diff --git a/unbound-1.19.0.tar.gz b/unbound-1.17.1.tar.gz
similarity index 48%
rename from unbound-1.19.0.tar.gz
rename to unbound-1.17.1.tar.gz
index 7a867c361e99835ea8002ff0ee9ce8727296a47e..c98fca989ffdc2c9293d36dd67e9e971b179437a 100644
Binary files a/unbound-1.19.0.tar.gz and b/unbound-1.17.1.tar.gz differ
diff --git a/unbound.conf b/unbound.conf
index b038b4a67ef44feaab3d8f274eb4a4bd70a30c1f..54c4d7b2533416aeef78a77140f16eb8081704f3 100644
--- a/unbound.conf
+++ b/unbound.conf
@@ -161,8 +161,10 @@ server:
  # edns-buffer-size: 1232
 
  # Maximum UDP response size (not applied to TCP response).
- # Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
- # max-udp-size: 1232
+ # Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+ # 3072 causes +dnssec any isc.org queries to need TC=1.
+ # Helps mitigating DDOS
+ max-udp-size: 3072
 
  # max memory to use for stream(tcp and tls) waiting result buffers.
  # stream-wait-size: 4m
@@ -261,18 +263,6 @@ server:
  # Enable IPv6, "yes" or "no".
  # do-ip6: yes
 
- # If running unbound on an IPv6-only host, domains that only have
- # IPv4 servers would become unresolveable. If NAT64 is available in
- # the network, unbound can use NAT64 to reach these servers with
- # the following option. This is NOT needed for enabling DNS64 on a
- # system that has IPv4 connectivity.
- # Consider also enabling prefer-ip6 to prefer native IPv6 connections
- # to nameservers.
- # do-nat64: no
-
- # NAT64 prefix. Defaults to using dns64-prefix value.
- # nat64-prefix: 64:ff9b::0/96
-
  # Enable UDP, "yes" or "no".
  # NOTE: if setting up an Unbound on tls443 for public use, you might want to
  # disable UDP to avoid being used in DNS amplification attacks.
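Review bot: In the unbound.conf hunk at `@@ -161,8 +161,10 @@`, the newly active `max-udp-size: 3072` allows UDP answers well above the 1232 shown in the commented `# edns-buffer-size: 1232` context line and above the 1232 default that the removed comment documented, so "Helps mitigating DDOS" holds only relative to the 4096 default the new comment cites. Answers of that size are more likely to be IP-fragmented on common path MTUs, and they leave a larger reply available to reflect at a spoofed source address; if limiting amplification is the goal, `max-udp-size: 1232` bounds it more tightly, with larger answers truncated (TC=1) and retried over TCP. The comment should state the reason concretely, for example `# Caps UDP answer size to limit reflection/amplification; larger answers fall back to TCP via TC=1.` The `server:` block starts and ends outside this hunk, so other size or rate-limit settings that might already cover this are not visible here.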
@@ -306,10 +296,6 @@ server:
  # Timeout for EDNS TCP keepalive, in msec.
  # edns-tcp-keepalive-timeout: 120000
 
- # UDP queries that have waited in the socket buffer for a long time
- # can be dropped. Default is 0, disabled. In seconds, such as 3.
- # sock-queue-timeout: 0
-
  # Fedora note: do not activate this - not compiled in because
  # it causes frequent unbound crashes. Also, socket activation
  # is bad when you have things like dnsmasq also running with libvirt.
@@ -543,10 +529,6 @@ server:
  # to validate the zone.
  # harden-algo-downgrade: no
 
- # Harden against unknown records in the authority section and the
- # additional section.
- # harden-unknown-additional: no
-
  # Sent minimum amount of information to upstream servers to enhance
  # privacy. Only sent minimum required labels of the QNAME and set QTYPE
  # to A when possible.
@@ -860,8 +842,6 @@ server:
  # o always_transparent, always_refuse, always_nxdomain, always_nodata,
  # always_deny resolve in that way but ignore local data for
  # that name
- # o block_a resolves all records normally but returns
- # NODATA for A queries and ignores local data for that name
  # o always_null returns 0.0.0.0 or ::0 for any name in the zone.
  # o noview breaks out of that view towards global local-zones.
  #
@@ -1285,10 +1265,6 @@ auth-zone:
 # redis-server-host: 127.0.0.1
 # # redis server's TCP port
 # redis-server-port: 6379
-# # if the server uses a unix socket, set its path, or "" when not used.
-# # redis-server-path: "/var/lib/redis/redis-server.sock"
-# # if the server uses an AUTH password, specify here, or "" when not used.
-# # redis-server-password: ""
 # # timeout (in ms) for communication with the redis server
 # redis-timeout: 100
 # # set timeout on redis records based on DNS response TTL
diff --git a/unbound.spec b/unbound.spec
index 70b2b4f216658ef5a0933f72751fe650dd1989b5..e2ebea355a071524e601fb3e216df2e6e7580734 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -1,7 +1,7 @@
 %{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete}
 
 Name: unbound
-Version: 1.19.0
+Version: 1.17.1
 Release: 1
 Summary: Unbound is a validating, recursive, caching DNS resolver
 License: BSD-3-Clause
@@ -234,12 +234,6 @@ popd
 %{_mandir}/man*
 
 %changelog
-* Tue Dec 26 2023 gaihuiying - 1.19.0-1
-- Type:requirement
-- CVE:NA
-- SUG:NA
-- DESC:update to 1.19.0
-
 * Tue Mar 07 2023 gaihuiying - 1.17.1-1
 - Type:requirement
 - CVE:NA