## START: Set by rpmautospec
## (rpmautospec version 0.6.0)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
    release_number = 6;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec

%{?!with_python2:     %global with_python2     0}
%{?!with_python3:     %global with_python3     1}
%{?!with_munin:       %global with_munin       1}
%bcond_without dnstap
%bcond_with    systemd
%bcond_without doh
%bcond_with redis

%global _hardened_build 1

#global extra_version rc1

%if 0%{with_python2}
%global python_primary %{__python2}
%endif

%if 0%{with_python3}
%global python_primary %{__python3}
%endif

%if 0%{?rhel}
%global with_munin   0

%if 0%{?rhel} <= 7
%global with_python3 0
%else
%global with_python2 0
%endif
%endif

Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound
Version: 1.19.3
Release: %autorelease %{?extra_version:-e %{extra_version}}
License: BSD-3-Clause
Url: https://nlnetlabs.nl/projects/unbound/
Source: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz
Source1: unbound.service
Source3: unbound.munin
Source4: unbound_munin_
Source5: root.key
Source7: unbound-keygen.service
Source8: tmpfiles-unbound.conf
Source9: example.com.key
Source10: example.com.conf
Source11: block-example.com.conf
Source12: https://data.iana.org/root-anchors/icannbundle.pem
Source13: root.anchor
Source14: unbound.sysconfig
Source15: unbound-anchor.timer
Source16: unbound-munin.README
Source17: unbound-anchor.service
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
# source: https://nlnetlabs.nl/people/
Source19: https://keys.openpgp.org/pks/lookup?op=get&search=0x9F6F1C2D7E045F8D#/wouter.nlnetlabs.nl.key
Source20: unbound.sysusers

# Downstream configuration changes
Patch1:   unbound-fedora-config.patch
# https://github.com/NLnetLabs/unbound/pull/1048
Patch2:   unbound-1.19-autoconf-m4.patch
# https://github.com/NLnetLabs/unbound/pull/1049
Patch3:   unbound-1.19-python3.12-Py_NoSiteFlag.patch

BuildRequires: gcc, make
BuildRequires: openssl-devel
BuildRequires: libevent-devel expat-devel
BuildRequires: pkgconfig

# Required for configure regeneration
BuildRequires: automake autoconf libtool
BuildRequires: autoconf-archive
# Regenerate config parser too
BuildRequires: bison flex byacc

%if 0%{?fedora}
BuildRequires: gnupg2
%endif
%if 0%{with_python2}
BuildRequires: python2-devel swig
%endif
%if 0%{with_python3}
BuildRequires: python3-devel swig
%endif
%if %{with dnstap}
BuildRequires: fstrm-devel protobuf-c-devel
%endif
%if %{with systemd}
BuildRequires: systemd-devel
%endif
%if %{with doh}
BuildRequires: libnghttp2-devel
%endif
%if %{with redis}
BuildRequires: hiredis-devel
%endif
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9
BuildRequires: systemd-rpm-macros
%else
BuildRequires: systemd
%endif

# Needed because /usr/sbin/unbound links unbound libs staticly
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-anchor%{?_isa} = %{version}-%{release}
Recommends: %{name}-utils%{?_isa} = %{version}-%{release}
# unbound-keygen.service requires it, bug #2116790
Requires: openssl

%description
Unbound is a validating, recursive, and caching DNS(SEC) resolver.

The C implementation of Unbound is developed and maintained by NLnet
Labs. It is based on ideas and algorithms taken from a java prototype
developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also
DNSSEC (secure DNS) validation and stub-resolvers (that do not run
as a server, but are linked into an application) are easily possible.

%if %{with_munin}
%package munin
Summary: Plugin for the munin / munin-node monitoring package
Requires: munin-node
Requires: %{name} = %{version}-%{release}, bc
BuildArch: noarch

%description munin
Plugin for the munin / munin-node monitoring package
%endif

%package devel
Summary: Development package that includes the unbound header files
Requires: %{name}-libs%{?_isa} = %{version}-%{release}, openssl-devel
Requires: pkgconfig

%description devel
The devel package contains the unbound library and the include files

%package libs
Summary: Libraries used by the unbound server and client applications
Recommends: %{name}-anchor
%{?sysusers_requires_compat}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Obsoletes: python2-unbound < 1.9.3
%endif

%description libs
Contains libraries used by the unbound server and client applications.

%package anchor
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: DNSSEC trust anchor maintaining tool

%description anchor
Contains tool maintaining trust anchor using RFC 5011 key rollover algorithm.

%package utils
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Summary: Unbound DNS lookup utilities

%description utils
Contains tools for making DNS queries. Can make queries to DNS servers
also over TLS connection or validate DNSSEC signatures. Similar to
bind-utils.

%if 0%{with_python2}
%package -n python2-unbound
%{?python_provide:%python_provide python2-unbound}
Summary: Python 2 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: unbound-python = %{version}-%{release}
Obsoletes: unbound-python < %{version}-%{release}

%description -n python2-unbound
Python 2 modules and extensions for unbound
%endif

%if 0%{with_python3}
%package -n python3-unbound
Summary: Python 3 modules and extensions for unbound
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%if ! 0%{with_python2}
# Make explicit conflict with no longer provided python package
Conflicts: python2-unbound < 1.9.3
%endif

%description -n python3-unbound
Python 3 modules and extensions for unbound
%endif


%prep
%if 0%{?fedora}
%{gpgverify} --keyring='%{SOURCE19}' --signature='%{SOURCE18}' --data='%{SOURCE0}'
%endif
%global pkgname %{name}-%{version}%{?extra_version}

%if 0%{with_python2} && 0%{with_python3}
%global dir_primary %{pkgname}_python3
%global python_primary %{__python3}
%global dir_secondary %{pkgname}_python2
%global python_secondary %{__python2}
%else
%global dir_primary %{pkgname}
%endif

%autosetup -c -N -n %{pkgname}

pushd %{pkgname}
# patches go here
%autopatch -p2

# copy common doc files - after here, since it may be patched
cp -pr doc pythonmod libunbound ../

%if 0%{?rhel} > 8
  # SHA-1 breaks some tests. Disable just some tests because of that.
  # This got broken in ELN
  ls testdata/*.rpl
  for TEST in autotrust_init_fail autotrust_init_failsig; do
    mv testdata/${TEST}.rpl{,-disabled} 
  done
%endif
popd

