[unbound/el6] * Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1 - Upgraded to 1.4.13 - Added root key

Paul Wouters pwouters at fedoraproject.org
Wed Sep 21 22:17:04 UTC 2011


commit afe9ba046604498857412d24f5a7974686353e47
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Sep 21 17:49:35 2011 -0400

    * Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
    - Upgraded to 1.4.13
    - Added root key for DNSSEC
    - Removed the pythonmod patch, which has been merged upstream
    - Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
    - Enabled python module
    - No longer enable --enable-debug as it causes degraded performance
      under load.
    - Updated stock unbound.conf for new options introduced
    - Added ghost for /var/run/unbound (bz#656710)

 .gitignore                    |    1 +
 sources                       |    1 +
 unbound-1.4.13-edns1480.patch |  109 +++++++++++++++++++++++++++++++++++++++++
 unbound.conf                  |    5 ++
 unbound.spec                  |   71 +++++++++++----------------
 5 files changed, 145 insertions(+), 42 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index dec5f53..a785b88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ unbound-1.3.4.tar.gz
 unbound-1.4.1.tar.gz
 unbound-1.4.3.tar.gz
 unbound-1.4.4.tar.gz
+/unbound-1.4.13.tar.gz
diff --git a/sources b/sources
index 591cc97..c8c0ac3 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 2dffdd42f94b8238447a41835439d129  unbound-1.4.3.tar.gz
 c7e6a35b92cbd2c93bc808228aa76725  unbound-1.4.4.tar.gz
+7e3b27dee2b97640dd2e1783253317ab  unbound-1.4.13.tar.gz
diff --git a/unbound-1.4.13-edns1480.patch b/unbound-1.4.13-edns1480.patch
new file mode 100644
index 0000000..038b3ca
--- /dev/null
+++ b/unbound-1.4.13-edns1480.patch
@@ -0,0 +1,109 @@
+Index: services/outside_network.c
+===================================================================
+--- services/outside_network.c	(revision 2491)
++++ services/outside_network.c	(revision 2493)
+@@ -1199,6 +1199,7 @@
+ 		if(sq->status == serviced_query_UDP_EDNS ||
+ 			sq->status == serviced_query_UDP ||
+ 			sq->status == serviced_query_PROBE_EDNS ||
++			sq->status == serviced_query_UDP_EDNS_FRAG ||
+ 			sq->status == serviced_query_UDP_EDNS_fallback) {
+ 			struct pending* p = (struct pending*)sq->pending;
+ 			if(p->pc)
+@@ -1280,7 +1281,19 @@
+ 		edns.edns_present = 1;
+ 		edns.ext_rcode = 0;
+ 		edns.edns_version = EDNS_ADVERTISED_VERSION;
+-		edns.udp_size = EDNS_ADVERTISED_SIZE;
++		if(sq->status == serviced_query_UDP_EDNS_FRAG) {
++			if(addr_is_ip6(&sq->addr, sq->addrlen)) {
++				if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE)
++					edns.udp_size = EDNS_FRAG_SIZE_IP6;
++				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
++			} else {
++				if(EDNS_FRAG_SIZE_IP4 < EDNS_ADVERTISED_SIZE)
++					edns.udp_size = EDNS_FRAG_SIZE_IP4;
++				else	edns.udp_size = EDNS_ADVERTISED_SIZE;
++			}
++		} else {
++			edns.udp_size = EDNS_ADVERTISED_SIZE;
++		}
+ 		edns.bits = 0;
+ 		if(sq->dnssec & EDNS_DO)
+ 			edns.bits = EDNS_DO;
+@@ -1324,7 +1337,8 @@
+ 			sq->status = serviced_query_UDP; 
+ 		}
+ 	}
+-	serviced_encode(sq, buff, sq->status == serviced_query_UDP_EDNS);
++	serviced_encode(sq, buff, (sq->status == serviced_query_UDP_EDNS) ||
++		(sq->status == serviced_query_UDP_EDNS_FRAG));
+ 	sq->last_sent_time = *sq->outnet->now_tv;
+ 	sq->edns_lame_known = (int)edns_lame_known;
+ 	verbose(VERB_ALGO, "serviced query UDP timeout=%d msec", rtt);
+@@ -1564,6 +1578,20 @@
+ 			 * by EDNS. */
+ 			sq->status = serviced_query_UDP_EDNS;
+ 		}
++		if(sq->status == serviced_query_UDP_EDNS) {
++			/* fallback to 1480/1280 */
++			sq->status = serviced_query_UDP_EDNS_FRAG;
++			log_name_addr(VERB_ALGO, "try edns1xx0", sq->qbuf+10,
++				&sq->addr, sq->addrlen);
++			if(!serviced_udp_send(sq, c->buffer)) {
++				serviced_callbacks(sq, NETEVENT_CLOSED, c, rep);
++			}
++			return 0;
++		}
++		if(sq->status == serviced_query_UDP_EDNS_FRAG) {
++			/* fragmentation size did not fix it */
++			sq->status = serviced_query_UDP_EDNS;
++		}
+ 		sq->retry++;
+ 		if(!(rto=infra_rtt_update(outnet->infra, &sq->addr, sq->addrlen,
+ 			-1, sq->last_rtt, (uint32_t)now.tv_sec)))
+@@ -1589,7 +1617,8 @@
+ 		return 0;
+ 	}
+ 	if(!fallback_tcp) {
+-	    if(sq->status == serviced_query_UDP_EDNS 
++	    if( (sq->status == serviced_query_UDP_EDNS 
++	        ||sq->status == serviced_query_UDP_EDNS_FRAG)
+ 		&& (LDNS_RCODE_WIRE(ldns_buffer_begin(c->buffer)) 
+ 			== LDNS_RCODE_FORMERR || LDNS_RCODE_WIRE(
+ 			ldns_buffer_begin(c->buffer)) == LDNS_RCODE_NOTIMPL)) {
+@@ -1866,6 +1895,7 @@
+ 	if(sq->status == serviced_query_UDP_EDNS ||
+ 		sq->status == serviced_query_UDP ||
+ 		sq->status == serviced_query_PROBE_EDNS ||
++		sq->status == serviced_query_UDP_EDNS_FRAG ||
+ 		sq->status == serviced_query_UDP_EDNS_fallback) {
+ 		s += sizeof(struct pending);
+ 		s += comm_timer_get_mem(NULL);
+Index: services/outside_network.h
+===================================================================
+--- services/outside_network.h	(revision 2491)
++++ services/outside_network.h	(revision 2493)
+@@ -274,6 +274,11 @@
+ 	void* cb_arg;
+ };
+ 
++/** fallback size for fragmentation for EDNS in IPv4 */
++#define EDNS_FRAG_SIZE_IP4 1480
++/** fallback size for EDNS in IPv6, fits one fragment with ip6-tunnel-ids */
++#define EDNS_FRAG_SIZE_IP6 1260
++
+ /**
+  * Query service record.
+  * Contains query and destination. UDP, TCP, EDNS are all tried.
+@@ -314,7 +319,9 @@
+ 		/** probe to test noEDNS0 (EDNS gives FORMERRorNOTIMP) */
+ 		serviced_query_UDP_EDNS_fallback,
+ 		/** probe to test TCP noEDNS0 (EDNS gives FORMERRorNOTIMP) */
+-		serviced_query_TCP_EDNS_fallback
++		serviced_query_TCP_EDNS_fallback,
++		/** send UDP query with EDNS1480 (or 1280) */
++		serviced_query_UDP_EDNS_FRAG
+ 	} 	
+ 		/** variable with current status */ 
+ 		status;
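Review bot: The IPv6 fallback size is documented inconsistently: `EDNS_FRAG_SIZE_IP6` is defined as 1260, but the enum comment reads `/** send UDP query with EDNS1480 (or 1280) */` and the timeout path says `/* fallback to 1480/1280 */`, so a reader will go looking for a 1280 path that does not exist. Suggest `/** send UDP query with EDNS1480 (IPv4) or EDNS1260 (IPv6) */` on the enum value and `/* fallback to 1480 (IPv4) / 1260 (IPv6) */` in the timeout handler. Separately, the FRAG re-send in the timeout handler returns before `sq->retry++` and `infra_rtt_update`, so that extra probe is neither counted against the retry budget nor fed into the RTT estimate; if that is intentional, a one-line comment saying so would help, because it appears each counted retry is now preceded by an uncounted probe to a server that never answers. The functions patched in outside_network.c start and end outside the hunk.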
diff --git a/unbound.conf b/unbound.conf
index 2f32c73..ae7e406 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -153,6 +153,10 @@ server:
 	# Enable TCP, "yes" or "no".
 	# do-tcp: yes
 
+	# upstream connections use TCP only (and no UDP), "yes" or "no"
+	# useful for tunneling scenarios, default no.
+	# tcp-upstream: no
+
 	# Detach from the terminal, run in background, "yes" or "no".
 	# do-daemonize: yes
 
@@ -336,6 +340,7 @@ server:
 	# but has a different file format. Format is BIND-9 style format, 
 	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
 	# trusted-keys-file: ""
+	trusted-keys-file: /etc/unbound/root.key
 
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
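Review bot: `trusted-keys-file: /etc/unbound/root.key` installs the root trust anchor as a static key, so when the root KSK is rolled every validated answer will fail with SERVFAIL until someone edits the file by hand; unbound's `auto-trust-anchor-file` option tracks RFC 5011 rollovers automatically and is the safer way to ship a root anchor. That option needs the key file in a location the unbound user can write, whereas the spec installs root.key 0644 root-owned in /etc/unbound, so the file would have to be copied to a writable state directory on first start. If this version supports it (I believe RFC 5011 support predates 1.4.13, but please confirm), suggest `auto-trust-anchor-file: "/var/lib/unbound/root.key"` here and leaving the static form as a commented example.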
diff --git a/unbound.spec b/unbound.spec
index ff55aa8..8dff759 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,5 +1,4 @@
-# not ready yet
-%{?!with_python:      %global with_python      0}
+%{?!with_python:      %global with_python      1}
 
 %if %{with_python}
 %{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -16,26 +15,14 @@ Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
 Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
-Source4: dlv.isc.org.key
+Source4: unbound_munin_
+Source5: root.key
+Source6: dlv.isc.org.key
 Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.4-c2baa7.patch
-Patch3: unbound-1.4.4-40d18f.patch
-Patch4: unbound-1.4.4-7f27d6.patch
-Patch5: unbound-1.4.4-74d75e.patch
-Patch6: unbound-1.4.4-374822.patch
-Patch7: unbound-1.4.4-00f12c.patch
-Patch8: unbound-1.4.4-41b631.patch
-Patch9: unbound-1.4.4-5f58ed.patch
-Patch10: unbound-1.4.4-d7ef7b.patch
-Patch11: unbound-1.4.4-778d4a.patch
-Patch12: unbound-1.4.4-5e989a.patch
-Patch13: unbound-1.4.4-a6f07b.patch
-Patch14: unbound-1.4.4-28093c.patch
-Patch15: unbound-CVE-2011-1922.patch
-
+Patch2: unbound-1.4.13-edns1480.patch
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0, 
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.10, 
 BuildRequires: libevent-devel expat-devel
 %if %{with_python}
 BuildRequires:  python-devel swig
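Review bot: `Source5: root.key` adds the DNSSEC root trust anchor to the package, but nothing in this commit records where that key came from or how it was verified, and every validation result the resolver produces depends on this one file. Suggest a comment above the line naming the origin and the check performed, e.g. `# Root KSK obtained from IANA's root-anchors publication; verified against the detached signature on <date>` (fill in the actual source and verification used). Dropping `Patch15: unbound-CVE-2011-1922.patch` is fine only if 1.4.13 already carries that fix, which I believe is the case but the changelog should state it rather than leave the reader to confirm.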
@@ -47,7 +34,7 @@ Requires(post): chkconfig
 Requires(preun): chkconfig
 Requires(preun): initscripts
 Requires(postun): initscripts
-Requires: ldns >= 1.5.0
+Requires: ldns >= 1.6.0
 Requires(pre): shadow-utils
 
 Obsoletes:      dnssec-conf < 1.27-2
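Review bot: The runtime requirement `Requires: ldns >= 1.6.0` is looser than the new build requirement `ldns-devel >= 1.6.10`, so the package can be installed on a host whose libldns lacks whatever made 1.6.10 necessary at build time. Unless the build minimum was raised for a header-only reason, the two should agree: `Requires: ldns >= 1.6.10`.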
@@ -103,31 +90,17 @@ Python modules and extensions for unbound
 %prep
 %setup -q 
 %patch1 -p1
-# svn/git patches
 %patch2 -p1
-%patch4 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch3 -p1
-%patch5 -p1
-%patch15 -p1
 
 %build
 %configure  --with-ldns= --with-libevent --with-pthreads --with-ssl \
-            --disable-rpath --enable-debug --disable-static \
+            --disable-rpath --disable-static \
             --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
             --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
 %if %{with_python}
             --with-pythonmodule --with-pyunbound \
 %endif
-            --enable-sha2
+            --enable-sha2 --disable-gost
 %{__make} %{?_smp_mflags}
 
 %install
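Review bot: `--disable-gost` is a behaviour change that the changelog does not mention: with GOST compiled out, zones signed only with that algorithm can no longer be validated and, if I read unbound's unsupported-algorithm handling correctly, are treated as insecure rather than bogus. Add a changelog line such as `- Disabled GOST (--disable-gost) because <reason>` so a later maintainer can tell whether this was an openssl/ldns availability issue or a policy choice. Removing `--enable-debug` is explained in the changelog and looks fine.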
@@ -140,18 +113,18 @@ install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
 install -d 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
 install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
 install -d 0755 %{buildroot}%{_datadir}/munin/plugins/
-install -m 0755 contrib/unbound_munin_ %{buildroot}%{_datadir}/munin/plugins/unbound
+install -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
 for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
     ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
 done 
 
-# install DLV key
-install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
+# install root and DLV key
+install -m 0644 %{SOURCE5} %{SOURCE6} %{buildroot}%{_sysconfdir}/unbound/
 
 # remove static library from install (fedora packaging guidelines)
 rm -rf %{buildroot}%{_libdir}/*.la
 %if %{with_python}
-rm -rf %{buildroot}%{python_sitelib}/*/*.la
+rm -rf %{buildroot}%{python_sitearch}/*/*.la
 %endif
 
 mkdir -p %{buildroot}%{_localstatedir}/run/unbound
@@ -164,15 +137,18 @@ rm -rf ${RPM_BUILD_ROOT}
 %doc doc/README doc/CREDITS doc/LICENSE doc/FEATURES
 %attr(0755,root,root) %{_initrddir}/%{name}
 %attr(0755,root,root) %dir %{_sysconfdir}/%{name}
-%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
+%ghost %attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %{_sbindir}/*
 %{_mandir}/*/*
 
 %if %{with_python}
 %files python
-%{python_sitelib}/*
+%{python_sitearch}/*
+%doc libunbound/python/examples/*
+%doc pythonmod/examples/*
 %endif
 
 %files munin
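Review bot: With `%ghost` on `%{_localstatedir}/run/%{name}` the directory is no longer created by package install, so something at runtime has to create it with the ownership the spec expects (unbound:unbound) before the daemon writes its pidfile; this commit does not touch unbound.init, so if the init script does not already do this, the first start after a reboot on a tmpfs /var/run (the bz#656710 case) will fail. Please confirm unbound.init handles it, or add `mkdir -p /var/run/unbound && chown unbound:unbound /var/run/unbound` to its start path. The `mkdir -p %{buildroot}%{_localstatedir}/run/unbound` in %install is now harmless but redundant for a ghosted directory.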
@@ -222,6 +198,17 @@ fi
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
+- Upgraded to 1.4.13
+- Added root key for DNSSEC
+- Removed merged in pythonmod patch
+- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
+- Enabled python module
+- No longer enable --enable-debug as it causes degraded performance
+  under load.
+- Updated stock unbound.conf for new options introduced
+- Added ghost for /var/run/unbound (bz#656710)
+
 * Wed May 25 2011 Paul Wouters <paul at xelerance.com> - 1.4.4-3
 - Applied patch for CVE-2011-1922 DoS vulnerability
 

