Revert "update unbound to 1.19.0"

This reverts commit 0dbc58a38eb54787fce06c7dcfbba650fa16ca84.

unbound.conf

@@ -161,8 +161,10 @@ server:
 	# edns-buffer-size: 1232
 
 	# Maximum UDP response size (not applied to TCP response).
-	# Suggested values are 512 to 4096. Default is 1232. 65536 disables it.
+	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
-	# max-udp-size: 1232
+	# 3072 causes +dnssec any isc.org queries to need TC=1.
+	# Helps mitigating DDOS
+	max-udp-size: 3072
 
 	# max memory to use for stream(tcp and tls) waiting result buffers.
 	# stream-wait-size: 4m
@@ -261,18 +263,6 @@ server:
 	# Enable IPv6, "yes" or "no".
 	# do-ip6: yes
 
-	# If running unbound on an IPv6-only host, domains that only have
-	# IPv4 servers would become unresolveable.  If NAT64 is available in
-	# the network, unbound can use NAT64 to reach these servers with
-	# the following option.  This is NOT needed for enabling DNS64 on a
-	# system that has IPv4 connectivity.
-	# Consider also enabling prefer-ip6 to prefer native IPv6 connections
-	# to nameservers.
-	# do-nat64: no
-
-	# NAT64 prefix.  Defaults to using dns64-prefix value.
-	# nat64-prefix: 64:ff9b::0/96
-
 	# Enable UDP, "yes" or "no".
 	# NOTE: if setting up an Unbound on tls443 for public use, you might want to
 	# disable UDP to avoid being used in DNS amplification attacks.
@@ -306,10 +296,6 @@ server:
 	# Timeout for EDNS TCP keepalive, in msec.
 	# edns-tcp-keepalive-timeout: 120000
 
-	# UDP queries that have waited in the socket buffer for a long time
-	# can be dropped. Default is 0, disabled. In seconds, such as 3.
-	# sock-queue-timeout: 0
-
 	# Fedora note: do not activate this - not compiled in because
 	# it causes frequent unbound crashes. Also, socket activation
 	# is bad when you have things like dnsmasq also running with libvirt.
@@ -543,10 +529,6 @@ server:
 	# to validate the zone.
 	# harden-algo-downgrade: no
 
-	# Harden against unknown records in the authority section and the
-	# additional section.
-	# harden-unknown-additional: no
-
 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to A when possible.
@@ -860,8 +842,6 @@ server:
 	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
 	#   always_deny resolve in that way but ignore local data for
 	#   that name
-	# o block_a resolves all records normally but returns
-	#   NODATA for A queries and ignores local data for that name
 	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
 	# o noview breaks out of that view towards global local-zones.
 	#
@@ -1285,10 +1265,6 @@ auth-zone:
 #     redis-server-host: 127.0.0.1
 #     # redis server's TCP port
 #     redis-server-port: 6379
-#     # if the server uses a unix socket, set its path, or "" when not used.
-#     # redis-server-path: "/var/lib/redis/redis-server.sock"
-#     # if the server uses an AUTH password, specify here, or "" when not used.
-#     # redis-server-password: ""
 #     # timeout (in ms) for communication with the redis server
 #     redis-timeout: 100
 #     # set timeout on redis records based on DNS response TTL

unbound.spec

@@ -1,7 +1,7 @@
 %{!?delete_la: %global delete_la  find $RPM_BUILD_ROOT -type f -name "*.la" -delete}
 
 Name:          unbound
-Version:       1.19.0
+Version:       1.17.1
 Release:       1
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD-3-Clause
@@ -234,12 +234,6 @@ popd
 %{_mandir}/man*
 
 %changelog
-* Tue Dec 26 2023 gaihuiying <eaglegai@163.com> - 1.19.0-1
-- Type:requirement
-- CVE:NA
-- SUG:NA
-- DESC:update to 1.19.0
-
 * Tue Mar 07 2023 gaihuiying <eaglegai@163.com> - 1.17.1-1
 - Type:requirement
 - CVE:NA