%if 0%{with_python2} && 0%{with_python3}
mv %{pkgname} %{dir_primary}
cp -a %{dir_primary} %{dir_secondary}
%endif

%build
# ./configure script common arguments
%global configure_args --with-libevent --with-pthreads --with-ssl \\\
            --disable-rpath --disable-static \\\
            --enable-relro-now --enable-pie \\\
            --enable-subnet --enable-ipsecmod \\\
            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
            --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\
            --enable-sha2 --disable-gost --enable-ecdsa \\\
            --with-rootkey-file=%{_sharedstatedir}/%{name}/root.key \\\
            --with-username=unbound \\\
            --enable-linux-ip-local-port-range \\\


pushd %{dir_primary}

# always regenerate configure
rm -f config.h.in aclocal.m4 configure ltmain.sh
rm -f {ax_pthread,ax_swig_python}.m4
cp -p %{_datadir}/aclocal/{ax_pthread,ax_swig_python}.m4 .
# ensure bison is used to generate fresh parser
rm -f util/configparser.{c,h} util/configlexer.c
autoreconf -fiv

%configure  \
%if 0%{?python_primary:1}
            --with-pythonmodule --with-pyunbound PYTHON=%{python_primary} \
%endif
%if %{with dnstap}
            --enable-dnstap \
%endif
%if %{with systemd}
            --enable-systemd \
%endif
%if %{with doh}
            --with-libnghttp2 \
%endif
%if 0%{?rhel}
            --disable-sha1 \
%endif
%if %{with redis}
            --with-libhiredis \
            --enable-cachedb \
%endif
            %{configure_args}

%make_build
%make_build streamtcp

popd

%if 0%{?python_secondary:1}
pushd %{dir_secondary}
%configure  \
            --with-pythonmodule --with-pyunbound PYTHON=%{python_secondary} \
%if %{with dnstap}
            --enable-dnstap \
%endif
%if %{with systemd}
            --enable-systemd \
%endif
            %{configure_args}

%make_build
popd
%endif


%install
install -p -m 0644 %{SOURCE16} .

%if 0%{?python_secondary:1}
# install first secondary build. It will be overwritten by primary
pushd %{dir_secondary}
%make_install unbound-event-install
popd
%endif

pushd %{dir_primary}
%make_install unbound-event-install
install -m 0755 streamtcp %{buildroot}%{_sbindir}/unbound-streamtcp
install -p -m 0644 doc/example.conf %{buildroot}%{_sysconfdir}/unbound/unbound.conf
popd

install -d -m 0755 %{buildroot}%{_unitdir} %{buildroot}%{_sysconfdir}/sysconfig
install -p -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/unbound.service
install -p -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/unbound-keygen.service
install -p -m 0644 %{SOURCE15} %{buildroot}%{_unitdir}/unbound-anchor.timer
install -p -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/unbound-anchor.service
install -p -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/unbound
install -p -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/sysconfig/unbound
install -p -D -m 0644 %{SOURCE20} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with_munin}
# Install munin plugin and its softlinks
install -d -m 0755 %{buildroot}%{_sysconfdir}/munin/plugin-conf.d
install -p -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/munin/plugin-conf.d/unbound
install -d -m 0755 %{buildroot}%{_datadir}/munin/plugins/
install -p -m 0755 %{SOURCE4} %{buildroot}%{_datadir}/munin/plugins/unbound
for plugin in unbound_munin_hits unbound_munin_queue unbound_munin_memory unbound_munin_by_type unbound_munin_by_class unbound_munin_by_opcode unbound_munin_by_rcode unbound_munin_by_flags unbound_munin_histogram; do
    ln -s unbound %{buildroot}%{_datadir}/munin/plugins/$plugin
done
%endif

pushd %{dir_primary}
# install streamtcp man page
install -m 0644 testcode/streamtcp.1 %{buildroot}/%{_mandir}/man1/unbound-streamtcp.1
install -D -m 0644 contrib/libunbound.pc %{buildroot}/%{_libdir}/pkgconfig/libunbound.pc
popd

# Install tmpfiles.d config
install -d -m 0755 %{buildroot}%{_tmpfilesdir} %{buildroot}%{_sharedstatedir}/unbound
install -m 0644 %{SOURCE8} %{buildroot}%{_tmpfilesdir}/unbound.conf

# install root - we keep a copy of the root key in old location,
# in case user has changed the configuration and we wouldn't update it there
install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/unbound/
install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/unbound/dnssec-root.key
# make initial key static
pushd %{buildroot}%{_sharedstatedir}/unbound
  KEYPATH=$(realpath --relative-to="%{buildroot}%{_sharedstatedir}/unbound" "%{buildroot}%{_sysconfdir}/unbound/dnssec-root.key")
  ln -s "$KEYPATH" root.key
popd

# remove static library from install (fedora packaging guidelines)
rm %{buildroot}%{_libdir}/*.la


%if 0%{with_python2}
rm %{buildroot}%{python2_sitearch}/*.la
%endif

%if 0%{with_python3}
rm %{buildroot}%{python3_sitearch}/*.la
%endif

mkdir -p %{buildroot}%{_rundir}/unbound

# Install directories for easier config file drop in

mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
install -p -m 0644 %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
install -p -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
install -p -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/

# Link unbound-control-setup.8 manpage to unbound-control.8
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8


%pre libs
%sysusers_create_compat %{SOURCE20}

%post
%systemd_post unbound.service
%systemd_post unbound-keygen.service

%post anchor
%systemd_post unbound-anchor.service unbound-anchor.timer
# start the timer only if installing the package to prevent starting it, if it was stopped on purpose
if [ "$1" -eq 1 ]; then
    # the Unit is in presets, but would be started after reboot
    /bin/systemctl start unbound-anchor.timer >/dev/null 2>&1 || :
fi

%preun
%systemd_preun unbound.service
%systemd_preun unbound-keygen.service

%preun anchor
%systemd_preun unbound-anchor.service unbound-anchor.timer

%postun
%systemd_postun_with_restart unbound.service
%systemd_postun unbound-keygen.service

%postun anchor
%systemd_postun_with_restart unbound-anchor.service unbound-anchor.timer

%check
pushd %{dir_primary}
#pushd pythonmod
#make test
#popd

make check

popd

%if 0%{?python_secondary:1}
pushd %{dir_secondary}
#pushd pythonmod
#make test
#popd
make check
popd
%endif


