diff --git a/unbound-1.17.1.tar.gz b/unbound-1.19.0.tar.gz similarity index 48% rename from unbound-1.17.1.tar.gz rename to unbound-1.19.0.tar.gz index c98fca989ffdc2c9293d36dd67e9e971b179437a..7a867c361e99835ea8002ff0ee9ce8727296a47e 100644 Binary files a/unbound-1.17.1.tar.gz and b/unbound-1.19.0.tar.gz differ diff --git a/unbound.conf b/unbound.conf index 54c4d7b2533416aeef78a77140f16eb8081704f3..b038b4a67ef44feaab3d8f274eb4a4bd70a30c1f 100644 --- a/unbound.conf +++ b/unbound.conf @@ -161,10 +161,8 @@ server: # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). - # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. - # 3072 causes +dnssec any isc.org queries to need TC=1. - # Helps mitigating DDOS - max-udp-size: 3072 + # Suggested values are 512 to 4096. Default is 1232. 65536 disables it. + # max-udp-size: 1232 # max memory to use for stream(tcp and tls) waiting result buffers. # stream-wait-size: 4m @@ -263,6 +261,18 @@ server: # Enable IPv6, "yes" or "no". # do-ip6: yes + # If running unbound on an IPv6-only host, domains that only have + # IPv4 servers would become unresolveable. If NAT64 is available in + # the network, unbound can use NAT64 to reach these servers with + # the following option. This is NOT needed for enabling DNS64 on a + # system that has IPv4 connectivity. + # Consider also enabling prefer-ip6 to prefer native IPv6 connections + # to nameservers. + # do-nat64: no + + # NAT64 prefix. Defaults to using dns64-prefix value. + # nat64-prefix: 64:ff9b::0/96 + # Enable UDP, "yes" or "no". # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. @@ -296,6 +306,10 @@ server: # Timeout for EDNS TCP keepalive, in msec. # edns-tcp-keepalive-timeout: 120000 + # UDP queries that have waited in the socket buffer for a long time + # can be dropped. Default is 0, disabled. In seconds, such as 3. + # sock-queue-timeout: 0 + # Fedora note: do not activate this - not compiled in because # it causes frequent unbound crashes. Also, socket activation # is bad when you have things like dnsmasq also running with libvirt. @@ -529,6 +543,10 @@ server: # to validate the zone. # harden-algo-downgrade: no + # Harden against unknown records in the authority section and the + # additional section. + # harden-unknown-additional: no + # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE # to A when possible. @@ -842,6 +860,8 @@ server: # o always_transparent, always_refuse, always_nxdomain, always_nodata, # always_deny resolve in that way but ignore local data for # that name + # o block_a resolves all records normally but returns + # NODATA for A queries and ignores local data for that name # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # @@ -1265,6 +1285,10 @@ auth-zone: # redis-server-host: 127.0.0.1 # # redis server's TCP port # redis-server-port: 6379 +# # if the server uses a unix socket, set its path, or "" when not used. +# # redis-server-path: "/var/lib/redis/redis-server.sock" +# # if the server uses an AUTH password, specify here, or "" when not used. +# # redis-server-password: "" # # timeout (in ms) for communication with the redis server # redis-timeout: 100 # # set timeout on redis records based on DNS response TTL diff --git a/unbound.spec b/unbound.spec index e2ebea355a071524e601fb3e216df2e6e7580734..70b2b4f216658ef5a0933f72751fe650dd1989b5 100644 --- a/unbound.spec +++ b/unbound.spec @@ -1,7 +1,7 @@ %{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete} Name: unbound -Version: 1.17.1 +Version: 1.19.0 Release: 1 Summary: Unbound is a validating, recursive, caching DNS resolver License: BSD-3-Clause @@ -234,6 +234,12 @@ popd %{_mandir}/man* %changelog +* Tue Dec 26 2023 gaihuiying - 1.19.0-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:update to 1.19.0 + * Tue Mar 07 2023 gaihuiying - 1.17.1-1 - Type:requirement - CVE:NA