diff --git a/SOURCES/root.anchor b/SOURCES/root.anchor index 18367f8..1d2f75d 100644 --- a/SOURCES/root.anchor +++ b/SOURCES/root.anchor @@ -1 +1,2 @@ . 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} +. 98799 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} diff --git a/SOURCES/root.key b/SOURCES/root.key index e340ed0..d8aca0c 100644 --- a/SOURCES/root.key +++ b/SOURCES/root.key @@ -2,5 +2,6 @@ ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this trusted-keys { "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036 +"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326 }; diff --git a/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch b/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch new file mode 100644 index 0000000..6ec4725 --- /dev/null +++ b/SOURCES/unbound-1.4.20-cache-max-negative-ttl.patch @@ -0,0 +1,312 @@ +From e1132a3a41d2ff5a9479bbb629d73db4856a5f34 Mon Sep 17 00:00:00 2001 +From: Tomas Hozza +Date: Tue, 11 Oct 2016 15:38:58 +0200 +Subject: [PATCH] Add cache-max-negative-ttl option + +https://github.com/thozza/unbound/commit/0ef133ea5819fbf7518de9c8492c5e05c95ac8ce + +git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@3431 be551aaa-1e26-0410-a405-d3ace91eadb9 +Signed-off-by: Tomas Hozza +--- + doc/example.conf.in | 3 +++ + doc/unbound-control.8.in | 2 +- + doc/unbound.conf.5.in | 4 ++++ + testcode/unitmsgparse.c | 3 +++ + testdata/iter_domain_sale.rpl | 3 ++- + testdata/iter_domain_sale_nschange.rpl | 6 ++++-- + util/config_file.c | 5 +++++ + util/config_file.h | 2 ++ + util/configlexer.lex | 1 + + util/configparser.y | 12 +++++++++++- + util/data/msgparse.h | 2 ++ + util/data/msgreply.c | 29 ++++++++++++++++++++++++++--- + 12 files changed, 64 insertions(+), 8 deletions(-) + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index aa9a7f7..52cad67 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -125,6 +125,9 @@ server: + # cache. Items are not cached for longer. In seconds. + # cache-max-ttl: 86400 + ++ # the time to live (TTL) value cap for negative responses in the cache ++ # cache-max-negative-ttl: 3600 ++ + # the time to live (TTL) value for cached roundtrip times, lameness and + # EDNS version information for hosts. In seconds. + # infra-host-ttl: 900 +diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in +index 669e81d..f2c76eb 100644 +--- a/doc/unbound-control.8.in ++++ b/doc/unbound-control.8.in +@@ -170,7 +170,7 @@ harden\-glue, harden\-dnssec\-stripped, harden\-below\-nxdomain, + harden\-referral\-path, prefetch, prefetch\-key, log\-queries, + hide\-identity, hide\-version, identity, version, val\-log\-level, + val\-log\-squelch, ignore\-cd\-flag, add\-holddown, del\-holddown, +-keep\-missing, tcp\-upstream, ssl\-upstream. ++keep\-missing, tcp\-upstream, ssl\-upstream, cache\-max\-negative\-ttl. + .TP + .B get_option \fIopt + Get the value of the option. Give the option name without a trailing ':'. +diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in +index 6dd0216..7485345 100644 +--- a/doc/unbound.conf.5.in ++++ b/doc/unbound.conf.5.in +@@ -267,6 +267,10 @@ Zero makes sure the data in the cache is as the domain owner intended, + higher values, especially more than an hour or so, can lead to trouble as + the data in the cache does not match up with the actual data any more. + .TP ++.B cache\-max\-negative\-ttl: \fI ++Time to live maximum for negative responses, these have a SOA in the ++authority section that is limited in time. Default is 3600. ++.TP + .B infra\-host\-ttl: \fI + Time to live for entries in the host cache. The