[unbound/el6] * Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1 - Upgraded to 1.4.14 for CVE-2011-45
Paul Wouters
pwouters at fedoraproject.org
Mon Dec 19 17:20:11 UTC 2011
commit 03114d2d8ad648f20e620eb43062db0e6ec9889f
Author: Paul Wouters <paul at xelerance.com>
Date: Mon Dec 19 12:14:57 2011 -0500
* Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
- SSL-wrapped query support for dnssec-trigger
- EDNS handling changes
- Removed integrated EDNS patches
- Disabled use-caps-for-id, GoDaddy domains now break on it
- Enabled new harden-below-nxdomain
Conflicts:
unbound.spec
unbound.conf | 36 +++++++++++++++++++++++++-----------
unbound.spec | 12 +++++++++---
2 files changed, 34 insertions(+), 14 deletions(-)
---
diff --git a/unbound.conf b/unbound.conf
index ae7e406..99bc8d6 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -60,7 +60,7 @@ server:
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously.
- # outgoing-range: 256
+ # outgoing-range: 4096
# permit unbound to use this port number or port range for
# making outgoing queries, using an outgoing interface.
@@ -83,6 +83,10 @@ server:
# 0 is system default. Use 4m to catch query spikes for busy servers.
# so-rcvbuf: 0
+ # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+ # 0 is system default. Use 4m to handle spikes on very busy servers.
+ # so-sndbuf: 0
+
# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
# is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
# edns-buffer-size: 4096
@@ -123,24 +127,18 @@ server:
# cache. Items are not cached for longer. In seconds.
# cache-max-ttl: 86400
- # the time to live (TTL) value for cached roundtrip times and
- # EDNS version information for hosts. In seconds.
+ # the time to live (TTL) value for cached roundtrip times, lameness
+ # and EDNS version information for hosts. In seconds.
# infra-host-ttl: 900
- # the time to live (TTL) value for cached lame delegations. In sec.
- # infra-lame-ttl: 900
-
# the number of slabs to use for the Infrastructure cache.
# the number of slabs must be a power of 2.
# more slabs reduce lock contention, but fragment memory usage.
# infra-cache-slabs: 4
- # the maximum number of hosts that are cached (roundtrip times, EDNS).
+ # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
- # the maximum size of the lame zones cached per host. in bytes.
- # infra-cache-lame-size: 10k
-
# Enable IPv4, "yes" or "no".
# do-ip4: yes
@@ -262,6 +260,9 @@ server:
# Default on, which insists on dnssec data for trust-anchored zones.
harden-dnssec-stripped: yes
+ # Harden against queries that fall under dnssec-signed nxdomain names.
+ harden-below-nxdomain: yes
+
# Harden the referral path by performing additional queries for
# infrastructure data. Validates the replies (if possible).
# Default off, because the lookups burden the server. Experimental
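Review bot: The new `harden-below-nxdomain: yes` on line 69 is enabled unconditionally, but the one-line comment does not say what it depends on: as far as I recall from the upstream option description, only DNSSEC-secure NXDOMAIN answers are used to synthesize NXDOMAIN for names below them, so the setting has no effect unless validation is configured (validator module plus a trust anchor), and it can change answers for zones served by very old authoritative software that returns NXDOMAIN for empty non-terminals. Since this departs from the upstream default and the changelog only says "Enabled new harden-below-nxdomain", the shipped file should record the rationale and the dependency, e.g. `# packaging default: on; only DNSSEC-secure NXDOMAINs are used, so it needs validation to have any effect`. The validation settings this relies on are outside the hunk.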
@@ -270,7 +271,8 @@ server:
# Use 0x20-encoded random bits in the query to foil spoof attempts.
# This feature is an experimental implementation of draft dns-0x20.
- use-caps-for-id: yes
+ # (this now fails on all GoDaddy customer domains, so disabled)
+ use-caps-for-id: no
# Enforce privacy of these addresses. Strips them away from answers.
# It may cause DNSSEC validation to additionally mark it as bogus.
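Review bot: Setting `use-caps-for-id: no` on line 79 drops the 0x20 case-randomization entropy that the comment two lines above describes as a spoofing countermeasure, and the justification added on line 78 carries no date or reference, so there is no way to know later when it is safe to re-enable. Source-port randomization and the message ID remain the anti-spoofing measures once this is off, which is worth stating so the trade-off is explicit rather than implied by "disabled". Suggest replacing line 78 with `# disabled 2011-12: lookups for GoDaddy-hosted domains fail with 0x20 on; re-test and re-enable once fixed upstream (tracking: BUG-ID placeholder)`.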
@@ -416,6 +418,7 @@ server:
# o transparent serves local data, but resolves normally for other names
# o redirect serves the zone data for any subdomain in the zone.
# o nodefault can be used to normally resolve AS112 zones.
+ # o typetransparent resolves normally for other types and other names
#
# defaults are localhost address, reverse for 127.0.0.1 and ::1
# and nxdomain for AS112 zones. If you configure one of these zones
@@ -442,6 +445,17 @@ server:
# you need to do the reverse notation yourself.
# local-data-ptr: "192.0.2.3 www.example.com"
+ # service clients over SSL (on the TCP sockets), with plain DNS inside
+ # the SSL stream. Give the certificate to use and private key.
+ # default is "" (disabled). requires restart to take effect.
+ # ssl-service-key: "path/to/privatekeyfile.key"
+ # ssl-service-pem: "path/to/publiccertfile.pem"
+ # ssl-port: 443
+
+ # request upstream over SSL (with plain DNS inside the SSL stream).
+ # Default is no. Can be turned on and off with unbound-control.
+ # ssl-upstream: no
+
## Python config section. To enable:
## o use --with-pythonmodule to configure before compiling.
## o list python in the module-config string (above) to enable.
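Review bot: The `ssl-upstream` comment on lines 100-102 presents the option as encrypting the upstream stream but says nothing about authentication; as far as I can tell from the options shown in this hunk, this version offers no way to verify or pin the upstream server certificate, so `ssl-upstream: yes` protects against passive observation only and not an active man-in-the-middle, and the comment should say so, e.g. `# no upstream certificate verification in this version: privacy, not authenticity`. The `ssl-service-key` example on line 96 would also benefit from a permissions line, since the private key must be readable by the account unbound runs as but not by other users: `# key file: owned by root, readable only by the unbound user, never world-readable`. The username/chroot settings that determine that account are outside the hunk.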
diff --git a/unbound.spec b/unbound.spec
index 977b90a..c22cf59 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -7,7 +7,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
-Version: 1.4.13
+Version: 1.4.14
Release: 1%{?dist}
License: BSD
Url: http://www.nlnetlabs.nl/unbound/
@@ -19,7 +19,6 @@ Source4: unbound_munin_
Source5: root.key
Source6: dlv.isc.org.key
Patch1: unbound-1.2-glob.patch
-Patch2: unbound-1.4.13-edns1480.patch
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel , ldns-devel >= 1.6.9,
@@ -90,7 +89,6 @@ Python modules and extensions for unbound
%prep
%setup -q
%patch1 -p1
-%patch2 -p0
%build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \
@@ -198,6 +196,14 @@ fi
%postun libs -p /sbin/ldconfig
%changelog
+* Mon Dec 19 2011 Paul Wouters <paul at cypherpunks.ca> - 1.4.14-1
+- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
+- SSL-wrapped query support for dnssec-trigger
+- EDNS handling changes
+- Removed integrated EDNS patches
+- Disabled use-caps-for-id, GoDaddy domains now break on it
+- Enabled new harden-below-nxdomain
+
* Thu Sep 15 2011 Paul Wouters <paul at xelerance.com> - 1.4.13-1
- Upgraded to 1.4.13
- Added root key for DNSSEC