rpms/unbound/EL-5 dlv.isc.org.key, NONE, 1.1 sources, 1.6, 1.7 unbound.conf, 1.3, 1.4 unbound.spec, 1.11, 1.12
Paul Wouters
pwouters at fedoraproject.org
Wed Apr 7 17:03:27 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/unbound/EL-5
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv16564
Modified Files:
sources unbound.conf unbound.spec
Added Files:
dlv.isc.org.key
Log Message:
* Wed Apr 07 2010 Paul Wouters <paul at xelerance.com> - 1.4.3-1
- Upgrade to 1.4.3
- Updated unbound.conf file
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
- Enabled logging of DNSSEC validation errors
- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
with pthreads
- Removed dependency for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %post
- Changed %define to %global
--- NEW FILE dlv.isc.org.key ---
; https://secure.isc.org/ops/dlv/dlv.isc.org.key
dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/sources,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- sources 9 Oct 2009 03:34:04 -0000 1.6
+++ sources 7 Apr 2010 17:03:26 -0000 1.7
@@ -1,3 +1 @@
-5437f2a1e698d8aa73ba19a60662a654 unbound-1.2.1.tar.gz
-783325c26ae1a47be0e496c94f3e1cca unbound-1.3.0.tar.gz
-d1eb5efed0c36c10dbaf3f805ff3a4bd unbound-1.3.4.tar.gz
+2dffdd42f94b8238447a41835439d129 unbound-1.4.3.tar.gz
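Review bot: the line `+2dffdd42f94b8238447a41835439d129 unbound-1.4.3.tar.gz` is the only integrity record this hunk keeps for the new tarball, and it is an MD5 sum, which is no longer collision-resistant; before importing, verify the tarball against an upstream-published signature or a stronger digest and say so in the commit log, so a later reviewer knows the sum was checked rather than just generated.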
Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/unbound.conf,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -p -r1.3 -r1.4
--- unbound.conf 21 Jan 2009 01:33:47 -0000 1.3
+++ unbound.conf 7 Apr 2010 17:03:26 -0000 1.4
@@ -10,15 +10,6 @@
server:
# whitespace is not necessary, but looks cleaner.
- # To enable DNSSEC trust anchors, install the dnssec-keys package and
- # uncomment the line below, or run dnssec-configure -h for more options
- # trusted-keys-file: "/etc/pki/dnssec/production.conf"
-
- # To enable DLV trust anchor with DLV, install the dnssec-keys package
- # and uncomment the line below, or run dnssec-configure -h for more
- # options
- # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv/dlv.isc.org.key"
-
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
@@ -87,7 +78,15 @@ server:
# number of incoming simultaneous tcp buffers to hold per thread.
# incoming-num-tcp: 10
-
+
+ # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+ # 0 is system default. Use 4m to catch query spikes for busy servers.
+ # so-rcvbuf: 0
+
+ # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+ # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+ # edns-buffer-size: 4096
+
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
@@ -115,7 +114,11 @@ server:
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# rrset-cache-slabs: 4
-
+
+ # the time to live (TTL) value lower bound, in seconds. Default 0.
+ # If more than an hour could easily give trouble due to stale data.
+ # cache-min-ttl: 0
+
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
@@ -208,6 +211,9 @@ server:
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
+ # print UTC timestamp in ascii to logfile, default is epoch in seconds.
+ log-time-ascii: yes
+
# the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
@@ -293,21 +299,32 @@ server:
# if yes, the above default do-not-query-address entries are present.
# if no, localhost can be queried (for testing and debugging).
# do-not-query-localhost: yes
-
+
+ # if yes, perform prefetching of almost expired message cache entries.
+ prefetch: yes
+
+ # if yes, perform key lookups adjacent to normal lookups.
+ prefetch-key: yes
+
# module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator"
# module-config: "validator iterator"
# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
- # Download https://secure.isc.org/ops/dlv/dlv.isc.org.key
- # dlv-anchor-file: "/etc/pki/dnssec-keys/dlv.isc.org.key"
+ # Downloaded from https://secure.isc.org/ops/dlv/dlv.isc.org.key
+ dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"
# File with trusted keys for validation. Specify more than one file
# with several entries, one file per entry.
# Zone file format, with DS and DNSKEY entries.
# trust-anchor-file: ""
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ # auto-trust-anchor-file: ""
+
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
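Review bot: with `+	dlv-anchor-file: "/etc/unbound/dlv.isc.org.key"` uncommented while `trust-anchor-file` and `auto-trust-anchor-file` stay empty, the ISC DLV key is the only trust anchor this configuration validates from, and unlike `auto-trust-anchor-file` it gets no RFC 5011 probing, so a rollover of the DLV key requires a package update. State that in the `Downloaded from` comment, since a stale anchor breaks validation for every zone that depends on it and the operator has no hint in the file about how the key is kept current.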
@@ -319,7 +336,10 @@ server:
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
-
+
+ # Ignore chain of trust. Domain is treated as insecure.
+ # domain-insecure: "example.com"
+
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
@@ -328,7 +348,13 @@ server:
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
# val-bogus-ttl: 60
-
+
+ # The signature inception and expiration dates are allowed to be off
+ # by 10% of the lifetime of the signature from our local clock.
+ # This leeway is capped with a minimum and a maximum. In seconds.
+ # val-sig-skew-min: 3600
+ # val-sig-skew-max: 86400
+
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
@@ -342,6 +368,10 @@ server:
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
+
+ # Have the validator log failed validations for your diagnosis.
+ # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
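Review bot: `+	val-log-level: 1` logs only a line per failed query; the comment itself says level 2 adds the reason and the bad IP, which is what an operator needs to tell a misconfigured zone from a forged answer. If 1 was chosen to limit syslog volume on EL-5, record that in the comment; otherwise 2 is the more useful packaged default for diagnosis.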
@@ -349,6 +379,16 @@ server:
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+ # instruct the auto-trust-anchor-file probing to add anchors after ttl.
+ # add-holddown: 2592000 # 30 days
+
+ # instruct the auto-trust-anchor-file probing to del anchors after ttl.
+ # del-holddown: 2592000 # 30 days
+
+ # auto-trust-anchor-file probing removes missing anchors after ttl.
+ # If the value 0 is given, missing anchors are not removed.
+ # keep-missing: 31622400 # 366 days
+
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
@@ -368,7 +408,7 @@ server:
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
- # o transparent serves local data, else, resolves normally .
+ # o transparent serves local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
#
@@ -397,6 +437,15 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+# # Script file to load
+# # python-script: "/etc/unbound/ubmodule-tst.py"
+
+
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/EL-5/unbound.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -p -r1.11 -r1.12
--- unbound.spec 7 Apr 2010 16:54:30 -0000 1.11
+++ unbound.spec 7 Apr 2010 17:03:26 -0000 1.12
@@ -1,5 +1,5 @@
# not ready yet
-%{?!with_python: %define with_python 0}
+%{?!with_python: %global with_python 0}
%if %{with_python}
%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
@@ -8,27 +8,33 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.3.4
-Release: 1%{?dist}.1
+Version: 1.4.3
+Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
Source1: unbound.init
Source2: unbound.conf
Source3: unbound.munin
+Source4: dlv.isc.org.key
Patch1: unbound-1.2-glob.patch
+
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: flex, openssl-devel, ldns-devel >= 1.5.0, libevent-devel
+BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
+BuildRequires: libevent-devel
%if %{with_python}
-BuildRequires: python-devel
+BuildRequires: python-devel swig
%endif
+# Required for SVN versions
+#BuildRequires: bison
+
+
Requires(post): chkconfig
Requires(preun): chkconfig
Requires(preun): initscripts
Requires(postun): initscripts
-Requires: ldns >= 1.5.0, dnssec-conf >= 1.19
-Requires: openssl >= 0.9.8e-7
+Requires: ldns >= 1.5.0
Requires(pre): shadow-utils
%description
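Review bot: `+BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,` has a stray space before the second comma and a dangling trailing comma; fold it together with the following `+BuildRequires: libevent-devel` line, or at least drop the trailing comma, so the dependency list parses unambiguously. Dropping `-Requires: openssl >= 0.9.8e-7` works only because rpm's automatic library dependencies pick up libssl from the binary; the changelog currently mentions only the dnssec-conf removal and should mention this too.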
@@ -55,7 +61,6 @@ Plugin for the munin / munin-node monito
Summary: Development package that includes the unbound header files
Group: Development/Libraries
Requires: %{name}-libs = %{version}-%{release}, openssl-devel, ldns-devel
-Requires: libevent-devel
%description devel
The devel package contains the unbound library and the include files
@@ -92,12 +97,12 @@ Python modules and extensions for unboun
--with-pythonmodule --with-pyunbound \
%endif
--enable-sha2
-%{__make} CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" QUIET=no %{?_smp_mflags}
+%{__make} %{?_smp_mflags}
%install
rm -rf %{buildroot}
%{__make} DESTDIR=%{buildroot} install
-install -d 0755 %{buildroot}%{_initrddir} %{buildroot}%{_localstatedir}/run/%{name}
+install -d 0755 %{buildroot}%{_initrddir}
install -m 0755 %{SOURCE1} %{buildroot}%{_initrddir}/unbound
install -m 0755 %{SOURCE2} %{buildroot}%{_sysconfdir}/unbound
# Install munin plugin and its softlinks
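Review bot: `+install -d 0755 %{buildroot}%{_initrddir}` keeps a pre-existing mistake: without `-m`, `install -d` treats `0755` as another directory operand, so it also creates a stray `0755` directory in the build cwd instead of setting the mode; use `install -d -m 0755 %{buildroot}%{_initrddir}`. The same pattern is visible in the unchanged context line `install -d 0755 %{buildroot}%{_datadir}/` that heads the next hunk.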
@@ -107,10 +112,18 @@ install -d 0755 %{buildroot}%{_datadir}/
install -m 0755 contrib/unbound_munin_ %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
-done
+done
+
+# install DLV key
+install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/unbound/
# remove static library from install (fedora packaging guidelines)
rm -rf %{buildroot}%{_libdir}/*.la
+%if %{with_python}
+rm -rf %{buildroot}%{python_sitelib}/*/*.la
+%endif
+
+mkdir -p %{buildroot}%{_localstatedir}/run/unbound
%clean
rm -rf ${RPM_BUILD_ROOT}
@@ -122,6 +135,7 @@ rm -rf ${RPM_BUILD_ROOT}
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%attr(0755,unbound,unbound) %dir %{_localstatedir}/run/%{name}
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
%{_sbindir}/*
%{_mandir}/*/*
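Review bot: `+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key` marks the DLV trust anchor as a locally editable config file, so when a later package ships a rolled key the new one lands as `dlv.isc.org.key.rpmnew` and the stale key stays in use by the validator; since administrators are not expected to edit this file, drop `%config(noreplace)` (plain `%config` or no marker) so upgrades replace it.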
@@ -149,25 +163,20 @@ rm -rf ${RPM_BUILD_ROOT}
%pre
getent group unbound >/dev/null || groupadd -r unbound
getent passwd unbound >/dev/null || \
-useradd -r -g unbound -d %{_sysconfdir}/%{name} -s /sbin/nologin \
+useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
-c "Unbound DNS resolver" unbound
exit 0
-%post
+%post
/sbin/chkconfig --add %{name}
-# Check DNSSEC settings if this is a fresh install
-if [ "$1" -eq 1 ]; then
- if [ -r /etc/sysconfig/dnssec ]; then
- . /etc/sysconfig/dnssec
- [ -x /usr/sbin/dnssec-configure ] && \
- dnssec-configure -u --norestart --nocheck --dnssec="$DNSSEC" --dlv="$DLV" > \
- /dev/null 2>&1
- fi;
-fi
+# dnssec-conf used to contain our DLV key, but now we include it via unbound
+# If unbound had previously been configured with dnssec-configure, we need
+# to migrate the location of the DLV key file (to keep DLV enabled, and because
+# unbound won't start with a bad location for a DLV key file.
+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:" %{_sysconfdir}/unbound/unbound.conf
%post libs -p /sbin/ldconfig
-
%preun
if [ "$1" -eq 0 ]; then
/sbin/service %{name} stop >/dev/null 2>&1
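Review bot: the regex in `+sed -i "s:/etc/pki/dnssec-keys[/]*dlv:/etc/unbound:"` only handles the `/etc/pki/dnssec-keys/dlv/dlv.isc.org.key` layout; on the flat layout the old config comment also documented, `/etc/pki/dnssec-keys/dlv.isc.org.key`, the `dlv` of the file name is consumed by the match and the result is `/etc/unbound.isc.org.key`, which is exactly the bad DLV location the comment says unbound will refuse to start on. Match the whole file name instead, e.g. `s:/etc/pki/dnssec-keys/\(dlv/\)\?dlv\.isc\.org\.key:/etc/unbound/dlv.isc.org.key:`, and guard it with `[ "$1" -ge 2 ]` since a fresh install already ships the new path. Also, the parenthesis opened in `+# to migrate the location of the DLV key file (to keep DLV enabled, and because` is never closed.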
@@ -182,6 +191,19 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Wed Apr 07 2010 Paul Wouters <paul at xelerance.com> - 1.4.3-1
+- Upgrade to 1.4.3
+- Updated unbound.conf file
+- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
+- Enabled re-fetching popular records before they expire
+- Enabled logging of DNSSEC validation errors
+- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
+ with pthreads
+- Removed dependancy for dnssec-conf
+- Added ISC DLV key (formerly in dnssec-conf)
+- Fixup old DLV locations in unbound.conf file via %%post
+- Changed %%define to %%global
+
* Wed Apr 07 2010 Dennis Gilmore <dennis at ausil.us> - 1.3.4-1.1
- rebuild for libevent bump in EL-5.5