%files
%doc doc/CREDITS doc/FEATURES
%{_unitdir}/%{name}.service
%{_unitdir}/%{name}-keygen.service
%attr(0755,unbound,unbound) %dir %{_rundir}/%{name}
%attr(0644,root,root) %{_tmpfilesdir}/unbound.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/keys.d/*.key
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/conf.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/conf.d/*.conf
%dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/local.d
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/local.d/*.conf
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_control.key
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.pem
%ghost %attr(0640,root,unbound) %{_sysconfdir}/%{name}/unbound_server.key
%{_sbindir}/unbound
%{_sbindir}/unbound-checkconf
%{_sbindir}/unbound-control
%{_sbindir}/unbound-control-setup
%{_mandir}/man5/*
%exclude %{_mandir}/man8/unbound-anchor*
%{_mandir}/man8/*

%if 0%{with_python2}
%files -n python2-unbound
%license pythonmod/LICENSE
%{python2_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif

%if 0%{with_python3}
%files -n python3-unbound
%license pythonmod/LICENSE
%{python3_sitearch}/*
%doc libunbound/python/examples/*
%doc pythonmod/examples/*
%endif

%if 0%{with_munin}
%files munin
%doc unbound-munin.README
%config(noreplace) %{_sysconfdir}/munin/plugin-conf.d/unbound
%{_datadir}/munin/plugins/unbound*
%endif

%files devel
%{_libdir}/libunbound.so
%{_includedir}/unbound.h
%{_includedir}/unbound-event.h
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%files libs
%doc doc/README
%license doc/LICENSE
%attr(0755,root,root) %dir %{_sysconfdir}/%{name}
%{_sysusersdir}/%{name}.conf
%{_libdir}/libunbound.so.8*
%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}
%config(noreplace) %verify(not link user group) %{_sharedstatedir}/%{name}/root.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/dnssec-root.key

%files anchor
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_sbindir}/unbound-anchor
%{_mandir}/man8/unbound-anchor*
# icannbundle and root.key(s) should be replaced from package
# intentionally not using noreplace
%config %{_sysconfdir}/%{name}/icannbundle.pem
%{_unitdir}/unbound-anchor.timer
%{_unitdir}/unbound-anchor.service

%files utils
%{_sbindir}/unbound-host
%{_sbindir}/unbound-streamtcp
%{_mandir}/man1/unbound-*

%changelog
## START: Generated by rpmautospec
* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-6
- Prevent executable bit on configuration files

* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-5
- Always regenerate config parser

* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-4
- Correct python3.12 warning

* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-3
- Use newer swig m4 configuration

* Mon Apr 15 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-2
- Harden autoconf re-generation

* Fri Apr 12 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-1
- Update to 1.19.3 (rhbz#2268404)
- Fix CVE-2024-1931, Denial of service when trimming EDE text on positive
  replies. (rhbz#2268419)
- Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672.
- Bug fixes

* Sat Mar 09 2024 Paul Wouters <paul.wouters@aiven.io> - 1.19.1-4
- Add spec file comment

* Fri Mar 01 2024 Paul Wouters <paul.wouters@aiven.io> - 1.19.1-3
- Fix trim of EDE text from large udp responses from spinning cpu.

* Tue Feb 13 2024 Petr Menšík <pemensik@redhat.com> - 1.19.1-2
- Ensure only unbound group members can make changes

* Tue Feb 13 2024 Paul Wouters <paul.wouters@aiven.io> - 1.19.1-1
- Update to 1.19.1 for CVE-2023-50387, CVE-2023-50868

* Mon Jan 29 2024 Petr Menšík <pemensik@redhat.com> - 1.19.0-8
- Always auto-restart on crash events

* Mon Jan 29 2024 Petr Menšík <pemensik@redhat.com> - 1.19.0-7
- Update address of b.root-servers.net (#2253461)

* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.19.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

* Thu Nov 02 2023 Petr Menšík <pemensik@redhat.com> - 1.19.0-1
- Update to 1.19.0 (#2248686)

* Wed Sep 06 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-2
- Skip failing tests on ELN builds

* Fri Sep 01 2023 Petr Menšík <pemensik@redhat.com> - 1.18.0-1
- Update to 1.18.0 (#2236097)

* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.17.1-3
- Rebuilt for Python 3.12

* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.17.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

* Fri Jan 13 2023 Paul Wouters <paul.wouters@aiven.io - 1.17.1-1
- Resolved rhbz#2160397 unbound-1.17.1 is available (bugfix release)
- Add support for building with redis

* Thu Dec 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-2
- Move unbound user creation to libs (#2149036)
- Use systemd-sysusers for user creation (#2105416)
- Keep original DNSSEC root key as config (#2132103)

* Tue Nov 01 2022 Petr Menšík <pemensik@redhat.com> - 1.17.0-1
- Update to 1.17.0 (#2134348)

* Wed Oct 05 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-3
- Correct issues made by unbound-anchor package split (#2110858)

* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-2
- Update License tag to SPDX identifier

* Fri Sep 23 2022 Petr Menšík <pemensik@redhat.com> - 1.16.3-1
- Update to 1.16.3 (#2128638)

* Tue Aug 09 2022 Paul Wouters <pwouters@redhat.com> - 1.16.2-3
- sync up to upstream unbound.conf
- Enable Extended DNS Error codes (RFC8914)

* Tue Aug 09 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-2
- Require openssl tool for unbound-keygen (#2116790)

* Wed Aug 03 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-1
- Update to 1.16.2 (#2105947) for CVE-2022-30698 and CVE-2022-30699

* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.16.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Mon Jun 27 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-6
- Move unbound-anchor to separate package
- Move unbound-host and unbound-streamtcp to unbound-utils package

* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.16.0-5
- Rebuilt for Python 3.11

* Tue Jun 07 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-4
- Restart keygen service before every unbound start

* Sat Jun 04 2022 Petr Menšík <pemensik@redhat.com> - 1.16.0-1
- Update to 1.16.0

* Tue Apr 26 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-3
- Stop creating wrong devel manual pages (#2078929)

* Wed Apr 20 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-2
- Update icannbundle.pem

* Tue Mar 29 2022 Petr Menšík <pemensik@redhat.com> - 1.15.0-1
- Update to 1.15.0 (#2030608)

* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-4
- Rebuilt for protobuf 3.19.0

* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.13.2-3
- Rebuilt for protobuf 3.18.1

* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.13.2-2
- Rebuilt with OpenSSL 3.0.0

* Thu Aug 12 2021 Paul Wouters <paul.wouters@aiven.io> - 1.13.2-1
- Resolves: rhbz#1992985 unbound-1.13.2 is available
- Use system-wide crypto policies

* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 1.13.1-7
- Rebuilt for Python 3.10

* Fri Apr 23 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-6
- Option --enable-linux-ip-local-port-range added to use system configured port range for libunbound on Linux
- Resolves: rhbz#1935101

* Tue Apr 13 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-5
- Fix unbound.service to use After=network-online.target

* Tue Apr 06 2021 Artem Egorenkov <aegorenk@redhat.com> - 1.13.1-4
- Don't start unbound-anchor before unbound service if DISABLE_UNBOUND_ANCHOR
  environment variable equals to "yes"

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.13.1-3
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.