host cache contains + roundtrip timing, lameness and EDNS support information. Default is 900. +diff --git a/testcode/unitmsgparse.c b/testcode/unitmsgparse.c +index 4342395..08f3b50 100644 +--- a/testcode/unitmsgparse.c ++++ b/testcode/unitmsgparse.c +@@ -582,9 +582,11 @@ testfromdrillfile(ldns_buffer* pkt, struct alloc_cache* alloc, + + void msgparse_test(void) + { ++ uint32_t origttl = MAX_NEG_TTL; + ldns_buffer* pkt = ldns_buffer_new(65553); + ldns_buffer* out = ldns_buffer_new(65553); + struct alloc_cache super_a, alloc; ++ MAX_NEG_TTL = 86400; + /* init */ + alloc_init(&super_a, NULL, 0); + alloc_init(&alloc, &super_a, 2); +@@ -621,4 +623,5 @@ void msgparse_test(void) + alloc_clear(&super_a); + ldns_buffer_free(pkt); + ldns_buffer_free(out); ++ MAX_NEG_TTL = origttl; + } +diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl +index 724b51d..ff61278 100644 +--- a/testdata/iter_domain_sale.rpl ++++ b/testdata/iter_domain_sale.rpl +@@ -238,7 +238,8 @@ SECTION QUESTION + nx1.example.com. IN A + SECTION ANSWER + SECTION AUTHORITY +-example.com. 3600 IN SOA a. b. 1 2 3 4 5 ++; at TTL 5 because TTL is capped at min-ttl of 5 in rdata of SOA ++example.com. 5 IN SOA a. b. 1 2 3 4 5 + example.com. 1800 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 1800 IN A 1.2.3.4 +diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl +index a7d9f11..bc396f6 100644 +--- a/testdata/iter_domain_sale_nschange.rpl ++++ b/testdata/iter_domain_sale_nschange.rpl +@@ -285,7 +285,8 @@ SECTION QUESTION + nx1.example.com. IN A + SECTION ANSWER + SECTION AUTHORITY +-example.com. 3600 IN SOA a. b. 1 2 3 4 5 ++; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. ++example.com. 5 IN SOA a. b. 1 2 3 4 5 + example.com. 3600 IN NS nsb.example.com. + SECTION ADDITIONAL + nsb.example.com. 3600 IN A 1.2.3.4 +@@ -306,7 +307,8 @@ SECTION QUESTION + nx1.example.com. IN A + SECTION ANSWER + SECTION AUTHORITY +-example.com. 3600 IN SOA a. b. 1 2 3 4 5 ++; at TTL 5 because TTL capped at ttl of minttl in rdata of SOA. ++example.com. 5 IN SOA a. b. 1 2 3 4 5 + example.com. 1800 IN NS nsb.example.com. + SECTION ADDITIONAL + nsb.example.com. 3600 IN A 1.2.3.4 +diff --git a/util/config_file.c b/util/config_file.c +index b946f0d..4e0fbe7 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -128,6 +128,7 @@ config_create(void) + cfg->bogus_ttl = 60; + cfg->min_ttl = 0; + cfg->max_ttl = 3600 * 24; ++ cfg->max_negative_ttl = 3600; + cfg->prefetch = 0; + cfg->prefetch_key = 0; + cfg->infra_cache_slabs = 4; +@@ -359,6 +360,8 @@ int config_set_option(struct config_file* cfg, const char* opt, + else S_YNO("prefetch:", prefetch) + else S_YNO("prefetch-key:", prefetch_key) + else S_NUMBER_OR_ZERO("cache-max-ttl:", max_ttl) ++ else if(strcmp(opt, "cache-max-negative-ttl:") == 0) ++ { IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=cfg->max_negative_ttl;} + else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl) + else S_POW2("infra-cache-slabs:", infra_cache_slabs) + else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts) +@@ -593,6 +596,7 @@ config_get_option(struct config_file* cfg, const char* opt, + else O_YNO(opt, "prefetch-key", prefetch_key) + else O_YNO(opt, "prefetch", prefetch) + else O_DEC(opt, "cache-max-ttl", max_ttl) ++ else O_DEC(opt, "cache-max-negative-ttl", max_negative_ttl) + else O_DEC(opt, "infra-host-ttl", host_ttl) + else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs) + else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts) +@@ -1149,6 +1153,7 @@ config_apply(struct config_file* config) + { + MAX_TTL = (uint32_t)config->max_ttl; + MIN_TTL = (uint32_t)config->min_ttl; ++ MAX_NEG_TTL = (uint32_t)config->max_negative_ttl; + EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size; + MINIMAL_RESPONSES = config->minimal_responses; + RRSET_ROUNDROBIN = config->rrset_roundrobin; +diff --git a/util/config_file.h b/util/config_file.h +index 69595cb..4d493b8 100644 +--- a/util/config_file.h ++++ b/util/config_file.h +@@ -179,6 +179,8 @@ struct config_file { + int max_ttl; + /** the number of seconds minimum TTL used for RRsets and messages */ + int min_ttl; ++ /** the number of seconds maximal negative TTL for SOA in auth */ ++ int max_negative_ttl; + /** if prefetching of messages should be performed. */ + int prefetch; + /** if prefetching of DNSKEYs should be performed. */ +diff --git a/util/configlexer.lex b/util/configlexer.lex +index 4694cdd..079f195 100644 +--- a/util/configlexer.lex ++++ b/util/configlexer.lex +@@ -208,6 +208,7 @@ msg-cache-slabs{COLON} { YDVAR(1, VAR_MSG_CACHE_SLABS) } + rrset-cache-size{COLON} { YDVAR(1, VAR_RRSET_CACHE_SIZE) } + rrset-cache-slabs{COLON} { YDVAR(1, VAR_RRSET_CACHE_SLABS) } + cache-max-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_TTL) } ++cache-max-negative-ttl{COLON} { YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } + cache-min-ttl{COLON} { YDVAR(1, VAR_CACHE_MIN_TTL) } + infra-host-ttl{COLON} { YDVAR(1, VAR_INFRA_HOST_TTL) } + infra-lame-ttl{COLON} { YDVAR(1, VAR_INFRA_LAME_TTL) } +diff --git a/util/configparser.y b/util/configparser.y +index 0dbee2b..7d7147d 100644 +--- a/util/configparser.y ++++ b/util/configparser.y +@@ -105,6 +105,7 @@ extern struct config_parser_state* cfg_parser; + %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM + %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST + %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN ++%token VAR_CACHE_MAX_NEGATIVE_TTL + + %% + toplevelvars: /* empty */ | toplevelvars toplevelvar ; +@@ -161,7 +162,7 @@ content_server: server_num_threads | server_verbosity | server_port | + server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag | + server_log_queries | server_tcp_upstream | server_ssl_upstream | + server_ssl_service_key | server_ssl_service_pem | server_ssl_port | +- server_minimal_responses | server_rrset_roundrobin ++ server_minimal_responses | server_rrset_roundrobin | server_cache_max_negative_ttl + ; + stubstart: VAR_STUB_ZONE + { +@@ -934,6 +935,15 @@ server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG + free($2); + } + ; ++server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG ++ { ++ OUTYY(("P(server_cache_max_negative_ttl:%s)\n", $2)); ++ if(atoi($2) == 0 && strcmp($2, "0") != 0) ++ yyerror("number expected"); ++ else cfg_parser->cfg->max_negative_ttl = atoi($2); ++ free($2); ++ } ++ ; + server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG + { + OUTYY(("P(server_cache_min_ttl:%s)\n", $2)); +diff --git a/util/data/msgparse.h b/util/data/msgparse.h +index 830d68e..825d368 100644 +--- a/util/data/msgparse.h ++++ b/util/data/msgparse.h +@@ -74,6 +74,8 @@ struct regional; + extern uint32_t MAX_TTL; + /** Minimum TTL that is allowed. */ + extern uint32_t MIN_TTL; ++/** Maximum Negative TTL that is allowed */ ++extern uint32_t MAX_NEG_TTL; + /** Negative cache time (for entries without any RRs.) */ + #define NORR_TTL 5 /* seconds */ + +diff --git a/util/data/msgreply.c b/util/data/msgreply.c +index 6d711ff..dce724d 100644 +--- a/util/data/msgreply.c ++++ b/util/data/msgreply.c +@@ -56,6 +56,8 @@ + uint32_t MAX_TTL = 3600 * 24 * 10; /* ten days */ + /** MIN TTL