[unbound] * Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1 - Upgraded to 1.4.14 for CVE-2011-45
Paul Wouters
pwouters at fedoraproject.org
Mon Dec 19 15:30:30 UTC 2011
commit 9af263621b904fce2984c63001c41eb7fb90ba34
Author: Paul Wouters <paul at xelerance.com>
Date: Mon Dec 19 10:29:22 2011 -0500
* Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
- SSL-wrapped query support for dnssec-trigger
- EDNS handling changes
- Removed integrated EDNS patches
- Disabled use-caps-for-id, GoDaddy domains now break on it
- Enabled new harden-below-nxdomain
unbound.conf | 40 +++++++++++++++++++++++++++++-----------
unbound.spec | 7 ++++---
2 files changed, 33 insertions(+), 14 deletions(-)
---
diff --git a/unbound.conf b/unbound.conf
index 5d73c55..99bc8d6 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -60,7 +60,7 @@ server:
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously.
- # outgoing-range: 256
+ # outgoing-range: 4096
# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -83,6 +83,10 @@ server:
# 0 is system default. Use 4m to catch query spikes for busy servers.
# so-rcvbuf: 0
+ # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+ # 0 is system default. Use 4m to handle spikes on very busy servers.
+ # so-sndbuf: 0
+
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
@@ -123,24 +127,18 @@ server:
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
- # the time to live (TTL) value for cached roundtrip times and
- # EDNS version information for hosts. In seconds.
+ # the time to live (TTL) value for cached roundtrip times, lameness
+ # and EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
- # the time to live (TTL) value for cached lame delegations. In sec.
- # infra-lame-ttl: 900
-
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# infra-cache-slabs: 4
- # the maximum number of hosts that are cached (roundtrip times, EDNS).
+ # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
- # the maximum size of the lame zones cached per host. in bytes.
- # infra-cache-lame-size: 10k
-
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@@ -153,6 +151,10 @@ server:
# Enable TCP, "yes" or "no".
# do-tcp: yes
+ # upstream connections use TCP only (and no UDP), "yes" or "no"
+ # useful for tunneling scenarios, default no.
+ # tcp-upstream: no
+
# Detach from the terminal, run in background, "yes" or "no".
# do-daemonize: yes
@@ -258,6 +260,9 @@ server:
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
+ # Harden against queries that fall under dnssec-signed nxdomain names.
+ harden-below-nxdomain: yes
+
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
@@ -266,7 +271,8 @@ server:
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
- use-caps-for-id: yes
+ # (this now fails on all GoDaddy customer domains, so disabled)
+ use-caps-for-id: no
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
@@ -412,6 +418,7 @@ server:
# o transparent serves local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
+ # o typetransparent resolves normally for other types and other names
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -438,6 +445,17 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ # ssl-service-key: "path/to/privatekeyfile.key"
+ # ssl-service-pem: "path/to/publiccertfile.pem"
+ # ssl-port: 443
+
+ # request upstream over SSL (with plain DNS inside the SSL stream).
+ # Default is no. Can be turned on and off with unbound-control.
+ # ssl-upstream: no
+
## Python config section. To enable:
## o use --with-pythonmodule to configure before compiling.
## o list python in the module-config string (above) to enable.
diff --git a/unbound.spec b/unbound.spec
index a4003e6..2a2dcb3 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -22,7 +22,6 @@ Source6: dlv.isc.org.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.13-edns1480.patch
Group: System Environment/Daemons
BuildRequires: flex, openssl-devel , ldns-devel >= 1.5.0,
@@ -95,7 +94,6 @@ Python modules and extensions for unbound
%prep
%setup -q
%patch1 -p1
-%patch2 -p0
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -222,10 +220,13 @@ fi
/bin/systemctl try-restart unbound-keygen.service >/dev/null 2>&1 || :
%changelog
-* Mon Dec 19 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-2
+* Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
- SSL-wrapped query support for dnssec-trigger
- EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain
* Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
- Upgraded to 1.4.13
More information about the scm-commits
mailing list