* Mon Feb 15 2021 Victor Stinner <vstinner@python.org> - 1.13.1-2
- Fix build on Python 3.10 (rhbz#1889726).

* Wed Feb 10 2021 Paul Wouters <pwouters@redhat.com> - 1.13.1-1
- Resolves rhbz#1860887 unbound-1.13.1 is available
- Fixup unbound.conf

* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Thu Dec 10 2020 Petr Menšík <pemensik@redhat.com> - 1.13.0-1
- Update to 1.13.0

* Tue Oct 13 2020 Petr Menšík <pemensik@redhat.com> - 1.12.0-1
- Update to 1.12.0 (#1860887)

* Tue Sep 15 2020 Petr Menšík <pemensik@redhat.com> - 1.10.1-5
- Move command line tools to utils subpackage

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 1.10.1-3
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro

* Fri May 22 2020 Miro Hrončok <mhroncok@redhat.com> - 1.10.1-2
- Rebuilt for Python 3.9

* Tue May 19 2020 Paul Wouters <pwouters@redhat.com> - 1.10.1-1
- Resolves: rhbz#1837279 unbound-1.10.1 is available
- Resolves: rhbz#1837598 CVE-2020-12662 unbound: insufficient control of network message volume leads to DoS
- Resolves: rhbz#1837609 CVE-2020-12663 unbound: infinite loop via malformed DNS answers received from upstream servers
- Updated unbound.conf for new options in 1.10.1

* Wed Apr 29 2020 Paul Wouters <pwouters@redhat.com> - 1.10.0-3
- Resolves: rhbz#1667742 SELinux is preventing unbound from 'name_bind' accesses on the udp_socket port 61000.

* Thu Apr 16 2020 Artem Egorenkov <aegorenk@redhat.com> - 1.10.0-2
- Resolves: rhbz#1824536 unbound crash

* Thu Mar 19 2020 Petr Menšík <pemensik@redhat.com> - 1.10.0-1
- Update to 1.10.0 (#1805199)

* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Fri Dec 13 2019 Paul Wouters <pwouters@redhat.com> - 1.9.6-1
- Resolves: rhbz#1758107 unbound-1.9.5 is available
- Resolves: CVE-2019-18934

* Fri Nov 01 2019 Paul Wouters <pwouters@redhat.com> - 1.9.4-1
- Fix build on rhel/centos systems
- Resolves: rhbz#1767955 (CVE-2019-16866) uninitialized memory accesses leads to crash via a crafted NOTIFY query

* Thu Sep 26 2019 Petr Menšík <pihhan@gmail.com> - 1.9.3-2
- Obsolete no longer provided python2 subpackage (#1749400)

* Tue Aug 27 2019 Paul Wouters <pwouters@redhat.com> - 1.9.3-1
- Updated to 1.9.3
- Resolves: rhbz#1672578 unbound-1.9.2 is available
- Resolves: rhbz#1694831 [/usr/lib/tmpfiles.d/unbound.conf:1] Line references path below legacy directory /var/run/
- Resolves: rhbz# 1667387 [abrt] unbound: memmove(): unbound killed by SIGABRT

* Thu Aug 22 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-8
- Subpackage python2-unbound has been removed
  See https://fedoraproject.org/wiki/Changes/Mass_Python_2_Package_Removal

* Thu Aug 15 2019 Miro Hrončok <mhroncok@redhat.com> - 1.8.3-7
- Rebuilt for Python 3.8

* Mon Aug  5 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.8.3-6
- Drop install-time requirements on systemd (#1723777)

* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Fri Jan 11 2019 Paul Wouters <pwouters@redhat.com> - 1.8.3-3
- Remove KSK-2010 from configs - it has been revoked

* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-2
- Another dns64 fixup

* Wed Dec 12 2018 Paul Wouters <pwouters@redhat.com> - 1.8.3-1
- Updated to 1.8.3 with fixes the dns64 bug and has some other minor fixes

* Mon Dec 10 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-2
- Fix dns64 allocation in wrong region for returned internal queries.

* Tue Dec 04 2018 Paul Wouters <pwouters@redhat.com> - 1.8.2-1
- Updated to 1.8.2.
- Enabled deny ANY query support and edns-tcp-keepalive
- Set serve-stale timeout to 4h
- Updated unbound.conf for latest options

* Mon Oct 22 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-2
- Allow group by default to unbound-control (#1640259)

* Mon Oct 08 2018 Petr Menšík <pemensik@redhat.com> - 1.8.1-1
- Update to 1.8.1

* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-2
- Skip ipv6 forwarders without ipv6 support (#1633874)

* Wed Sep 19 2018 Petr Menšík <pemensik@redhat.com> - 1.8.0-1
- Rebase to 1.8.0

* Tue Aug 14 2018 Paul Wouters <pwouters@redhat.com> - 1.7.3-9
- Fix for restarting unbound service after deleting key/pem files for remote control

* Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
- Release memory in unbound-host

* Mon Jul 23 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-7
- Remove unused Group tag

* Wed Jul 18 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-6
- Cleanup generated client and server keys (#1601773)

* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.3-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Mon Jul 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-4
- Do not call ldconfig if possible

* Wed Jul 04 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-3
- Update trust anchors also behind firewall (#1598078)

* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.3-2
- Rebuilt for Python 3.7

* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-1
- Update to 1.7.3 (#1593708)

* Wed Jun 27 2018 Petr Menšík <pemensik@redhat.com> - 1.7.2-3
- Remove last python2 dependency from python3 build

* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.7.2-2
- Rebuilt for Python 3.7

* Mon Jun 11 2018 Paul Wouters <pwouters@redhat.com> - 1.7.2-1
- Resolves rhbz#1589807 unbound-1.7.2 is available
- Add patch to fix stub/forward zone not returning ServFail when TTL expires
- Enabled the new root-key-sentinel option

