[unbound/el6] * Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1 - Upgraded to 1.4.13 - Added root key
Paul Wouters
pwouters at fedoraproject.org
Wed Sep 21 22:17:04 UTC 2011
commit afe9ba046604498857412d24f5a7974686353e47
Author: Paul Wouters <paul at xelerance.com>
Date: Wed Sep 21 17:49:35 2011 -0400
* Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
- Upgraded to 1.4.13
- Added root key for DNSSEC
- Removed merged in pythonmod patch
- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
- Enabled python module
- No longer enable --enable-debug as it causes degraded performance
under load.
- Updated stock unbound.conf for new options introduced
- Added ghost for /var/run/unbound (bz#656710)
.gitignore | 1 +
sources | 1 +
unbound-1.4.13-edns1480.patch | 109 +++++++++++++++++++++++++++++++++++++++++
unbound.conf | 5 ++
unbound.spec | 71 +++++++++++----------------
5 files changed, 145 insertions(+), 42 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index dec5f53..a785b88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ unbound-1.3.4.tar.gz
unbound-1.4.1.tar.gz
unbound-1.4.3.tar.gz
unbound-1.4.4.tar.gz
+/unbound-1.4.13.tar.gz
diff --git a/sources b/sources
index 591cc97..c8c0ac3 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
2dffdd42f94b8238447a41835439d129 unbound-1.4.3.tar.gz
c7e6a35b92cbd2c93bc808228aa76725 unbound-1.4.4.tar.gz
+7e3b27dee2b97640dd2e1783253317ab unbound-1.4.13.tar.gz
diff --git a/unbound-1.4.13-edns1480.patch b/unbound-1.4.13-edns1480.patch
new file mode 100644
index 0000000..038b3ca
--- /dev/null
+++ b/unbound-1.4.13-edns1480.patch
@@ -0,0 +1,109 @@
+Index: services/outside_network.c
+===================================================================
+--- services/outside_network.c (revision 2491)
++++ services/outside_network.c (revision 2493)
+@@ -1199,6 +1199,7 @@
+ if(sq->status == serviced_query_UDP_EDNS ||
+ sq->status == serviced_query_UDP ||
+ sq->status == serviced_query_PROBE_EDNS ||
++ sq->status == serviced_query_UDP_EDNS_FRAG ||
+ sq->status == serviced_query_UDP_EDNS_fallback) {
+ struct pending* p = (struct pending*)sq->pending;
+ if(p->pc)
+@@ -1280,7 +1281,19 @@
+ edns.edns_present = 1;
+ edns.ext_rcode = 0;
+ edns.edns_version = EDNS_ADVERTISED_VERSION;
+- edns.udp_size = EDNS_ADVERTISED_SIZE;
++ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
++ if(addr_is_ip6(&sq->addr, sq->addrlen)) {
++ if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
++ edns.udp_size = EDNS_FRAG_SIZE_IP6;
++ else edns.udp_size = EDNS_ADVERTISED_SIZE;
++ } else {
++ if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
++ edns.udp_size = EDNS_FRAG_SIZE_IP4;
++ else edns.udp_size = EDNS_ADVERTISED_SIZE;
++ }
++ } else {
++ edns.udp_size = EDNS_ADVERTISED_SIZE;
++ }
+ edns.bits = 0;
+ if(sq->dnssec & EDNS_DO)
+ edns.bits = EDNS_DO;
+@@ -1324,7 +1337,8 @@
+ sq->status = serviced_query_UDP;
+ }
+ }
+- serviced_encode(sq, buff, sq->status == serviced_query_UDP_EDNS);
++ serviced_encode(sq, buff, (sq->status == serviced_query_UDP_EDNS) ||
++ (sq->status == serviced_query_UDP_EDNS_FRAG));
+ sq->last_sent_time = *sq->outnet->now_tv;
+ sq->edns_lame_known = (int)edns_lame_known;
+ verbose(VERB_ALGO, "serviced query UDP timeout=%d msec", rtt);
+@@ -1564,6 +1578,20 @@
+ * by EDNS. */
+ sq->status = serviced_query_UDP_EDNS;
+ }
++ if(sq->status == serviced_query_UDP_EDNS) {
++ /* fallback to 1480/1280 */
++ sq->status = serviced_query_UDP_EDNS_FRAG;
++ log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
++ &sq->addr, sq->addrlen);
++ if(!serviced_udp_send(sq, c->buffer)) {
++ serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
++ }
++ return 0;
++ }
++ if(sq->status == serviced_query_UDP_EDNS_FRAG) {
++ /* fragmentation size did not fix it */
++ sq->status = serviced_query_UDP_EDNS;
++ }
+ sq->retry++;
+ if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
+ -1, sq->last_rtt, (uint32_t)now.tv_sec)))
+@@ -1589,7 +1617,8 @@
+ return 0;
+ }
+ if(!fallback_tcp) {
+- if(sq->status == serviced_query_UDP_EDNS
++ if( (sq->status == serviced_query_UDP_EDNS
++ ||sq->status == serviced_query_UDP_EDNS_FRAG)
+ && (LDNS_RCODE_WIRE(ldns_buffer_begin(c->buffer))
+ == LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
+ ldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL)) {
+@@ -1866,6 +1895,7 @@
+ if(sq->status == serviced_query_UDP_EDNS ||
+ sq->status == serviced_query_UDP ||
+ sq->status == serviced_query_PROBE_EDNS ||
++ sq->status == serviced_query_UDP_EDNS_FRAG ||
+ sq->status == serviced_query_UDP_EDNS_fallback) {
+ s += sizeof(struct pending);
+ s += comm_timer_get_mem(NULL);
+Index: services/outside_network.h
+===================================================================
+--- services/outside_network.h (revision 2491)
++++ services/outside_network.h (revision 2493)
+@@ -274,6 +274,11 @@
+ void* cb_arg;
+ };
+
++/** fallback size for fragmentation for EDNS in IPv4 */
++#define EDNS_FRAG_SIZE_IP4 1480
++/** fallback size for EDNS in IPv6, fits one fragment with ip6-tunnel-ids */
++#define EDNS_FRAG_SIZE_IP6 1260
++
+ /**
+ * Query service record.
