From 683e2b02c62f0fed84b4e764be672d82d910d1d79708af8b2cd27f079218b509 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Wed, 4 May 2022 09:41:24 +0000 Subject: [PATCH 1/2] Accepting request 943368 from home:gmbr3:Active - Change to systemd-sysusers OBS-URL: https://build.opensuse.org/request/show/943368 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=144 --- unbound.changes | 5 +++++ unbound.spec | 17 +++++++++-------- unbound.sysusers | 2 ++ 3 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 unbound.sysusers diff --git a/unbound.changes b/unbound.changes index 42fc1eb..f2c9b40 100644 --- a/unbound.changes +++ b/unbound.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer + +- Change to systemd-sysusers + ------------------------------------------------------------------- Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder diff --git a/unbound.spec b/unbound.spec index 359e5fe..e6efd4f 100644 --- a/unbound.spec +++ b/unbound.spec @@ -42,6 +42,7 @@ Release: 0 # BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flex +BuildRequires: sysuser-tools BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel BuildRequires: libexpat-devel @@ -93,6 +94,7 @@ Source14: unbound.sysconfig Source15: unbound-anchor.timer Source16: unbound-munin.README Source18: unbound-anchor.service +Source19: unbound.sysusers Summary: Validating, recursive, and caching DNS(SEC) resolver License: BSD-3-Clause @@ -155,7 +157,7 @@ This package holds the development files to work with libunbound. # Summary: Unbound Anchor cert management tools Group: Productivity/Networking/DNS/Servers -Requires(pre): shadow +%sysusers_requires %description anchor Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -197,6 +199,7 @@ popd %endif %build +%sysusers_generate_pre %{SOURCE19} anchor unbound.conf export CFLAGS="%{optflags}" export CXXFLAGS="%{optflags}" @@ -323,18 +326,15 @@ install -m 0640 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/ # Link unbound-control-setup.8 manpage to unbound-control.8 echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8 +# sysusers.d +install -Dm0644 %{SOURCE19} %{buildroot}%{_sysusersdir}/unbound.conf + %check # it currently fails in the ldns unit test. which is weird as both come from the same project make check ||: -%pre anchor -%if %{with systemd} +%pre anchor -f anchor.pre %service_add_pre unbound-anchor.service unbound-anchor.timer -%endif -getent group unbound >/dev/null || groupadd -r unbound -getent passwd unbound >/dev/null || \ - useradd -g unbound -s /bin/false -r -c "unbound caching DNS server" \ - -d /var/lib/unbound unbound %if %{with systemd} %pre @@ -463,6 +463,7 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %config %{_sysconfdir}/%{name}/icannbundle.pem %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service +%{_sysusersdir}/unbound.conf %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name} %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key %attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key diff --git a/unbound.sysusers b/unbound.sysusers new file mode 100644 index 0000000..ae1812f --- /dev/null +++ b/unbound.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u unbound - "unbound caching DNS server" /var/lib/unbound - From cdd3f40e20f1ff81eee1f43b47f35a9adca94c421ac932763e79c292f8063b6d Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Wed, 4 May 2022 13:05:55 +0000 Subject: [PATCH 2/2] Accepting request 974920 from home:dirkmueller:Factory - spec-cleaner - update to 1.15.0 - drop python2 packages - update to 1.15.0: This release has bug fixes for crashes that happened on heavy network usage. The default for the aggressive-nsec option has changed, it is now enabled. The ratelimit logic had to be reworked for the crash fixes. As a result, there are new options to control the behaviour of ratelimiting. The ratelimit-backoff and ip-ratelimit-backoff options can be used to control how severe the backoff is when the ratelimit is exceeded. The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for NXDOMAIN answers from RPZ. That is used by some clients to detect that the domain is externally blocked. The RPZ option for-downstream can be used like for auth zones, this allows the RPZ zone information to be queried. That can be useful for monitoring scripts. Features - Fix #596: unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to signal that a domain is externally blocked to clients when it is blocked with