* Wed May 30 2018 Petr Menšík <pemensik@redhat.com> - 1.7.1-1
- Update to 1.7.1 (#1574495)

* Mon Apr 09 2018 Petr Menšík <pemensik@redhat.com> - 1.7.0-5
- Require gcc and make on build
- Remove group, simplify systemd requires
- Simplify building with single python version, make python3 primary

* Mon Apr 09 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-4
- Patch for prefetching after flushing cache

* Fri Apr 06 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-3
- Patch for referral with auth-zone: response


* Wed Mar 21 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-2
- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry

* Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1
- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)

* Thu Feb 22 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-6
- Uncomment again original max-upd-size

* Wed Feb 21 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-5
- Use default RPM build flags and configure parameters (#1539097)

* Wed Feb 21 2018 Petr Menšík <pemensik@redhat.com> - 1.6.8-4
- Remove group writable bit from some config files (#1528445)

* Wed Feb 14 2018 Filipe Rosset <rosset.filipe@gmail.com> - 1.6.8-3
- rebuilt due new libevent 2.1.8

* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.6.8-2
- Escape macros in %%changelog

* Mon Jan 22 2018 Paul Wouters <pwouters@redhat.com> - 1.6.8-1
- Resolves rhbz#1483572 unbound-1.6.8 is available
- Resolves rhbz#1507049 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records
- Resolves rhbz#1536518 CVE-2017-15105 unbound: Improper validation of wildcard synthesized NSEC records [fedora-all]

* Sun Dec 17 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.6.7-2
- Python 2 binary package renamed to python2-unbound
  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3

* Thu Oct 12 2017 Paul Wouters <pwouters@redhat.com> - 1.6.7-1
- Updated to 1.6.7 (minor bugfixes)

* Tue Oct 03 2017 Petr Menšík <pemensik@redhat.com> - 1.6.6-3
- Update icannbundle.pem

* Mon Oct 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-2
- Enable RFC 8145 Trust Anchor Signaling to help the root zone get keytag statistics

* Fri Sep 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.6-1
- Resolves: rhbz#1483572 unbound-1.6.6 is available
- Resolves: rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook (edit)

* Wed Aug 16 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-4
- Rebuilt with KSK2017 added to root.key and root.anchor
- Remove noreplace for root key files. We can only improve these files over local copies

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Sun Jul 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-1
- Updated to 1.6.4 full release, patch to allow missing ipsechook
- Resolves rhbz#1465575 unbound fails to start up, complains about missing ipsecmod-hook

* Thu Jun 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.4-0.rc2
- Update to 1.6.4 (esubnet, ipsecmod support, bugfixes)

* Tue Jun 13 2017 Paul Wouters <pwouters@redhat.com> - 1.6.3-1
- Updated to 1.6.3 (fixes assertion failure when receiving malformed packet with 0x20 enabled)

* Thu Jun 08 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-2
- Patch for cmd: unbound-control set_option val-permissive-mode: yes

* Wed Apr 26 2017 Paul Wouters <pwouters@redhat.com> - 1.6.2-1
- Update to 1.6.2 (rhbz#1425649)
- Updated unbound.conf with new options

* Wed Mar 22 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-6
- Call make unbound-event-install to install unbound-event.h

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Wed Jan 18 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-4
- Remove obsoleted DLV key

* Mon Jan 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-3
- Actually remove dependency because minimum is always satisfied

* Mon Jan 02 2017 Paul Wouters <pwouters@redhat.com> - 1.6.0-2
- Depend on openssl-libs, not opensl

* Wed Dec 21 2016 Kevin Fenzi <kevin@scrye.com> - 1.6.0-1
- Update to 1.6.0

* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 1.5.10-3
- Rebuild for Python 3.6

* Wed Oct 26 2016 Ilya Evseev <evseev.i@cdnnow.ru> - 1.5.10-2
- Bugfix building without python2 and python3
- Fixup streamtcp build (Paul)

* Tue Sep 27 2016 Paul Wouters <pwouters@redhat.com> - 1.5.10-1
- Updated to 1.5.10 (better TCP handling, bugfixes)
- Install pkgconfig file in -devel package
- Updated unbound.conf

* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.9-4
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages

* Thu Jul 07 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-3
- Fix upper port range to 60999 because that's what selinux allows

* Thu Jun 16 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-2
- Patch for allowing more queries before failure (needed for query minimalization)

* Mon Jun 13 2016 Paul Wouters <pwouters@redhat.com> - 1.5.9-1
- Updated to 1.5.9

* Thu Apr 21 2016 Toshio Kuratomi <toshio@fedoraproject.org> - 1.5.8-2
- Fix streamtcp to link against libpython3.x instead of libpython2.x

* Wed Mar 02 2016 Paul Wouters <pwouters@redhat.com> - 1.5.8-1
- Update to 1.5.8 (rhbz#1313831) which incorporates rhbz#1294339 patch
- Updated unbound.conf with new upstream options
- Enabled ip-transparent: yes (see rhbz#1291449)

* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Jan 21 2016 Tomas Hozza <thozza@redhat.com> - 1.5.7-2
- Fix escaping of shell chars in unbound-control-setup (#1294339)

* Fri Dec 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.7-1
- Update to 1.5.7
- Enable query minimalization for enhanced DNS query privacy
- Enable nxdomain hardening to assist with query minimalization and SBLs
- Updated default unbound.conf for new features from upstream.