+ * Contains query and destination. UDP, TCP, EDNS are all tried.
+@@ -314,7 +319,9 @@
+ /** probe to test noEDNS0 (EDNS gives FORMERRorNOTIMP) */
+ serviced_query_UDP_EDNS_fallback,
+ /** probe to test TCP noEDNS0 (EDNS gives FORMERRorNOTIMP) */
+- serviced_query_TCP_EDNS_fallback
++ serviced_query_TCP_EDNS_fallback,
++ /** send UDP query with EDNS1480 (or 1280) */
++ serviced_query_UDP_EDNS_FRAG
+ }
+ /** variable with current status */
+ status;
diff --git a/unbound.conf b/unbound.conf
index 2f32c73..ae7e406 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -153,6 +153,10 @@ server:
# Enable TCP, "yes" or "no".
# do-tcp: yes
+ # upstream connections use TCP only (and no UDP), "yes" or "no"
+ # useful for tunneling scenarios, default no.
+ # tcp-upstream: no
+
# Detach from the terminal, run in background, "yes" or "no".
# do-daemonize: yes
@@ -336,6 +340,7 @@ server:
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
+ trusted-keys-file: /etc/unbound/root.key
# Ignore chain of trust. Domain is treated as insecure.
# domain-insecure: "example.com"
diff --git a/unbound.spec b/unbound.spec
index ff55aa8..8dff759 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,5 +1,4 @@
-# not ready yet
-%{?!with_python: %global with_python 0}
+%{?!with_python: %global with_python 1}
%if %{with_python}
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -16,26 +15,14 @@ Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
-Source4: dlv.isc.org.key
+Source4: unbound_munin_
+Source5: root.key
+Source6: dlv.isc.org.key
Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.4-c2baa7.patch
-Patch3: unbound-1.4.4-40d18f.patch
-Patch4: unbound-1.4.4-7f27d6.patch
-Patch5: unbound-1.4.4-74d75e.patch
-Patch6: unbound-1.4.4-374822.patch
-Patch7: unbound-1.4.4-00f12c.patch
-Patch8: unbound-1.4.4-41b631.patch
-Patch9: unbound-1.4.4-5f58ed.patch
-Patch10: unbound-1.4.4-d7ef7b.patch
-Patch11: unbound-1.4.4-778d4a.patch
-Patch12: unbound-1.4.4-5e989a.patch
-Patch13: unbound-1.4.4-a6f07b.patch
-Patch14: unbound-1.4.4-28093c.patch
-Patch15: unbound-CVE-2011-1922.patch
-
+Patch2: unbound-1.4.13-edns1480.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.10,
BuildRequires: libevent-devel expat-devel
%if %{with_python}
BuildRequires: python-devel swig
@@ -47,7 +34,7 @@ Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
-Requires: ldns >= 1.5.0
+Requires: ldns >= 1.6.0
Requires(pre): shadow-utils
Obsoletes: dnssec-conf < 1.27-2
@@ -103,31 +90,17 @@ Python modules and extensions for unbound
%prep
%setup -q
%patch1 -p1
-# svn/git patches
%patch2 -p1
-%patch4 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch3 -p1
-%patch5 -p1
-%patch15 -p1
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
- --disable-rpath --enable-debug --disable-static \
+ --disable-rpath --disable-static \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
--with-pythonmodule --with-pyunbound \
%endif
- --enable-sha2
+ --enable-sha2 --disable-gost
%{__make} %{?_smp_mflags}
%install
@@ -140,18 +113,18 @@ install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -m 0755 contrib/unbound_munin_ %{buildroot}%{_datadir}/munin/plugins/unbound
+install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
-# install DLV key
-install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
+# install root and DLV key
+install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
# remove static library from install (fedora packaging guidelines)
rm -rf %{buildroot}%{_libdir}/*.la
%if %{with_python}
-rm -rf %{buildroot}%{python_sitelib}/*/*.la
+rm -rf %{buildroot}%{python_sitearch}/*/*.la
%endif
mkdir -p %{buildroot}%{_localstatedir}/run/unbound
@@ -164,15 +137,18 @@ rm -rf ${RPM_BUILD_ROOT}
%doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
%attr(0755,root,root) %{_initrddir}/%{name}
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_sbindir}/*
%{_mandir}/*/*
%if %{with_python}
%files python
-%{python_sitelib}/*
+%{python_sitearch}/*
+%doc libunbound/python/examples/*
+%doc pythonmod/examples/*
%endif
%files munin
@@ -222,6 +198,17 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
+- Upgraded to 1.4.13
+- Added root key for DNSSEC
+- Removed merged in pythonmod patch
+- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
+- Enabled python module
+- No longer enable --enable-debug as it causes degraded performance
+ under load.
+- Updated stock unbound.conf for new options introduced
+- Added ghost for /var/run/unbound (bz#656710)
+
* Wed May 25 2011 Paul Wouters <paul at xelerance.com> - 1.4.4-3
- Applied patch for CVE-2011-1922 DoS vulnerability
More information about the scm-commits
mailing list