Bug 2087120

Summary: [rebase] Rebase to 1.16.0
Product: Red Hat Enterprise Linux 9 Reporter: Petr Menšík <pemensik>
Component: unbound Assignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA QA Contact: Petr Sklenar <psklenar>
Severity: unspecified Docs Contact: Šárka Jana <sjanderk>
Priority: unspecified    
Version: 9.1 CC: gfialova, psklenar, sjanderk
Target Milestone: rc Keywords: Rebase, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: unbound-1.16.2-2.el9 Doc Type: Enhancement
Doc Text:
.`unbound` rebased to version 1.16.2

The `unbound` component has been updated to version 1.16.2. `unbound` is a validating, recursive, and caching DNS resolver. Notable improvements include:

* With the ZONEMD Zone Verification with `RFC 8976` support, recipients can now verify the zone contents for data integrity and origin authenticity.
* With `unbound`, you can now configure persistent TCP connections.
* The SVCB and HTTPS types and handling according to the Service binding and parameter specification through the DNS `draft-ietf-dnsop-svcb-https` document were added.
* `unbound` takes the default TLS ciphers from crypto policies.
* You can use a Special-Use Domain `home.arpa.` according to the `RFC8375`. This domain is designated for non-unique use in residential home networks.
* `unbound` now supports selective enabling of `tcp-upstream` queries for stub or forward zones.
* The default of `aggressive-nsec` option is now `yes`.
* The `ratelimit` logic was updated.
* You can use a new `rpz-signal-nxdomain-ra` option for unsetting the `RA` flag when a query is blocked by an Unbound response policy zone (RPZ) nxdomain reply.
* With the basic support for Extended DNS Errors (EDE) according to the `RFC8914`, you can benefit from additional error information.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-15 10:15:56 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1981415, 2023549, 2071543, 2116733, 2116734, 2135933    
Deadline: 2022-06-20   

Description Petr Menšík 2022-05-17 11:23:53 UTC
Description of problem:
I would like to update to the latest version of unbound, 1.15.0. No ABI/API breaks were made; it would be a self-contained change.

Version-Release number of selected component (if applicable):
1.15.0

A few new features since the current 1.13.1 version:

- ZONEMD Zone Verification, with RFC 8976 support.
- Allow configuration of persistent TCP connections.
- Add SVCB and HTTPS types and handling according to draft-ietf-dnsop-svcb-https
- Default TLS ciphers taken from crypto-policies
- RFC8375: Special-Use Domain 'home.arpa.'
- Support for selective enabling of tcp-upstream for stub/forward zones.
- Change aggressive-nsec default to yes.
- Update ratelimit logic.
- Unset the RA bit when a query is blocked by an unbound RPZ nxdomain reply.

And a long list of bug fixes not listed here.


Additional info:
Full changelog: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0

Comment 1 Petr Menšík 2022-06-09 12:11:48 UTC
New release also adds support for EDE.

https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0

Comment 14 errata-xmlrpc 2022-11-15 10:15:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8062