* Fri Nov 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.6-1
- Update to 1.5.6 (#1176729)

* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.5.5-2
- Rebuilt for Python3.5 rebuild

* Wed Oct 07 2015 Tomas Hozza <thozza@redhat.com> - 1.5.5-1
- New upstream release 1.5.5 (#1269137)
- Removed the anchor update from %%post section of -libs subpackage (#1269137#c2)

* Tue Sep 15 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-5
- Removed dependency and ordering on unbound-anchor.service in unbound.service

* Thu Sep 03 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-4
- Prefer Python3 build over Python2 build for now (#1254566)

* Mon Jul 20 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-3
- Added ExecReload section to unbound.service (#1195785)
- Removed After syslog.target since it is not needed any more

* Thu Jul 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.4-2
- Start unbound-anchor.timer only on new installations
- Rename root.anchor to root.key in %%post section

* Tue Jul 14 2015 Paul Wouters <pwouters@redhat.com> - 1.5.4-1
- Update to 1.5.4
- Removed patches merged into upstream

* Tue Jun 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-8
- Revert: Use low maximum negative cache TTL (5 sec) (#1229596)

* Mon Jun 15 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-7
- Add option for maximum negative cache TTL (#1229599)
- Use low maximum negative cache TTL (5 sec) (#1229596)

* Tue May 26 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-6
- Removed usage of DLV from the default configuration (#1223363)

* Wed May 13 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-5
- unbound.service now Wants unbound-anchor.timer
- unbound-anchor man page moved to the unbound-libs

* Mon May 11 2015 Paul Wouters <pwouters@redhat.com> - 1.5.3-4
- Fixup scriptlets causing systemctl: command not found
- Resolves rhbz#1219587 Error in PREIN scriptlet in rpm package unbound-libs

* Mon Apr 27 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-3
- migrate cronjob to systemd timer unit (#1177285)
- change the period for unbound-anchor from monthly to daily (#1180267)
- Thanks to Tomasz Torcz <ttorcz@fedoraproject.org> for the initial patch

* Thu Apr 16 2015 Tomas Hozza <thozza@redhat.com> - 1.5.3-2
- Fix FTBFS (#1206129)
- Build python3-unbound and python-unbound bindings for Python 3 and 2 (#1188080)

* Mon Mar 16 2015 Paul Wouters <pwouters@redhat.com> - 1.5.3-1
- Updated to 1.5.3 which is a bugfix on 1.5.2 for sighup handling
- Updated to 1.5.2 which fixes DNSSEC validation with different
  trust anchors upstream, local-zone has a new keyword 'inform'

* Mon Feb 02 2015 Paul Wouters <pwouters@redhat.com> - 1.5.1-4
- Build with --enable-ecdsa

* Sun Feb 01 2015 Paul Wouters <pwouters@redhat.com> - 1.5.1-3
- Fix post to create root.anchor, not root.key, to match cron job

* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.5.1-2
- Change systemd-units to systemd
- Use _tmpfilesdir macro, don't mark tmpfiles as config

* Tue Dec 09 2014 Paul Wouters <pwouters@redhat.com> - 1.5.1-1
- Update to 1.5.1 for CVE-2014-8602 (rhbz#1172066)
- Removed unbound-aarch64.patch which was merged upstream
- Don't require autotools for non snapshots or run autoreconf

* Fri Nov 28 2014 Tomas Hozza <thozza@redhat.com> - 1.5.1-0.1.rc1
- update to 1.5.1rc1

* Fri Nov 28 2014 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 1.5.0-3
- fix build on aarch64

* Wed Nov 26 2014 Tomas Hozza <thozza@redhat.com> - 1.5.0-2
- Fix race condition in arc4random (#1166878)

* Wed Nov 19 2014 Tomas Hozza <thozza@redhat.com> - 1.5.0-1
- update to 1.5.0

* Wed Sep 24 2014 Pavel Å imerda <psimerda@redhat.com> - 1.4.22-6
- Resolves: #1115489 - build with python 3.x for fedora >= 22

* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 1.4.22-5
- Rebuild for rpm bug 1131960

* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.22-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Thu May 01 2014 Paul Wouters <pwouters@redhat.com> - 1.4.22-2
- Added flushcache patch (SVN commit 3125)

* Thu Mar 13 2014 Paul Wouters <pwouters@redhat.com> - 1.4.22-1
- Updated to 1.4.22
- No longer requires the ldns library

* Thu Jan 16 2014 Tomas Hozza <thozza@redhat.com> - 1.4.21-3
- Fix segfault on adding insecure forward zone when using only iterator (#1054192)

* Mon Oct 21 2013 Tomas Hozza <thozza@redhat.com> - 1.4.21-2
- run test suite during the build

* Thu Sep 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.21-1
- Updated to 1.4.21,
- Enabled new max-udp-size: 3072 (so ANY isc.org won't fit)
- Removed patched merged in by upstream
- Enable statistics-cumulative for munin-plugin
- Added outgoing-port-avoid: 0-32767 conformant to SElinux restrictions
- Updated unbound.conf

* Mon Aug 26 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-19
- Fix errors found by static analysis of source

* Mon Aug 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-18
- Change unbound.conf to only use ephemeral ports (32768-65535)

* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.20-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Mon Jul 22 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-16
- provide man page for unbound-streamtcp

* Mon Jul 08 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-15
- Re-introduce hardening flags for full relro and pie
- Fixes compilation failure for python module

* Wed Jul 03 2013 Tomas Hozza <thozza@redhat.com> - 1.4.20-14
- remove missing unbound-rootkey.service from post/preun/postun sections
- don't hardcode hardening flags, let hardened build macro handles it

* Sat Jun 01 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-13
- Run unbound-anchor as user unbound in unbound.service

* Tue May 28 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-12
- Enable round-robin (with noths() patch)
- Change cron and systemd service to use root.key, not root.anchor

* Sat May 25 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-10
- Use /var/lib/unbound/root.key (more consistent with other distros)
- Enable minimal responses

* Mon Apr 22 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-8
- Refix

* Fri Apr 19 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-7
- Fix runuser call in post.

* Tue Apr 16 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-6
- /var/lib/unbound should be owned by unbound. group write is not enough

* Fri Apr 12 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-5
- Fix cron job syntax (rhbz#951725)
- Use install -p to prevent .rpmnew files that are identical to originals

* Mon Apr 8 2013 Paul Wouters <pwouters@redhat.com> - 1.4.20-4
- Updated to 1.4.20
- Build with full RELRO (not use -z,relro but with -z,relo,-z,now)
- Fixup man page for unbound-control-setup
- unbound.service should start before nss-lookup.target (rhbz#919955)
- Removed patch for rhbz#888759 merged in upstream
- Move root.anchor to /var/lib/unbound to make selinux policy easier for updating (rhbz#896599/rhbz#891008)
- Move cronjob for root.anchor from unbound to unbound-libs, require crontabs
- /etc/unbound (and all) should be owned by unbound-libs (rhbz#909691)
- Remove Obsolete/Provides for dnssec-conf which was last seen in f13
- Ensure any unbound-anchor failure in post is ignored

* Tue Mar 05 2013 Adam Tkac <atkac redhat com> - 1.4.19-5
- build with full RELRO
- symlink unbound-control-setup.8 manpage to unbound-control.8

* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Wed Dec 12 2012 Paul Wouters <pwouters@redhat.com> - 1.4.19-3
- Updated to 1.4.19 - this integrates all existing patches
- Patch for unbound-anchor (rhbz#888759)

* Fri Nov 09 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-6
- Patch to ensure stube-zone's aren't lost when using dnssec-triggerd
- added unbound-munin.README file

* Wed Sep 26 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-5
- Patch to allow wildcards in include: statements
- Add directories /etc/unbound/keys.d,conf.d,local.d with
  example entries
- Added /etc/unbound/root.anchor, maintained by unbound-anchor
  which is installed as monthly cron and PreExec in systemd config
  (root.key is unused, but left installed in case people depend on it)
- Native systemd (simple) and /etc/sysconfig/unbound support
- Run unbound-checkconf in PreExec
- Moved trust anchor related files to unbound-libs, as they can
  be used without the daemon.
- sub packages now depends on base package of same arch
- Build munin package as noarch
- unbound-anchor moved to unbound-libs package. It is needed
  to update the root.anchor key file.

* Tue Sep 04 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-3
- Fix openssl thread locking bug under high query load

* Thu Aug 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-2
- Use new systemd-rpm macros (rhbz#850351)
- Clean up old obsoleted dnssec-conf from < fedora 15

* Fri Aug 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.18-1
- Updated to 1.4.18 (FIPS related fixes mostly)
- Removed patches that were merged in upstream
- Added comment to root.key

* Mon Jul 23 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-5
- Fix for unbound crasher (upstream bug #452)
- Support libunbound functions in man pages and place in -devel

* Sun Jul 22 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.17-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Tue Jul 03 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-3
- unbound FIPS patches for MD5,randomness (rhbz#835106)

* Fri Jun 15 2012 Adam Tkac <atkac redhat com> - 1.4.17-2
- don't build unbound-munin on RHEL

* Thu May 24 2012 Paul Wouters <pwouters@redhat.com> - 1.4.17-1
- Updated to 1.4.17 (which mostly brings in patches we already
  applied from svn trunk)

* Wed Feb 29 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-3
- Since the daemon links to the libs staticly, add Requires:
  (this is rhbz#745288)
- Package up streamtcp as unbound-streamtcp (for monitoring)

* Mon Feb 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.16-2
- Don't ghost the directory (rhbz#788805)
- Patch for unbound to support unbound-control forward_zone
  (needed for openswan in XAUTH mode)

* Thu Feb 02 2012 Paul Wouters <paul@nohats.ca> - 1.4.16-1
- Upgraded to 1.4.16, which was relesed due to the soname
  and some DNSSEC validation failures

* Wed Feb 01 2012 Paul Wouters <paul@nohats.ca> - 1.4.15-2
- Patch for SONAME version (libtool's -version-number vs -version-info)

* Fri Jan 27 2012 Paul Wouters <pwouters@redhat.com> - 1.4.15-1
- Upgraded to 1.4.15
- Updated unbound.conf to show how to configure listening on tls443

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Mon Dec 19 2011 Paul Wouters <paul@cypherpunks.ca> - 1.4.14-1
- Upgraded to 1.4.14 for CVE-2011-4528 / VU#209659
- SSL-wrapped query support for dnssec-trigger
- EDNS handling changes
- Removed integrated EDNS patches
- Disabled use-caps-for-id, GoDaddy domains now break on it
- Enabled new harden-below-nxdomain

* Thu Sep 15 2011 Paul Wouters <paul@xelerance.com> - 1.4.13-1
- Upgraded to 1.4.13
- Removed merged in pythonmod patch
- Added EDNS1480 patch to fix unbound on broken EDNS/UDP networks
- Fix python to go into sitearch instead of sitelib

* Wed Sep 14 2011 Tom Callaway <spot@fedoraproject.org> - 1.4.12-4
- convert to systemd, tmpfiles.d

* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-3
- Added pythonmod docs and examples

* Mon Aug 08 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-2
- Fix for python module load in the server (Tom Hendrikx)
- No longer enable --enable-debug as it causes degraded  performance
  under load.

* Mon Jul 18 2011 Paul Wouters <paul@xelerance.com> - 1.4.12-1
- Updated to 1.4.12

* Sun Jul 03 2011 Paul Wouters <paul@xelerance.com> - 1.4.11-1
- Updated to 1.4.11
- removed integrated CVE patch
- updated stock unbound.conf for new options introduced

* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.10-1
- Added ghost for /var/run/unbound (bz#656710)

* Mon Jun 06 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-3
- rebuilt

* Wed May 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-2
- Applied patch for CVE-2011-1922 DoS vulnerability

* Sun Mar 27 2011 Paul Wouters <paul@xelerance.com> - 1.4.9-1
- Updated to 1.4.9

* Sat Feb 12 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-2
- rebuilt

* Tue Jan 25 2011 Paul Wouters <paul@xelerance.com> - 1.4.8-1
- Updated to 1.4.8
- Enable root key for DNSSEC
- Fix unbound-munin to use proper file (could cause excessive logging)
- Build unbound-python per default
- Disable gost as Fedora/EPEL does not allow ECC and has mangled openssl

* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-4
- Revert last build - it was on the wrong branch

* Tue Oct 26 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-3
- Disable do-ipv6 per default - causes severe degradation on non-ipv6 machines
  (see comments in inbound.conf)

* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-2
- Bump release - forgot to upload the new tar ball.

* Tue Jun 15 2010 Paul Wouters <paul@xelerance.com> - 1.4.5-1
- Upgraded to 1.4.5

* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-2
- Added accidentally omitted svn patches to cvs

* Mon May 31 2010 Paul Wouters <paul@xelerance.com> - 1.4.4-1
- Upgraded to 1.4.4 with svn patches
- Obsolete dnssec-conf to ensure it is de-installed

* Thu Mar 11 2010 Paul Wouters <paul@xelerance.com> - 1.4.3-1
- Update to 1.4.3 that fixes 64bit crasher

* Tue Mar 09 2010 Paul Wouters <paul@xelerance.com> - 1.4.2-1
- Updated to 1.4.2
- Updated unbound.conf with new options
- Enabled pre-fetching DNSKEY records (DNSSEC speedup)
- Enabled re-fetching popular records before they expire
- Enabled logging of DNSSEC validation errors

* Mon Mar 01 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-5
- Overriding -D_GNU_SOURCE is no longer needed. This fixes DSO issues
  with pthreads

