unbound: add root zone file cache option

Add the possibility to use Unbound auto-zone: clause to fetch complete root, arpa, in-addr.arpa, and ip6.arpa zone files. This can speed up recursion when users access many ccTLD or connection logging hits many PTR. Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2018-05-28 22:46:07 -04:00 · 2018-05-28 22:46:07 -04:00 · 36e1aa0892
commit 36e1aa0892
parent cdeefec73e
4 changed files with 53 additions and 9 deletions
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@ -225,6 +225,11 @@ config unbound
    Boolean. Skip all this UCI nonsense. Manually edit the
    configuration. Make changes to /etc/unbound/unbound.conf.

+  option prefetch_root '0'
+    Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
+    "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
+    servers using http or AXFR (gTLD are unfortunately not as public).
+
  option protocol 'mixed'
    Unbound can limit its protocol used for recursive queries.
    ip4_only - limit issues if you do not have native IPv6
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_QUERY_MIN=0
 UNBOUND_B_QRY_MINST=0
+UNBOUND_B_AUTH_ROOT=0

 UNBOUND_D_CONTROL=0
 UNBOUND_D_DOMAIN_TYPE=static
@ -605,6 +606,45 @@ unbound_forward() {

 ##############################################################################

+unbound_auth_root() {
+  local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+  local httpserver="http://www.internic.net/domain/"
+  local authzones="root arpa in-addr.arpa ip6.arpa"
+  local server zone realzone
+  # Download or AXFR the root and arpa zones to reduce the work needed at
+  # top level of recursion. If your users will hit many ccTLD or you have
+  # tracking logs resolving many PTR, then this can speed things up.
+  # Total size of text in TMPFS could be about 5MB.
+
+
+  if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
+    for zone in $authzones ; do
+      if [ "$zone" = "root" ] ; then
+        realzone="."
+      else
+        realzone=$zone
+      fi
+
+
+      {
+        echo "auth-zone:"
+        echo "  name: \"$realzone\""
+        for server in $axfrservers ; do
+          echo "  master: \"$server\""
+        done
+        echo "  url: \"$httpserver$zone.zone\""
+        echo "  fallback-enabled: yes"
+        echo "  for-downstream: no"
+        echo "  for-upstream: yes"
+        echo "  zonefile: \"$zone.zone\""
+        echo
+      } >> $UNBOUND_CONFFILE
+    done
+  fi
+}
+
+##############################################################################
+
 unbound_conf() {
  local rt_mem rt_conn modulestring domain ifsubnet

@ -1086,6 +1126,7 @@ unbound_uci() {
  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
  config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0
  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
+  config_get_bool UNBOUND_B_AUTH_ROOT  "$cfg" prefetch_root 0
  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1
@ -1181,7 +1222,7 @@ unbound_uci() {

 ##############################################################################

-_resolv_setup() {
+unbound_resolv_setup() {
  if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
    return
  fi
@ -1210,7 +1251,7 @@ _resolv_setup() {

 ##############################################################################

-_resolv_teardown() {
+unbound_resolv_teardown() {
  case $( cat /tmp/resolv.conf ) in
  *"generated by Unbound UCI"*)
    # our resolver file, reset to auto resolver file.
@ -1225,8 +1266,6 @@ _resolv_teardown() {
 unbound_start() {
  config_load unbound
  config_foreach unbound_uci unbound
-
-
  unbound_mkdir


@ -1245,19 +1284,18 @@ unbound_start() {


    unbound_forward
+    unbound_auth_root
    unbound_control
  fi


-  _resolv_setup
+  unbound_resolv_setup
 }

 ##############################################################################

 unbound_stop() {
-  _resolv_teardown
-
-
+  unbound_resolv_teardown
  rootzone_update
 }

--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@ -15,6 +15,7 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
+	option prefetch_root '0'
 	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'