured something else out for the unbound-anchor part in the systemd unit file
 Requires: sudo
@@ -72,7 +61,6 @@ Requires: sudo
 BuildRequires: pkgconfig(libsystemd)
 %{?systemd_requires}
 %endif
-#
 URL: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz
 Source1: unbound.service
@@ -93,6 +81,7 @@ Source14: unbound.sysconfig
 Source15: unbound-anchor.timer
 Source16: unbound-munin.README
 Source18: unbound-anchor.service
+Source19: unbound.sysusers
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 License: BSD-3-Clause
@@ -155,7 +144,7 @@ This package holds the development files to work with libunbound.
 #
 Summary: Unbound Anchor cert management tools
 Group: Productivity/Networking/DNS/Servers
-Requires(pre): shadow
+%sysusers_requires
 %description anchor
 Unbound is a validating, recursive, and caching DNS(SEC) resolver.
@@ -176,27 +165,11 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver.
 This package holds the Python modules and extensions for unbound.
 %endif
-%if %{with python2}
-%package -n python2-unbound
-Summary: Python modules and extensions for unbound
-Group: Applications/System
-Requires: %{libname} = %{version}
-
-%description -n python2-unbound
-Unbound is a validating, recursive, and caching DNS(SEC) resolver.
-
-This package holds the Python modules and extensions for unbound.
-%endif
-
 %prep
 %setup
-%if %{with python2}
-pushd ..
-cp -pr %{name}-%{version} p2
-popd
-%endif
 %build
+%sysusers_generate_pre %{SOURCE19} anchor unbound.conf
 export CFLAGS="%{optflags}"
 export CXXFLAGS="%{optflags}"
@@ -257,12 +230,6 @@ popd
 make %{?_smp_mflags} all streamtcp
 %install
-%if %{with python2}
-pushd ../p2
-%make_install
-popd
-%endif
-
 %make_install
 install -d -m 0750 %{buildroot}/var/lib/unbound
@@ -323,18 +290,15 @@ install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
 # Link unbound-control-setup.8 manpage to unbound-control.8
 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
+# sysusers.d
+install -Dm0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/unbound.conf
+
 %check
 # it currently fails in the ldns unit test. which is weird as both come from the same project
 make check ||:
-%pre anchor
-%if %{with systemd}
+%pre anchor -f anchor.pre
 %service_add_pre unbound-anchor.service unbound-anchor.timer
-%endif
-getent group unbound >/dev/null || groupadd -r unbound
-getent passwd unbound >/dev/null || \
- useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \
- -d /var/lib/unbound unbound
 %if %{with systemd}
 %pre
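Review bot: `%service_add_pre unbound-anchor.service unbound-anchor.timer` in the `@@ -323,18 +290,15 @@` hunk is now unconditional, because the `%if %{with systemd}` / `%endif` pair around it was removed together with the getent/useradd lines, while the scriptlet that follows still opens with `%if %{with systemd}`. A build with the systemd bcond disabled would presumably reach a macro that is not set up for it; either keep the guard around that one line (`%if %{with systemd}` before it, `%endif` after it) or drop the `systemd` bcond throughout the spec. Separately, the account was previously created with `-s /bin/false` and unbound.sysusers now leaves the shell field as `-`; a spec comment such as `# shell field '-' in unbound.sysusers: sysusers default non-login shell` would record that the service account is meant to stay non-interactive. The `%pre` scriptlet after this hunk continues outside it.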
@@ -382,8 +346,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %postun -n %{libname} -p /sbin/ldconfig
 %files
-%defattr(-,root,root,-)
-%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
+%license doc/LICENSE
+%doc doc/README doc/CREDITS doc/FEATURES
 %attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name}
 %attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d
@@ -420,23 +384,13 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %if %{with python3}
 %files -n python3-unbound
-%defattr(-,root,root,-)
 %{python3_sitearch}/*
 %doc libunbound/python/examples/*
 %doc pythonmod/examples/*
 %endif
-%if %{with python2}
-%files -n python2-unbound
-%defattr(-,root,root,-)
-%{python2_sitearch}/*
-%doc ../p2/libunbound/python/examples/*
-%doc ../p2/pythonmod/examples/*
-%endif
-
 %if %{with munin}
 %files munin
-%defattr(-,root,root,-)
 %dir %{_sysconfdir}/munin/
 %dir %{_sysconfdir}/munin/plugin-conf.d/
 %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
@@ -447,7 +401,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %endif
 %files devel
-%defattr(-,root,root,-)
 %{_includedir}/unbound.h
 %{_includedir}/unbound-event.h
 %{_libdir}/libunbound.so
@@ -457,12 +410,12 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %{_mandir}/man3/ub_*.3*
 %files anchor
-%defattr(-,root,root,-)
 %dir %{_sysconfdir}/%{name}/
 %{_sbindir}/unbound-anchor
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %{_unitdir}/unbound-anchor.timer
 %{_unitdir}/unbound-anchor.service
+%{_sysusersdir}/unbound.conf
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
 %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
 %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
diff --git a/unbound.sysusers b/unbound.sysusers
new file mode 100644
index 0000000..ae1812f
--- /dev/null
+++ b/unbound.sysusers
@@ -0,0 +1,2 @@
+#Type Name ID GECOS Home directory Shell
+u unbound - "unbound caching DNS server" /var/lib/unbound -