rpms/unbound/devel .cvsignore, 1.12, 1.13 sources, 1.15, 1.16 unbound.conf, 1.9, 1.10 unbound.spec, 1.40, 1.41
Paul Wouters
pwouters at fedoraproject.org
Tue Mar 9 15:48:42 UTC 2010
Author: pwouters
Update of /cvs/extras/rpms/unbound/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5437
Modified Files:
.cvsignore sources unbound.conf unbound.spec
Log Message:
* Tue Mar 09 2010 Paul Wouters <paul at xelerance.com> - 1.4.2-1
- Updated to 1.4.2
- Updated unbound.conf with new options
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
- Enabled logging of DNSSEC validation errors
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -p -r1.12 -r1.13
--- .cvsignore 5 Jan 2010 23:07:01 -0000 1.12
+++ .cvsignore 9 Mar 2010 15:48:42 -0000 1.13
@@ -7,3 +7,4 @@ unbound-1.3.1.tar.gz
unbound-1.3.3.tar.gz
unbound-1.3.4.tar.gz
unbound-1.4.1.tar.gz
+unbound-1.4.2.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/sources,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -p -r1.15 -r1.16
--- sources 5 Jan 2010 23:07:02 -0000 1.15
+++ sources 9 Mar 2010 15:48:42 -0000 1.16
@@ -1 +1,2 @@
1e03ef9618e4bca02005bd99bc6af75c unbound-1.4.1.tar.gz
+9d9ff135b5ff2003c55c089cfe34e3e6 unbound-1.4.2.tar.gz
Index: unbound.conf
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.conf,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -p -r1.9 -r1.10
--- unbound.conf 23 Feb 2010 20:32:08 -0000 1.9
+++ unbound.conf 9 Mar 2010 15:48:42 -0000 1.10
@@ -78,7 +78,15 @@ server:
# number of incoming simultaneous tcp buffers to hold per thread.
# incoming-num-tcp: 10
-
+
+ # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+ # 0 is system default. Use 4m to catch query spikes for busy servers.
+ # so-rcvbuf: 0
+
+ # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+ # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
+ # edns-buffer-size: 4096
+
# buffer size for handling DNS data. No messages larger than this
# size can be sent or received, by UDP or TCP. In bytes.
# msg-buffer-size: 65552
@@ -106,7 +114,11 @@ server:
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# rrset-cache-slabs: 4
-
+
+ # the time to live (TTL) value lower bound, in seconds. Default 0.
+ # If more than an hour could easily give trouble due to stale data.
+ # cache-min-ttl: 0
+
# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
@@ -199,6 +211,9 @@ server:
# log to, with identity "unbound". If yes, it overrides the logfile.
# use-syslog: yes
+ # print UTC timestamp in ascii to logfile, default is epoch in seconds.
+ log-time-ascii: yes
+
# the pid file. Can be an absolute path outside of chroot/work dir.
pidfile: "/var/run/unbound/unbound.pid"
@@ -284,7 +299,13 @@ server:
# if yes, the above default do-not-query-address entries are present.
# if no, localhost can be queried (for testing and debugging).
# do-not-query-localhost: yes
-
+
+ # if yes, perform prefetching of almost expired message cache entries.
+ prefetch: yes
+
+ # if yes, perform key lookups adjacent to normal lookups.
+ prefetch-key: yes
+
# module configuration of the server. A string with identifiers
# separated by spaces. "iterator" or "validator iterator"
# module-config: "validator iterator"
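Review bot: The comments above `prefetch: yes` and `prefetch-key: yes` do not say what enabling them costs, and these are the two options this change turns on for every install. Prefetching refreshes popular cache entries before they expire at the price of extra upstream queries and load. I would extend the comments, for example `# keeps popular entries in cache at the cost of extra upstream traffic` and `# fetch DNSKEYs as soon as a DS is seen; lowers validation latency`. The server: section continues outside this hunk.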
@@ -299,6 +320,11 @@ server:
# Zone file format, with DS and DNSKEY entries.
# trust-anchor-file: ""
+ # File with trusted keys, kept uptodate using RFC5011 probes,
+ # initial file like trust-anchor-file, then it stores metadata.
+ # Use several entries, one per domain name, to track multiple zones.
+ # auto-trust-anchor-file: ""
+
# Trusted key for validation. DS or DNSKEY. specify the RR on a
# single line, surrounded by "". TTL is ignored. class is IN default.
# (These examples are from August 2007 and may not be valid anymore).
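Review bot: The new `auto-trust-anchor-file` comment says the file "stores metadata" but not that the daemon rewrites it, which is what an operator needs to know to set permissions. Unbound updates this file as its RFC 5011 probes progress, so the file and the directory it is in must be writable by the account unbound runs as, unlike a static `trust-anchor-file`. I would add a line such as `# Must be writable by the unbound user (file and its directory).` With a read-only file the tracked key state would presumably not survive a restart.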
@@ -310,7 +336,10 @@ server:
# but has a different file format. Format is BIND-9 style format,
# the trusted-keys { name flag proto algo "key"; }; clauses are read.
# trusted-keys-file: ""
-
+
+ # Ignore chain of trust. Domain is treated as insecure.
+ # domain-insecure: "example.com"
+
# Override the date for validation with a specific fixed date.
# Do not set this unless you are debugging signature inception
# and expiration. "" or "0" turns the feature off.
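Review bot: The comment on `domain-insecure` understates the effect: answers for that name are accepted without DNSSEC validation even when a trust anchor above it would otherwise cover them. "Treated as insecure" does not make that plain to someone skimming the file. Suggested wording: `# Skip DNSSEC validation for this domain and the names below it; a DS from the parent is ignored.` The example stays commented out, which is the right default.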
@@ -319,7 +348,13 @@ server:
# The time to live for bogus data, rrsets and messages. This avoids
# some of the revalidation, until the time interval expires. in secs.
# val-bogus-ttl: 60
-
+
+ # The signature inception and expiration dates are allowed to be off
+ # by 10% of the lifetime of the signature from our local clock.
+ # This leeway is capped with a minimum and a maximum. In seconds.
+ # val-sig-skew-min: 3600
+ # val-sig-skew-max: 86400
+
# Should additional section of secure message also be kept clean of
# unsecure data. Useful to shield the users of this validator from
# potential bogus data in the additional section. All unsigned data
@@ -333,6 +368,10 @@ server:
# replies if the message is found secure. The default is off.
# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
val-permissive-mode: no
+
+ # Have the validator log failed validations for your diagnosis.
+ # 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+ val-log-level: 1
# It is possible to configure NSEC3 maximum iteration counts per
# keysize. Keep this table very short, as linear search is done.
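Review bot: `val-log-level: 1` is enabled here without a word on where the lines go or what they contain. As I understand it each failed validation writes the failing query name to the configured log (syslog or logfile), so log volume follows client traffic and the log now records what clients looked up. A comment such as `# lines go to syslog/logfile and include the query name; plan rotation and access accordingly` would cover it. Level 2 adds the reason and the upstream address, which is what separates an expired signature from a tampered answer, so the comment could name it as the setting to use while investigating.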
@@ -340,6 +379,16 @@ server:
# List in ascending order the keysize and count values.
# val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500"
+ # instruct the auto-trust-anchor-file probing to add anchors after ttl.
+ # add-holddown: 2592000 # 30 days
+
+ # instruct the auto-trust-anchor-file probing to del anchors after ttl.
+ # del-holddown: 2592000 # 30 days
+
+ # auto-trust-anchor-file probing removes missing anchors after ttl.
+ # If the value 0 is given, missing anchors are not removed.
+ # keep-missing: 31622400 # 366 days
+
# the amount of memory to use for the key cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# key-cache-size: 4m
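Review bot: The three hold-down comments say "after ttl" and never give the unit; the values are seconds, as the `# 30 days` and `# 366 days` annotations imply. The 30-day add hold-down is the RFC 5011 safeguard that gives a zone owner time to revoke a compromised key before a new anchor signed by it becomes trusted, so the comment should warn against shortening it. Suggested: `# seconds a new key must be seen before it is trusted (RFC 5011 add hold-down); do not lower without reason`.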
@@ -359,7 +408,7 @@ server:
# o deny serves local data (if any), else, drops queries.
# o refuse serves local data (if any), else, replies with error.
# o static serves local data, else, nxdomain or nodata answer.
- # o transparent serves local data, else, resolves normally .
+ # o transparent serves local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
#
@@ -388,6 +437,15 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+## Python config section. To enable:
+## o use --with-pythonmodule to configure before compiling.
+## o list python in the module-config string (above) to enable.
+## o and give a python-script to run.
+#python:
+# # Script file to load
+# # python-script: "/etc/unbound/ubmodule-tst.py"
+
+
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
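Review bot: The Python section should carry a note on file ownership, since the `python-script` named there is loaded and run inside the resolver process. If that file is writable by the unbound account or any other non-root user, a change to it alters how the resolver answers. I would add `## Keep the script root-owned and not writable by the unbound user.` above `#python:`. The sample path `ubmodule-tst.py` looks like an upstream test script, so a neutral placeholder name may be clearer. The remote-control: block that follows continues outside this hunk.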
Index: unbound.spec
===================================================================
RCS file: /cvs/extras/rpms/unbound/devel/unbound.spec,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -p -r1.40 -r1.41
--- unbound.spec 1 Mar 2010 16:22:27 -0000 1.40
+++ unbound.spec 9 Mar 2010 15:48:42 -0000 1.41
@@ -8,8 +8,8 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.4.1
-Release: 5%{?dist}
+Version: 1.4.2
+Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
Source: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz
@@ -192,6 +192,13 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Mar 09 2010 Paul Wouters <paul at xelerance.com> - 1.4.2-1
+- Updated to 1.4.2
+- Updated unbound.conf with new options
+- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
+- Enabled re-fetching popular records before they expire
+- Enabled logging of DNSSEC validation errors
+
* Mon Mar 01 2010 Paul Wouters <paul at xelerance.com> - 1.4.1-5
- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
with pthreads