* Wed Feb 24 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-3
- Change make/configure lines to attempt to fix -lphtread linking issue

* Thu Feb 18 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-2
- Removed dependancy for dnssec-conf
- Added ISC DLV key (formerly in dnssec-conf)
- Fixup old DLV locations in unbound.conf file via %%post
- Fix parent child disagreement handling and no-ipv6 present [svn r1953]

* Tue Jan 05 2010 Paul Wouters <paul@xelerance.com> - 1.4.1-1
- Updated to 1.4.1
- Changed %%define to %%global

* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-2
- Bump version

* Thu Oct 08 2009 Paul Wouters <paul@xelerance.com> - 1.3.4-1
- Upgraded to 1.3.4. Security fix with validating NSEC3 records

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.3.3-2
- rebuilt with new openssl

* Mon Aug 17 2009 Paul Wouters <paul@xelerance.com> - 1.3.3-1
- Updated to 1.3.3

* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-2
- Added missing glob patch to cvs
- Place python macros within the %%with_python check

* Sat Jun 20 2009 Paul Wouters <paul@xelerance.com> - 1.3.0-1
- Updated to 1.3.0
- Added unbound-python sub package. disabled for now
- Patch from svn to fix DLV lookups
- Patches from svn to detect wrong truncated response from BIND 9.6.1 with
  minimal-responses)
- Added Default-Start and Default-Stop to unbound.init
- Re-enabled --enable-sha2
- Re-enabled glob.patch

* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-7
- unbound-iterator.patch was not commited

* Wed May 20 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-6
- Fix for https://bugzilla.redhat.com/show_bug.cgi?id=499793

* Tue Mar 17 2009 Paul Wouters <paul@xelerance.com> - 1.2.1-5
- Use --nocheck to avoid giving an error on missing unbound-remote certs/keys

* Tue Mar 10 2009 Adam Tkac <atkac redhat com> - 1.2.1-4
- enable DNSSEC only if it is enabled in sysconfig/dnssec

* Mon Mar 09 2009 Adam Tkac <atkac redhat com> - 1.2.1-3
- add DNSSEC support to initscript and enabled it per default
- add requires dnssec-conf

* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Tue Feb 10 2009 Paul Wouters <paul@xelerance.com - 1.2.1-1
- updated to 1.2.1

* Sun Jan 18 2009 Tomas Mraz <tmraz@redhat.com> - 1.2.0-2
- rebuild with new openssl

* Wed Jan 14 2009 Paul Wouters <paul@xelerance.com - 1.2.0-1
- Updated to 1.2.0
- Added dependancy on minimum SSL for CVE-2008-5077
- Added dependancy on bc for unbound-munin
- Added minimum requirement of libevent 1.4.5. Crashes with older versions
  (note: libevent is stale in EL-4 and not in EL-5, needs fixing there)
- Removed dependancy on selinux-policy (will get used when available)
- Enable options as per draft-wijngaards-dnsext-resolver-side-mitigation-00.txt
- Enable unwanted-reply-threshold to mitigate against a Kaminsky attack
- Enable val-clean-additional to drop addition unsigned data from signed
  response.
- Removed patches (got merged into upstream)

* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-7
- Modified scandir patch to silently fail when wildcard matches nothing
- Patch to allow unbound-checkconf to find empty wildcard matches

* Mon Jan  5 2009 Paul Wouters <paul@xelerance.com> - 1.1.1-6
- Added scandir patch for trusted-keys-file: option, which
  is used to load multiple dnssec keys in bind file format

* Mon Dec  8 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-4
- Added Requires: for selinux-policy >= 3.5.13-33 for proper SElinux rules.

* Mon Dec  1 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-3
- We did not own the /etc/unbound directory (#474020)
- Fixed cvs anomalies

* Fri Nov 28 2008 Adam Tkac <atkac redhat com> - 1.1.1-2
- removed all obsolete chroot related stuff
- label control certs after generation correctly

* Thu Nov 20 2008 Paul Wouters <paul@xelerance.com> - 1.1.1-1
- Updated to unbound 1.1.1 which fixes a crasher and
  addresses nlnetlabs bug #219

* Wed Nov 19 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-3
- Remove the chroot, obsoleted by SElinux
- Add additional munin plugin links supported by unbound plugin
- Move configuration directory from /var/lib/unbound to /etc/unbound
- Modified unbound.init and unbound.conf to account for chroot changes
- Updated unbound.conf with new available options
- Enabled dns-0x20 protection per default

* Wed Nov 19 2008 Adam Tkac <atkac redhat com> - 1.1.0-2
- unbound-1.1.0-log_open.patch
  - make sure log is opened before chroot call
  - tracked as http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=219
- removed /dev/log and /var/run/unbound and /etc/resolv.conf from
  chroot, not needed
- don't mount files in chroot, it causes problems during updates
- fixed typo in default config file

* Fri Nov 14 2008 Paul Wouters <paul@xelerance.com> - 1.1.0-1
- Updated to version 1.1.0
- Updated unbound.conf's statistics options and remote-control
  to work properly for munin
- Added unbound-munin package
- Generate unbound remote-control  key/certs on first startup
- Required ldns is now 1.4.0

* Wed Oct 22 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-5
- Only call ldconfig in -libs package
- Move configure into build section
- devel subpackage should only depend on libs subpackage

* Tue Oct 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-4
- Fix CFLAGS getting lost in build
- Don't enable interface-automatic:yes because that
  causes unbound to listen on 0.0.0.0 instead of 127.0.0.1

* Sun Oct 19 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-3
- Split off unbound-libs, make build verbose

* Thu Oct  9 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-2
- FSB compliance, chroot fixes, initscript fixes

* Thu Sep 11 2008 Paul Wouters <paul@xelerance.com> - 1.0.2-1
- Upgraded to 1.0.2

* Wed Jul 16 2008 Paul Wouters <paul@xelerance.com> - 1.0.1-1
- upgraded to new release

* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-2
- Build against ldns-1.3.0

* Wed May 21 2008 Paul Wouters <paul@xelerance.com> - 1.0.0-1
- Split of -devel package, fixed dependancies, make rpmlint happy

* Fri Apr 25 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.12
- Using parts from ports collection entry by Jaap Akkerhuis.
- Using Fedoraproject wiki guidelines.

* Wed Apr 23 2008 Wouter Wijngaards <wouter@nlnetlabs.nl> - 0.11
- Initial version.

## END: Generated by rpmautospec