Merge pull request #6707 from guidosarducci/master-fixup-stubby

stubby: some fixes, cleanup, and improvements

net/stubby/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=stubby
 PKG_VERSION:=0.2.3
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=COPYING
@@ -29,12 +29,6 @@ define Package/stubby/Default
 	URL:=https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
 endef
 
-define Package/stubby/description
-	This package contains the Stubby daemon (which utilizes the getdns library).
-
-	See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details.
-endef
-
 define Package/stubby
 	$(call Package/stubby/Default)
 	SECTION:=net
@@ -45,6 +39,16 @@ define Package/stubby
 	DEPENDS:= +libyaml +getdns +ca-certificates
 endef
 
+define Package/stubby/description
+	This package contains the Stubby daemon (which utilizes the getdns library).
+
+	See https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md for more details.
+endef
+
+define Package/stubby/conffiles
+/etc/stubby/stubby.yml
+endef
+
 define Package/stubby/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/stubby $(1)/usr/sbin/stubby
@@ -55,9 +59,4 @@ define Package/stubby/install
 	$(INSTALL_DATA) ./files/stubby.yml $(1)/etc/stubby/stubby.yml
 endef
 
-
-define Package/stubby/conffiles
-	/etc/stubby/stubby.yml
-endef
-
 $(eval $(call BuildPackage,stubby))

net/stubby/files/README.md

@@ -20,10 +20,10 @@ This package has some modifications that makes it differ from the default upstre
 ### General Cleanup
 Comments are removed, etc.
 
-### EDNS Client-Subnet Option Changed to 0
+### EDNS Client-Subnet Option
 The value of "edns_client_subnet_private" is '1' in the upstream default config. This informs the upstream resolver to NOT forward your connection's IP to any other upstream servers. This is good for privacy, but could result in sub-optimal routing to CDNs, etc.
 
-To give a more "comparable" DNS experience similar to google/opendns, this package disables this option.
+We retain the upstream value since privacy is a key user motivation for using DNS-over-TLS, but note users encountering poor routing may consider changing it.
 
 ### Default Listening Ports Changed
 The value of "listen_addresses" in the default config does not list port numbers, which will cause stubby to default to port 53. However, Openwrt defaults to dnsmasq as the main name server daemon, which runs on port 53. By setting the listening ports to non-standard values, this allows users to keep the main name server daemon in place (dnsmasq/unbound/etc.) and have that name server forward to stubby.

net/stubby/files/stubby.init

@@ -13,8 +13,6 @@ start_service() {
 
   procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
 
-  procd_set_param limits core="unlimited"
-
   procd_set_param file /etc/stubby/stubby.yml
 
   procd_set_param stdout 1

net/stubby/files/stubby.yml

@@ -9,7 +9,7 @@ tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
 
 tls_query_padding_blocksize: 128
 
-edns_client_subnet_private : 0
+edns_client_subnet_private : 1
 
 round_robin_upstreams: 0
 
@@ -24,6 +24,14 @@ upstream_recursive_servers:
 # # Cloudflare IPv6
   - address_data: 2606:4700:4700::1111
     tls_auth_name: "cloudflare-dns.com"
+    tls_pubkey_pinset:
+      - digest: "sha256"
+        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
+  - address_data: 2606:4700:4700::1001
+    tls_auth_name: "cloudflare-dns.com"
+    tls_pubkey_pinset:
+      - digest: "sha256"
+        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
 
 # # Quad 9 IPv6
 #  - address_data: 2620:fe::10
@@ -33,6 +41,14 @@ upstream_recursive_servers:
 # # Cloudflare servers
   - address_data: 1.1.1.1
     tls_auth_name: "cloudflare-dns.com"
+    tls_pubkey_pinset:
+      - digest: "sha256"
+        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
+  - address_data: 1.0.0.1
+    tls_auth_name: "cloudflare-dns.com"
+    tls_pubkey_pinset:
+      - digest: "sha256"
+        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
 
 # Quad 9 service
 #  - address_data: 9.9.9.10