unbound (1.11.0-1) unstable; urgency=medium

  The default Debian config file shipped in the unbound package has changed
  from using the "include:" directive to using the "include-toplevel:"
  directive in order to include the config file fragments in
  /etc/unbound/unbound.conf.d/*.conf into the unbound configuration.

  The "include-toplevel:" directive has been newly introduced in unbound
  1.11.0 and it requires that any included config file fragment begin its own
  clause (e.g., "server:").

  The existing "include:" directive that was used in previous Debian releases
  of the unbound package only performed textual inclusion, and it was possible
  to construct a set of config file fragments that depended on the presence or
  ordering of specific config file fragments in order to parse correctly. For
  instance, a config file fragment could have specified an option that can
  only appear in the "server:" clause, and rely on a previously included
  config file fragment to begin that clause. This behavior is no longer
  allowed by the use of the "include-toplevel:" directive because it is not
  robust against config file fragments being added, removed, or reordered.

  If you are upgrading the unbound package and you have installed any config
  file fragments into /etc/unbound/unbound.conf.d/ you should check that each
  config file fragment begins its own clause (e.g., "server:") and update each
  config file fragment as necessary to be compatible with the behavior of the
  "include-toplevel:" directive.

  If needed, the previous behavior can be restored by changing the following
  line in /etc/unbound/unbound.conf:

      include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"

  to its previous setting:

      include: "/etc/unbound/unbound.conf.d/*.conf"

 -- Robert Edmonds <edmonds@debian.org>  Sun, 09 Aug 2020 19:39:01 -0400

unbound (1.5.7-2) unstable; urgency=medium

  The unbound package no longer ships an /etc/default/unbound conffile.
  If modified, it will be renamed to /etc/default/unbound.dpkg-bak after
  upgrading.

  The /etc/default/unbound file, if it exists, will still be read and the
  behavior of the package can be modified, but the defaults have been changed
  to make it unnecessary for most users to need an /etc/default/unbound
  file.

  The following variables are still supported by the /etc/default/unbound
  file, if it exists:

    DAEMON_OPTS

      If set, the value of this variable will be appended to the daemon
      command-line.

    RESOLVCONF

      This variable now must be explicitly set to "false" to disable the
      unbound package's resolvconf provider. Otherwise, it defaults to
      enabled if unset.

      In previous versions, this variable had to be explicitly set to "true"
      to enable the resolvconf provider, but the /etc/default/unbound file
      shipped with it explicitly enabled.

    ROOT_TRUST_ANCHOR_FILE

      This variable can be explicitly set to override the path used by the
      root trust anchor update mechanism for the root trust anchor. Otherwise,
      it defaults to /var/lib/unbound/root.key if unset.

    ROOT_TRUST_ANCHOR_UPDATE

      This variable now must be explicitly set to "false" to disable the root
      trust anchor update mechanism. Otherwise, it defaults to enabled if
      unset.

      In previous versions, this variable had to be explicitly set to "true"
      to enable the update mechanism, but the /etc/default/unbound file
      shipped with it explicitly enabled.

  The following variables are no longer supported by the /etc/default/unbound
  file, but were present in previous versions:

    UNBOUND_ENABLE

      This variable controlled whether or not the init script would start the
      Unbound daemon. Instead, use the standard Debian mechanisms for enabling
      or disabling a service started by the init system.

    RESOLVCONF_FORWARDERS

      This variable controlled whether or not the upstream nameservers
      supplied by resolvconf were configured into the running Unbound instance
      with the "unbound-control forward" command, via a resolvconf update.d
      hook.

      This mechanism still exists, but the variable controlling it has been
      removed. Instead, add or remove the executable bit from the
      /etc/resolvconf/update.d/unbound file to enable or disable the hook.

  This release also makes the following changes:

    The resolvconf update.d hook can be problematic, especially if the
    upstream nameservers do not perform DNSSEC validation, or if a
    "forward-zone" declaration for the root zone has been statically
    configured by the administrator. In previous versions, the hook was
    enabled by default, but it is now disabled by default. It can be
    explicitly enabled by running "chmod +x /etc/resolvconf/update.d/unbound".

    The unbound package now depends on the dns-root-data package, and the root
    trust anchor update mechanism has been enhanced to import the root trust
    anchor from /usr/share/dns/root.key on new installations, or if the
    /usr/share/dns/root.key file is newer than /var/lib/unbound/root.key.

 -- Robert Edmonds <edmonds@debian.org>  Sun, 21 Feb 2016 16:01:33 -0500