NXDOMAIN by unsetting RA. - Add rpz: for-downstream: yesno option, where the RPZ zone is authoritatively answered for, so the RPZ zone contents can be checked with DNS queries directed at the RPZ zone. - Merge PR #616: Update ratelimit logic. It also introduces ratelimit-backoff and ip-ratelimit-backoff configuration options. - Change aggressive-nsec default to yes. Bug Fixes - Fix compile warning for if_nametoindex on windows 64bit. OBS-URL: https://build.opensuse.org/request/show/974920 OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=145 --- libunbound-devel-mini.changes | 6 ++ libunbound-devel-mini.spec | 41 ++++++-------- unbound-1.14.0.tar.gz | 3 - unbound-1.15.0.tar.gz | 3 + unbound.changes | 100 ++++++++++++++++++++++++++++++++++ unbound.spec | 58 ++------------------ 6 files changed, 132 insertions(+), 79 deletions(-) delete mode 100644 unbound-1.14.0.tar.gz create mode 100644 unbound-1.15.0.tar.gz diff --git a/libunbound-devel-mini.changes b/libunbound-devel-mini.changes index ea8c036..ce68f91 100644 --- a/libunbound-devel-mini.changes +++ b/libunbound-devel-mini.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Apr 19 15:46:25 UTC 2022 - Dirk Müller + +- spec-cleaner +- update to 1.15.0 + ------------------------------------------------------------------- Thu Dec 9 11:14:33 UTC 2021 - Michael Ströder diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec index c780c86..33b420c 100644 --- a/libunbound-devel-mini.spec +++ b/libunbound-devel-mini.spec @@ -1,7 +1,7 @@ # # spec file for package libunbound-devel-mini # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,19 +16,28 @@ # +%define ldns_version 1.6.16 %bcond_without python %bcond_without munin %bcond_without hardened_build - -%define ldns_version 1.6.16 - # Name: libunbound-devel-mini -Version: 1.14.0 +Version: 1.15.0 Release: 0 +Summary: Just a devel package for build loops +License: BSD-3-Clause +Group: Productivity/Networking/DNS/Servers +# +URL: https://www.unbound.net/ +Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz +Source1: libunbound-devel-mini-rpmlintrc +Source5: root.key +Source6: dlv.isc.org.key +# From http://data.iana.org/root-anchors/icannbundle.pem +Source12: icannbundle.pem +Source13: root.anchor # # -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flex BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel @@ -39,19 +48,6 @@ Requires: this-is-only-for-build-envs Conflicts: libunbound8 Conflicts: unbound-devel Provides: libunbound-devel = %{version}-%{release} -# -URL: https://www.unbound.net/ -Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz -Source1: libunbound-devel-mini-rpmlintrc -Source5: root.key -Source6: dlv.isc.org.key -# From http://data.iana.org/root-anchors/icannbundle.pem -Source12: icannbundle.pem -Source13: root.anchor - -Summary: Just a devel package for build loops -License: BSD-3-Clause -Group: Productivity/Networking/DNS/Servers %description Unbound is a validating, recursive, and caching DNS(SEC) resolver. @@ -65,7 +61,7 @@ DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible. %prep -%setup -n unbound-%version +%setup -q -n unbound-%{version} %build export CFLAGS="%{optflags}" @@ -90,7 +86,7 @@ export CXXFLAGS="%{optflags}" --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \ --disable-explicit-port-randomisation -make %{?_smp_mflags} +%make_build %install %make_install @@ -98,13 +94,12 @@ rm -rf %{buildroot}%{_mandir} %{buildroot}%{_libdir}/*.la %check # it currently fails in the ldns unit test. which is weird as both come from the same project -make check ||: +%make_build check ||: %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -%defattr(-,root,root,-) %{_libdir}/libunbound.so.* %{_includedir}/unbound.h %{_includedir}/unbound-event.h diff --git a/unbound-1.14.0.tar.gz b/unbound-1.14.0.tar.gz deleted file mode 100644 index 3e438d1..0000000 --- a/unbound-1.14.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6ef91cbf02d5299eab39328c0857393de7b4885a2fe7233ddfe3c124ff5a89c8 -size 6152326 diff --git a/unbound-1.15.0.tar.gz b/unbound-1.15.0.tar.gz new file mode 100644 index 0000000..484a4bb --- /dev/null +++ b/unbound-1.15.