default for messages and rrsets */ + uint32_t MIN_TTL = 0; ++/** MAX Negative TTL, for SOA records in authority section */ ++uint32_t MAX_NEG_TTL = 3600; /* one hour */ + + /** allocate qinfo, return 0 on error */ + static int +@@ -151,10 +153,23 @@ repinfo_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, + return 1; + } + ++/** find the minimumttl in the rdata of SOA record */ ++static uint32_t ++soa_find_minttl(struct rr_parse* rr) ++{ ++ uint16_t rlen = ldns_read_uint16(rr->ttl_data+4); ++ if(rlen < 20) ++ return 0; /* rdata too small for SOA (dname, dname, 5*32bit) */ ++ /* minimum TTL is the last 32bit value in the rdata of the record */ ++ /* at position ttl_data + 4(ttl) + 2(rdatalen) + rdatalen - 4(timeval)*/ ++ return ldns_read_uint32(rr->ttl_data+6+rlen-4); ++} ++ + /** do the rdata copy */ + static int + rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, +- struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type) ++ struct rr_parse* rr, uint32_t* rr_ttl, uint16_t type, ++ ldns_pkt_section section) + { + uint16_t pkt_len; + const ldns_rr_descriptor* desc; +@@ -163,6 +178,14 @@ rdata_copy(ldns_buffer* pkt, struct packed_rrset_data* data, uint8_t* to, + /* RFC 2181 Section 8. if msb of ttl is set treat as if zero. */ + if(*rr_ttl & 0x80000000U) + *rr_ttl = 0; ++ if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) { ++ /* negative response. see if TTL of SOA record larger than the ++ * minimum-ttl in the rdata of the SOA record */ ++ if(*rr_ttl > soa_find_minttl(rr)) ++ *rr_ttl = soa_find_minttl(rr); ++ if(*rr_ttl > MAX_NEG_TTL) ++ *rr_ttl = MAX_NEG_TTL; ++ } + if(*rr_ttl < MIN_TTL) + *rr_ttl = MIN_TTL; + if(*rr_ttl < data->ttl) +@@ -252,7 +275,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset, + data->rr_data[i] = nextrdata; + nextrdata += rr->size; + if(!rdata_copy(pkt, data, data->rr_data[i], rr, +- &data->rr_ttl[i], pset->type)) ++ &data->rr_ttl[i], pset->type, pset->section)) + return 0; + rr = rr->next; + } +@@ -263,7 +286,7 @@ parse_rr_copy(ldns_buffer* pkt, struct rrset_parse* pset, + data->rr_data[i] = nextrdata; + nextrdata += rr->size; + if(!rdata_copy(pkt, data, data->rr_data[i], rr, +- &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG)) ++ &data->rr_ttl[i], LDNS_RR_TYPE_RRSIG, pset->section)) + return 0; + rr = rr->next; + } +-- +2.7.4 + diff --git a/SOURCES/unbound-1.4.20-longcheck-fixup.patch b/SOURCES/unbound-1.4.20-longcheck-fixup.patch new file mode 100644 index 0000000..1ba0808 --- /dev/null +++ b/SOURCES/unbound-1.4.20-longcheck-fixup.patch @@ -0,0 +1,74 @@ +diff --git a/testcode/do-tests.sh b/testcode/do-tests.sh +index 84d2ef5..b44dd77 100755 +--- a/testcode/do-tests.sh ++++ b/testcode/do-tests.sh +@@ -1,6 +1,10 @@ + #!/usr/bin/env bash + . testdata/common.sh + ++# make sure that the binaries used during tests can find the libraries compiled with them ++LD_LIBRARY_PATH_BAK="$LD_LIBRARY_PATH" ++export LD_LIBRARY_PATH="$(pwd)/.libs" ++ + NEED_SPLINT='00-lint.tpkg' + NEED_DOXYGEN='01-doc.tpkg' + NEED_XXD='fwd_compress_c00c.tpkg fwd_zero.tpkg' +@@ -10,6 +14,23 @@ NEED_WHOAMI='07-confroot.tpkg' + NEED_IPV6='fwd_ancil.tpkg fwd_tcp_tc6.tpkg stub_udp6.tpkg edns_cache.tpkg' + NEED_NOMINGW='tcp_sigpipe.tpkg 07-confroot.tpkg 08-host-lib.tpkg fwd_ancil.tpkg' + ++# 01-doc - checks for errors and warnings and there are warnings due to obsolted keywords ++# in the doxygen documentation. Not a big deal, therefore skipping this. ++# ++# 06-ianaports - This checks if the bundled copy is up to date, which is obviously not ++# as the version we are shipping is old version ++# ++# root_anchor - This fails because the pem file has been updated and re are shipping an ++# old copy of it. ++# ++# root_hints - This fails because addresses of root servers changed and we are shipping ++# an old copy of it. This is not an issue as all servers usually do priming on startup ++# ++# fwd_compress_c00c - The test fails because the HEX output contains one more zero on each ++# line at the beginning of the address from which the data is dumped. Nevertheless the data ++# are correct and match. ++ALWAYS_SKIP='01-doc.tpkg 06-ianaports.tpkg root_anchor.tpkg root_hints.tpkg fwd_compress_c00c.tpkg' ++ + # test if dig and ldns-testns are available. + test_tool_avail "dig" + test_tool_avail "ldns-testns" +@@ -50,6 +71,11 @@ for test in `ls *.tpkg`; do + SKIP=1; + fi + fi ++ ++ if echo $ALWAYS_SKIP | grep $test >/dev/null; then ++ SKIP=1; ++ fi ++ + if test $SKIP -eq 0; then + echo $test + sh ../testcode/mini_tpkg.sh -a ../.. exe $test +@@ -57,5 +83,21 @@ for test in `ls *.tpkg`; do + echo "skip $test" + fi + done +-sh ../testcode/mini_tpkg.sh report ++sh ../testcode/mini_tpkg.sh report > .report.txt ++cat .report.txt ++ ++# Make sure the test suite fails when some test failed ++if cat .report.txt | grep "FAILED" >/dev/null; then ++ echo "Some tests FAILED!!!" ++ RESULTS=1 ++else ++ echo "All tests PASSED" ++ RESULTS=0 ++fi ++rm -f .report.txt + cat .perfstats.txt ++ ++# restore LD_LIBRARY_PATH ++export LD_LIBRARY_PATH=$LD_LIBRARY_PATH_BAK ++ ++exit $RESULTS diff --git a/SOURCES/unbound-1.4.20-trust-anchor.patch b/SOURCES/unbound-1.4.20-trust-anchor.patch new file mode 100644 index 0000000..0d019d9 --- /dev/null +++ b/SOURCES/unbound-1.4.20-trust-anchor.patch @@ -0,0 +1,16 @@ +diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c +index ef0031c..c622f24 100644 +--- a/smallapp/unbound-anchor.c ++++ b/smallapp/unbound-anchor.c +@@ -239,7 +239,10 @@ static const char* + get_builtin_ds(void) + { + return +-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"; ++/* anchor 19036 is from 2010 */ ++/* anchor 20326 is from 2017 */ ++". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n" ++". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"; + } + + /** print hex data */ diff --git a/SOURCES/unbound.conf b/SOURCES/unbound.conf index 2590f6d..26cb47e 100644 --- a/SOURCES/unbound.conf +++ b/SOURCES/unbound.conf @@ -135,6 +135,9 @@ server: # cache. Items are not cached for longer. In seconds. # cache-max-ttl: 86400 + # the time to live (TTL) value cap for negative responses in the cache + # cache-max-negative-ttl: 3600 + # the time to live (TTL) value for cached roundtrip times, lameness # and EDNS version information for hosts. In seconds. # infra-host-ttl: 900 diff --git a/SPECS/unbound.spec b/SPECS/unbound.spec index 6389c5e..faf9ae4 100644 --- a/SPECS/unbound.spec +++ b/SPECS/unbound.spec @@ -11,7 +11,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver Name: unbound Version: 1.4.20 -Release: 28%{?dist} +Release: 34%{?dist} License: BSD Url: http://www.nlnetlabs.nl/unbound/ Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz @@ -38,9 +38,16 @@ Patch1: unbound-1.4.20-roundrobin.patch Patch2: unbound-1.4.20-streamtcp-manpage.patch Patch3: unbound-1.4.20-coverity_scan.patch Patch4: unbound-1.4.20-CVE-2014-8602.patch +Patch5: unbound-1.4.20-cache-max-negative-ttl.patch +Patch6: unbound-1.4.20-longcheck-fixup.patch +Patch7: unbound-1.4.20-trust-anchor.patch Group: System Environment/Daemons -BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.16-10 +BuildRequires: openssl-devel , ldns-devel >= 1.6.16-10 +# needed for the test suite +BuildRequires: bind-utils +# needed to regenerate configparser +BuildRequires: flex, byacc BuildRequires: libevent-devel expat-devel %if %{with_python} BuildRequires: python-devel swig @@ -93,6 +100,9 @@ Summary: Libraries used by the unbound server and client applications Group: Applications/System Requires(post): /sbin/ldconfig Requires(post): systemd +Requires(post): grep +Requires(post): sed +Requires(post): util-linux Requires(preun): systemd Requires(postun): /sbin/ldconfig Requires(postun): systemd @@ -125,6 +135,15 @@ Python modules and extensions for unbound %patch2 -p1 %patch3 -p1 %patch4 -p0 +%patch5 -p1 -b .cache-max-negative-ttl +%patch6 -p1 -b .longcheck-fixup +%patch7 -p1 -b .root-anchor + +# regrnerate config parser due to new options added +echo "#include \"config.h\"" > util/configlexer.c || echo "Failed to create configlexer" +echo "#include \"util/configyyrename.h\"" >> util/configlexer.c || echo "Failed to create configlexer" +flex -i -t util/configlexer.lex >> util/configlexer.c || echo "Failed to create configlexer" +yacc -y -d -o util/configparser.c util/configparser.y || echo "Failed to create configparser" %build %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \ @@ -252,6 +271,7 @@ echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control %{_unitdir}/unbound-anchor.timer %{_unitdir}/unbound-anchor.service %dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name} +# this file will be modified always after installation %attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key # just left for backwards compat with user changed unbound.conf files - format is different! @@ -271,6 +291,18 @@ exit 0 %post libs /sbin/ldconfig +# If update contains new keys not already in database, use package keys +if [ "$1" -eq 2 -a -f %{_sharedstatedir}/unbound/root.key.rpmnew ]; then + /sbin/runuser --command=" + cp -pf %{_sharedstatedir}/unbound/root.key %{_sharedstatedir}/unbound/root.key.rpmupdate && \ + sed -e 's/;.*//' -e '/^[[:space:]]*$/ d' %{_sharedstatedir}/unbound/root.key.rpmnew | while read KEY; + do + if ! grep -q \"\$KEY\" %{_sharedstatedir}/unbound/root.key.rpmupdate; then + echo \"\$KEY\" >> %{_sharedstatedir}/unbound/root.key.rpmupdate || exit 1; + fi; + done && \ + mv %{_sharedstatedir}/unbound/root.key.rpmupdate %{_sharedstatedir}/unbound/root.key" --shell /bin/sh unbound || : +fi %{_sbindir}/runuser --command="%{_sbindir}/unbound-anchor -a %{_sharedstatedir}/unbound/root.key -c %{_sysconfdir}/unbound/icannbundle.pem" --shell /bin/sh unbound ||: %systemd_post unbound-anchor.timer # the Unit is in presets, but would be started afte reboot @@ -302,7 +334,31 @@ exit 0 /bin/systemctl try-restart unbound.service >/dev/null 2>&1 || : /bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || : + +%check +make check +make longcheck + %changelog +* Fri Jun 02 2017 Petr Menšík - 1.4.20-34 +- Make merge of updated database more safe + +* Wed May 24 2017 Petr Menšík - 1.4.20-33 +- Update also built-in digest in unbound-anchor + +* Wed May 24 2017 Petr Menšík - 1.4.20-32 +- Update trust anchors (#1452636) +- Update managed keys from trigger + +* Mon Mar 27 2017 Tomas Hozza - 1.4.20-31 +- Run internal test suite during build (#1383722) + +* Thu Feb 02 2017 Tomas Hozza - 1.4.20-30 +- Added cache-max-negative-ttl option to the default configuration file (#1382383) + +* Tue Oct 11 2016 Tomas Hozza - 1.4.20-29 +- Added cache-max-negative-ttl option (#1382383) + * Fri May 20 2016 Pavel Šimerda - 1.4.20-28 - Related: #1245250 - depend on the right ldns version