From ec26998079e3e9006907d164fb6dc95d5d0124df Mon Sep 17 00:00:00 2001 From: Paul Wouters Date: Dec 11 2015 15:06:07 +0000 Subject: * Fri Dec 11 2015 Paul Wouters - 1.5.7-1 - Update to 1.5.7 - Enable query minimalization for enhanced DNS query privacy - Enable nxdomain hardening to assist with query minimalization and SBLs - Updated default unbound.conf for new features from upstream.
---
diff --git a/.gitignore b/.gitignore
index ca47efe..85c3c60 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,3 +33,4 @@ unbound-1.4.5.tar.gz
 /unbound-1.5.4.tar.gz
 /unbound-1.5.5.tar.gz
 /unbound-1.5.6.tar.gz
+/unbound-1.5.7.tar.gz
diff --git a/sources b/sources
index d96ee28..219747e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-691a34abd8e9257dd65b70f28326c1f0 unbound-1.5.6.tar.gz
+a1253cbbb339dbca03404dcc58365d71 unbound-1.5.7.tar.gz
diff --git a/unbound.conf b/unbound.conf
index 4a97148..65480fc 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -6,7 +6,7 @@
 #Use this to include other text into the file.
 #include: "otherfile.conf"
-# The server clause sets the main parameters.
+# The server clause sets the main parameters.
 server:
 # whitespace is not necessary, but looks cleaner.
@@ -15,16 +15,16 @@ server:
 # print statistics to the log (for every thread) every N seconds.
 # Set to "" or 0 to disable. Default is disabled.
- # Needed for munin plugin
+ # Needs to be disabled for munin plugin
 statistics-interval: 0
 # enable cumulative statistics, without clearing them after printing.
- # Needed for munin plugin
- statistics-cumulative: yes
+ # Needs to be disabled for munin plugin
+ statistics-cumulative: no
 # enable extended statistics (query types, answer codes, status)
 # printed from unbound-control. default off, because of speed.
- # Needed for munin plugin
+ # Needs to be enabled for munin plugin
 extended-statistics: yes
 # number of threads to create. 1 disables threading.
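Review bot: The `statistics-cumulative: yes` → `statistics-cumulative: no` flip in the @@ -15,16 hunk is a runtime behaviour change (per the surrounding comment, counters are now cleared after each print) that neither the commit message nor the %changelog entry mentions, and the replaced comment claimed the opposite ("Needed for munin plugin"). If the munin plugin really requires non-cumulative counters, record it in the changelog, e.g. `- Set statistics-cumulative to no as required by the munin plugin`; if the old comment was right, the flip should be reverted. The three rewritten "Needs to be ..." comments would also read better if they named the reason rather than just the required value, e.g. `# Needs to be no: the munin plugin expects counters to reset after each read` — hedged, since the plugin's requirement is not visible in this diff.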
@@ -33,12 +33,13 @@ server:
 # specify the interfaces to answer queries from by ip-address.
 # The default is to listen to localhost (127.0.0.1 and ::1).
 # specify 0.0.0.0 and ::0 to bind to all available interfaces.
- # specify every interface on a new 'interface:' labelled line.
+ # specify every interface[@port] on a new 'interface:' labelled line.
 # The listen interfaces are not changed on reload, only on restart.
 # interface: 0.0.0.0
 # interface: ::0
 # interface: 192.0.2.153
 # interface: 192.0.2.154
+ # interface: 192.0.2.154@5003
 # interface: 2001:DB8::5
 # # for dns over tls and raw dns over port 80
@@ -101,6 +102,10 @@ server:
 # use SO_REUSEPORT to distribute queries over threads.
 # so-reuseport: no
+ # use IP_TRANSPARENT so the interface: addresses can be non-local
+ # and you can config non-existing IPs that are going to work later on
+ # ip-transparent: no
+
 # EDNS reassembly buffer to advertise to UDP peers (the actual buffer
 # is set with msg-buffer-size). 1480 can solve fragmentation (timeouts).
 # edns-buffer-size: 4096
@@ -255,7 +260,7 @@ server:
 pidfile: "/var/run/unbound/unbound.pid"
 # file to read root hints from.
- # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
+ # get one from https://www.internic.net/domain/named.cache
 # root-hints: ""
 # enable to not answer id.server and hostname.bind queries.
@@ -304,11 +309,25 @@ server:
 # implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
 harden-referral-path: yes
+ # Harden against algorithm downgrade when multiple algorithms are
+ # advertised in the DS record. If no, allows the weakest algorithm
+ # to validate the zone.
+ # harden-algo-downgrade: no
+
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ qname-minimisation: yes
+
 # Use 0x20-encoded random bits in the query to foil spoof attempts.
 # This feature is an experimental implementation of draft dns-0x20.
- # (this now fails on all GoDaddy customer domains, so disabled)
+ # (enabling used to cause some failures, like on GoDaddy customer domains)
 use-caps-for-id: no
+ # Domains (and domains in them) without support for dns-0x20 and
+ # the fallback fails because they keep sending different answers.
+ # caps-whitelist: "licdn.com"
+
 # Enforce privacy of these addresses. Strips them away from answers.
 # It may cause DNSSEC validation to additionally mark it as bogus.
 # Protects against 'DNS Rebinding' (uses browser as network proxy).
@@ -320,6 +339,7 @@ server:
 # private-address: 169.254.0.0/16
 # private-address: fd00::/8
 # private-address: fe80::/10
+ # private-address: ::ffff:0:0/96
 # Allow the domain (and its subdomains) to contain private addresses.
 # local-data statements are allowed to contain private addresses too.
@@ -355,7 +375,7 @@ server:
 minimal-responses: yes
 # module configuration of the server. A string with identifiers
- # separated by spaces. "iterator" or "validator iterator"
+ # separated by spaces. Syntax: "[dns64] [validator] iterator"
 # module-config: "validator iterator"
 # File with trusted keys, kept uptodate using RFC5011 probes,
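Review bot: The commit message and %changelog say nxdomain hardening is enabled to assist query minimisation, but no hunk in this diff touches `harden-below-nxdomain`; presumably it lives earlier in the server: section, outside the @@ -304,11 hunk, so either it was already `yes` in the unchanged part of unbound.conf (and the changelog line overstates what this commit does) or the intended change is missing — worth checking the full file before pushing. The changelog's "minimalization" also does not match the option name actually set here, `qname-minimisation`. Since `qname-minimisation: yes` becomes a packaged default, the comment above it should be corrected and tell the admin how to opt out, e.g. `# Send the minimum amount of information to upstream servers to enhance privacy: only the required labels of the QNAME are sent and QTYPE is set to NS when possible. Set to no if resolution of some domains regresses.`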
@@ -389,6 +409,7 @@ server:
 # Trusted key for validation. DS or DNSKEY. specify the RR on a
 # single line, surrounded by "". TTL is ignored. class is IN default.
+ # Note this gets out of date, use auto-trust-anchor-file please.
 # (These examples are from August 2007 and may not be valid anymore).
 # trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
 # trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
@@ -397,6 +418,7 @@ server:
 # with several entries, one file per entry. Like trust-anchor-file
 # but has a different file format. Format is BIND-9 style format,
 # the trusted-keys { name flag proto algo "key"; }; clauses are read.
+ # you need external update procedures to track changes in keys.
 # trusted-keys-file: ""
 # # trusted-keys-file: /etc/unbound/rootkey.bind
@@ -408,7 +430,7 @@ server:
 # Override the date for validation with a specific fixed date.
 # Do not set this unless you are debugging signature inception
- # and expiration. "" or "0" turns the feature off.
+ # and expiration. "" or "0" turns the feature off. -1 ignores date.
 # val-override-date: ""
 # The time to live for bogus data, rrsets and messages. This avoids
@@ -416,7 +438,7 @@ server:
 # val-bogus-ttl: 60
 # The signature inception and expiration dates are allowed to be off
- # by 10% of the lifetime of the signature from our local clock.
+ # by 10% of the signature lifetime (expir-incep) from our local clock.
 # This leeway is capped with a minimum and a maximum. In seconds.
 # val-sig-skew-min: 3600
 # val-sig-skew-max: 86400
@@ -460,6 +482,9 @@ server:
 # If the value 0 is given, missing anchors are not removed.
 # keep-missing: 31622400 # 366 days
+ # debug option that allows very small holddown times for key rollover
+ # permit-small-holddown: no
+
 # the amount of memory to use for the key cache.
 # plain value in bytes or you can append k, m or G. default is "4Mb".
 # key-cache-size: 4m
@@ -533,6 +558,7 @@ server:
 # o nodefault can be used to normally resolve AS112 zones.
 # o typetransparent resolves normally for other types and other names
 # o inform resolves normally, but logs client IP address
+ # o inform_deny drops queries and logs client IP address
 # # defaults are localhost address, reverse for 127.0.0.1 and ::1
 # and nxdomain for AS112 zones. If you configure one of these zones
@@ -576,6 +602,26 @@ server:
 # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
 # dns64-prefix: 64:ff9b::0/96
+ # ratelimit for uncached, new queries, this limits recursion effort.
+ # ratelimiting is experimental, and may help against randomqueryflood.
+ # if 0(default) it is disabled, otherwise state qps allowed per zone.
+ # ratelimit: 0
+
+ # ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+ # ratelimit-size: 4m
+ # ratelimit cache slabs, reduces lock contention if equal to cpucount.
+ # ratelimit-slabs: 4
+
+ # 0 blocks when ratelimited, otherwise let 1/xth traffic through
+ # ratelimit-factor: 10
+
+ # override the ratelimit for a specific domain name.
+ # give this setting multiple times to have multiple overrides.
+ # ratelimit-for-domain: example.com 1000
+ # override the ratelimits for all domains below a domain name
+ # can give this multiple times, the name closest to the zone is used.
+ # ratelimit-below-domain: example 1000
+
 # Python config section. To enable:
 # o use --with-pythonmodule to configure before compiling.
 # o list python in the module-config string (above) to enable.
@@ -624,10 +670,14 @@ include: /etc/unbound/conf.d/*.conf
 # 'example.org' go to the given list of nameservers. list zero or more
 # nameservers by hostname or by ipaddress. If you set stub-prime to yes,
 # the list is treated as priming hints (default is no).
+# With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
 # stub-zone:
 # name: "example.com"
 # stub-addr: 192.0.2.68
-# stub-prime: "no"
+# stub-prime: no
+# stub-first: no
 # stub-zone:
 # name: "example.org"
 # stub-host: ns.example.com.
diff --git a/unbound.spec b/unbound.spec
index 2aa0bc7..22af126 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -20,7 +20,7 @@ Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
-Version: 1.5.6
+Version: 1.5.7
 Release: 1%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: http://www.nlnetlabs.nl/unbound/
@@ -429,6 +429,12 @@ popd %changelog
+* Fri Dec 11 2015 Paul Wouters - 1.5.7-1
+- Update to 1.5.7
+- Enable query minimalization for enhanced DNS query privacy
+- Enable nxdomain hardening to assist with query minimalization and SBLs
+- Updated default unbound.conf for new features from upstream.
+
 * Fri Nov 13 2015 Tomas Hozza - 1.5.6-1
 - Update to 1.5.6 (#1176729)