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a480dc6c8937447b98d161fe911ffc76cfaffa2da18788781314e81339f1126f +size 6163470 diff --git a/unbound.changes b/unbound.changes index f2c9b40..ce68ff5 100644 --- a/unbound.changes +++ b/unbound.changes @@ -1,3 +1,103 @@ +------------------------------------------------------------------- +Tue Apr 19 15:41:37 UTC 2022 - Dirk Müller + +- drop python2 packages +- update to 1.15.0: + This release has bug fixes for crashes that happened on heavy network + usage. The default for the aggressive-nsec option has changed, it is now + enabled. + + The ratelimit logic had to be reworked for the crash fixes. As a result, + there are new options to control the behaviour of ratelimiting. + The ratelimit-backoff and ip-ratelimit-backoff options can be used to + control how severe the backoff is when the ratelimit is exceeded. + + The rpz-signal-nxdomain-ra option can be used to unset the RA flag, for + NXDOMAIN answers from RPZ. That is used by some clients to detect that + the domain is externally blocked. The RPZ option for-downstream can be + used like for auth zones, this allows the RPZ zone information to be queried. + That can be useful for monitoring scripts. + + Features + - Fix #596: unset the RA bit when a query is blocked by an unbound + RPZ nxdomain reply. The option rpz-signal-nxdomain-ra allows to + signal that a domain is externally blocked to clients when it + is blocked with NXDOMAIN by unsetting RA. + - Add rpz: for-downstream: yesno option, where the RPZ zone is + authoritatively answered for, so the RPZ zone contents can be + checked with DNS queries directed at the RPZ zone. + - Merge PR #616: Update ratelimit logic. It also introduces + ratelimit-backoff and ip-ratelimit-backoff configuration options. + - Change aggressive-nsec default to yes. + + Bug Fixes + - Fix compile warning for if_nametoindex on windows 64bit. + - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow + warnings in rpz. + - Fix validator debug output about DS support, print correct algorithm. + - Add code similar to fix for ldns for tab between strings, for + consistency, the test case was not broken. + - Allow local-data for classes other than IN to inherit a configured + local-zone's type if possible, instead of defaulting to type + transparent as per the implicit rule. + - Fix to pick up other class local zone information before unlock. + - Add missing configure flags for optional features in the + documentation. + - Fix Unbound capitalization in the documentation. + - Fix #591: Unbound-anchor manpage links to non-existent license file. + - contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. + - Fix to add test for rpz-signal-nxdomain-ra. + - Fix #596: only unset RA when NXDOMAIN is signalled. + - Fix that RPZ does not set RD flag on replies, it should be copied + from the query. + - Fix for #596: fix that rpz return message is returned and not just + the rcode from the iterator return path. This fixes signal unset RA + after a CNAME. + - Fix unit tests for rpz now that the AA flag returns successfully from + the iterator loop. + - Fix for #596: add unit test for nsdname trigger and signal unset RA. + - Fix for #596: add unit test for nsip trigger and signal unset RA. + - Fix #598: Fix unbound-checkconf fatal error: module conf + 'respip dns64 validator iterator' is not known to work. + - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. + - Merge #600 from pemensik: Change file mode before changing file + owner. + - Fix prematurely terminated TCP queries when a reply has the same ID. + - For #602: Allow the module-config "subnetcache validator cachedb + iterator". + - Fix EDNS to upstream where the same option could be attached + more than once. + - Add a region to serviced_query for allocations. + - For dnstap, do not wakeupnow right there. Instead zero the timer to + force the wakeup callback asap. + - Fix #610: Undefine-shift in sldns_str2wire_hip_buf. + - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in + serviced_udp_callback. + - Merge PR #612: TCP race condition. + - Test for NSID in SERVFAIL response due to DNSSEC bogus. + - Fix #599: [FR] RFC 9156 (obsoletes RFC 7816), by noting the new RFC + document. + - Fix tls-* and ssl-* documented alternate syntax to also be available + through remote-control and unbound-checkconf. + - Better cleanup on failed DoT/DoH listening socket creation. + - iana portlist update. + - Fix review comment for use-after-free when failing to send UDP out. + - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA + internals. + - Merge PR #532 from Shchelk: Fix: buffer overflow bug. + - Merge PR #617: Update stub/forward-host notation to accept port and + tls-auth-name. + - Update stream_ssl.tdir test to