Merge pull request #6147 from EricLuehrsen/openwrt-18.06

[openwrt-18.06] unbound: provide transparent defaults with documentation

net/unbound/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

net/unbound/files/README.md

@@ -204,7 +204,7 @@ config unbound
     into MTU issues. Use this size in bytes to manage drop outs.
 
   option extended_luci '0'
-    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+    Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
 
   option extended_stats '0'
     Boolean. extended statistics are printed from unbound-control.
@@ -227,10 +227,11 @@ config unbound
 
   option protocol 'mixed'
     Unbound can limit its protocol used for recursive queries.
-    Set 'ip4_only' to avoid issues if you do not have native IP6.
-    Set 'ip6_prefer' to possibly improve performance as well as
-    not consume NAT paths for the client computers.
-    Do not use 'ip6_only' unless testing.
+    ip4_only - limit issues if you do not have native IPv6
+    ip6_only - test environment only; could cauase problems
+    ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+    mixed - both IPv4 and IPv6
+    default - Unbound built-in defaults
 
   option query_minimize '0'
     Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +258,18 @@ config unbound
     3 - Plus DHCP-PD range passed down interfaces (not implemented)
 
   option recursion 'passive'
-    Unbound has numerous options for how it recurses. This UCI combines
-    them into "passive," "aggressive," or Unbound's own "default."
-    Passive is easy on resources, but slower until cache fills.
+    Unbound has many options for recrusion but UCI is bundled for simplicity.
+    passive - slower until cache fills but kind on CPU load
+    default - Unbound built-in defaults
+    aggressive - uses prefetching to handle more requests quickly
 
   option resource 'small'
-    Unbound has numerous options for resources. This UCI gives "tiny,"
-    "small," "medium," and "large." Medium is most like the compiled
-    defaults with a bit of balancing. Tiny is close to the published
-    memory restricted configuration. Small 1/2 medium, and large 2x.
+    Unbound has many options for resources but UCI is bundled for simplicity.
+    tiny - similar to published memory restricted configuration
+    small - about half of medium
+    medium - similar to default, but fixed for consistency
+    default - Unbound built-in defaults
+    large - about double of medium
 
   option root_age '9'
     Days. >90 Disables. Age limit for Unbound root data like root

net/unbound/files/unbound.sh

@@ -449,7 +449,7 @@ unbound_mkdir() {
       cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
     fi
   fi
 
@@ -463,7 +463,7 @@ unbound_mkdir() {
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
     fi
   fi
 
@@ -616,9 +616,13 @@ unbound_conf() {
     # Make fresh conf file
     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
     echo
-    # No threading
     echo "server:"
     echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
     echo "  num-threads: 1"
     echo "  msg-cache-slabs: 1"
     echo "  rrset-cache-slabs: 1"
@@ -632,6 +636,7 @@ unbound_conf() {
     echo "  outgoing-interface: ::0"
     echo
     # Logging
+    echo "  use-syslog: yes"
     echo "  verbosity: 1"
     echo "  statistics-interval: 0"
     echo "  statistics-cumulative: no"
@@ -677,12 +682,18 @@ unbound_conf() {
       } >> $UNBOUND_CONFFILE
       ;;
 
-    *)
+    mixed)
       {
         echo "  do-ip4: yes"
         echo "  do-ip6: yes"
       } >> $UNBOUND_CONFFILE
       ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
   esac
 
 
@@ -708,15 +719,6 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
   if [ -f "$UNBOUND_HINTFILE" ] ; then
     # Optional hints if found
     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +766,7 @@ unbound_conf() {
     } >> $UNBOUND_CONFFILE
 
   elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
   fi
 
   # Assembly of module-config: options is tricky; order matters
@@ -803,27 +805,26 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
   case "$UNBOUND_D_RECURSION" in
     passive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: no"
+        fi
+        # On demand fetching
         echo "  prefetch: no"
-        echo "  prefetch-key: no"
         echo "  target-fetch-policy: \"0 0 0 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -831,8 +832,23 @@ unbound_conf() {
 
     aggressive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
         echo "  prefetch: yes"
-        echo "  prefetch-key: yes"
         echo "  target-fetch-policy: \"3 2 1 0 0\""
         echo
       } >> $UNBOUND_CONFFILE

net/unbound/files/unbound.uci

@@ -15,13 +15,13 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
-	option protocol 'mixed'
+	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
-	option recursion 'passive'
-	option resource 'small'
+	option recursion 'default'
+	option resource 'default'
 	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'