also use the new forward-host + notation. + - Fix header comment for doxygen for authextstrtoaddr. + - please clang analyzer for loop in test code. + - Fix docker splint test to use more portable uname. + - Update contrib/aaaa-filter-iterator.patch with diff for current + software version. + - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. + ------------------------------------------------------------------- Fri Dec 31 23:18:09 UTC 2021 - Callum Farmer diff --git a/unbound.spec b/unbound.spec index e6efd4f..45480c0 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,7 +1,7 @@ # # spec file for package unbound # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -21,43 +21,32 @@ %define _fillupdir /var/adm/fillup-templates %endif -%bcond_without python2 %bcond_without python3 %bcond_without munin %bcond_without hardened_build %bcond_without dnstap %bcond_without systemd -# %define _sharedstatedir /var/lib/ %define ldns_version 1.6.16 -# %define piddir /run Name: unbound -Version: 1.14.0 +Version: 1.15.0 Release: 0 -# -# -BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: flex -BuildRequires: sysuser-tools BuildRequires: ldns-devel >= %{ldns_version} BuildRequires: libevent-devel BuildRequires: libexpat-devel BuildRequires: libsodium-devel BuildRequires: openssl-devel +BuildRequires: sysuser-tools %if %{with dnstap} BuildRequires: libfstrm-devel BuildRequires: libprotobuf-c-devel >= 1.0.0 BuildRequires: protobuf-c >= 1.0.0 %endif -%if %{with python2} -BuildRequires: python-rpm-macros -BuildRequires: python2-devel -BuildRequires: swig -%endif %if %{with python3} BuildRequires: python-rpm-macros BuildRequires: python3-devel @@ -65,7 +54,6 @@ BuildRequires: swig %endif # needed for dns over https BuildRequires: pkgconfig(libnghttp2) - Requires: ldns >= %{ldns_version} # until we figured something else out for the unbound-anchor part in the systemd unit file Requires: sudo @@ -73,7 +61,6 @@ Requires: sudo BuildRequires: pkgconfig(libsystemd) %{?systemd_requires} %endif -# URL: https://www.unbound.net/ Source: https://www.unbound.net/downloads/unbound-%{version}.tar.gz Source1: unbound.service @@ -178,25 +165,8 @@ Unbound is a validating, recursive, and caching DNS(SEC) resolver. This package holds the Python modules and extensions for unbound. %endif -%if %{with python2} -%package -n python2-unbound -Summary: Python modules and extensions for unbound -Group: Applications/System -Requires: %{libname} = %{version} - -%description -n python2-unbound -Unbound is a validating, recursive, and caching DNS(SEC) resolver. - -This package holds the Python modules and extensions for unbound. -%endif - %prep %setup -%if %{with python2} -pushd .. -cp -pr %{name}-%{version} p2 -popd -%endif %build %sysusers_generate_pre %{SOURCE19} anchor unbound.conf @@ -260,12 +230,6 @@ popd make %{?_smp_mflags} all streamtcp %install -%if %{with python2} -pushd ../p2 -%make_install -popd -%endif - %make_install install -d -m 0750 %{buildroot}/var/lib/unbound @@ -382,8 +346,8 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %postun -n %{libname} -p /sbin/ldconfig %files -%defattr(-,root,root,-) -%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES +%license doc/LICENSE +%doc doc/README doc/CREDITS doc/FEATURES %attr(0755,unbound,unbound) %ghost %dir %{piddir}/%{name} %attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %dir %attr(-,root,unbound) %{_sysconfdir}/%{name}/keys.d @@ -420,23 +384,13 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %if %{with python3} %files -n python3-unbound -%defattr(-,root,root,-) %{python3_sitearch}/* %doc libunbound/python/examples/* %doc pythonmod/examples/* %endif -%if %{with python2} -%files -n python2-unbound -%defattr(-,root,root,-) -%{python2_sitearch}/* -%doc ../p2/libunbound/python/examples/* -%doc ../p2/pythonmod/examples/* -%endif - %if %{with munin} %files munin -%defattr(-,root,root,-) %dir %{_sysconfdir}/munin/ %dir %{_sysconfdir}/munin/plugin-conf.d/ %config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound @@ -447,7 +401,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %endif %files devel -%defattr(-,root,root,-) %{_includedir}/unbound.h %{_includedir}/unbound-event.h %{_libdir}/libunbound.so @@ -457,7 +410,6 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || : %{_mandir}/man3/ub_*.3* %files anchor -%defattr(-,root,root,-) %dir %{_sysconfdir}/%{name}/ %{_sbindir}/unbound-anchor %config %{_sysconfdir}/%{name}/icannbundle.pem