unbound: provide transparent defaults with documentation

Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

net/unbound/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

net/unbound/files/README.md

@@ -204,7 +204,7 @@ config unbound
     into MTU issues. Use this size in bytes to manage drop outs.
 
   option extended_luci '0'
-    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+    Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
 
   option extended_stats '0'
     Boolean. extended statistics are printed from unbound-control.
@@ -227,10 +227,11 @@ config unbound
 
   option protocol 'mixed'
     Unbound can limit its protocol used for recursive queries.
-    Set 'ip4_only' to avoid issues if you do not have native IP6.
+    ip4_only - limit issues if you do not have native IPv6
-    Set 'ip6_prefer' to possibly improve performance as well as
+    ip6_only - test environment only; could cauase problems
-    not consume NAT paths for the client computers.
+    ip6_prefer - both IPv4 and IPv6 but try IPv6 first
-    Do not use 'ip6_only' unless testing.
+    mixed - both IPv4 and IPv6
+    default - Unbound built-in defaults
 
   option query_minimize '0'
     Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +258,18 @@ config unbound
     3 - Plus DHCP-PD range passed down interfaces (not implemented)
 
   option recursion 'passive'
-    Unbound has numerous options for how it recurses. This UCI combines
+    Unbound has many options for recrusion but UCI is bundled for simplicity.
-    them into "passive," "aggressive," or Unbound's own "default."
+    passive - slower until cache fills but kind on CPU load
-    Passive is easy on resources, but slower until cache fills.
+    default - Unbound built-in defaults
+    aggressive - uses prefetching to handle more requests quickly
 
   option resource 'small'
-    Unbound has numerous options for resources. This UCI gives "tiny,"
+    Unbound has many options for resources but UCI is bundled for simplicity.
-    "small," "medium," and "large." Medium is most like the compiled
+    tiny - similar to published memory restricted configuration
-    defaults with a bit of balancing. Tiny is close to the published
+    small - about half of medium
-    memory restricted configuration. Small 1/2 medium, and large 2x.
+    medium - similar to default, but fixed for consistency
+    default - Unbound built-in defaults
+    large - about double of medium
 
   option root_age '9'
     Days. >90 Disables. Age limit for Unbound root data like root

net/unbound/files/unbound.sh

@@ -449,7 +449,7 @@ unbound_mkdir() {
       cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
     fi
   fi
 
@@ -463,7 +463,7 @@ unbound_mkdir() {
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
     fi
   fi
 
@@ -616,9 +616,13 @@ unbound_conf() {
     # Make fresh conf file
     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
     echo
-    # No threading
     echo "server:"
     echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
     echo "  num-threads: 1"
     echo "  msg-cache-slabs: 1"
     echo "  rrset-cache-slabs: 1"
@@ -632,6 +636,7 @@ unbound_conf() {
     echo "  outgoing-interface: ::0"
     echo
     # Logging
+    echo "  use-syslog: yes"
     echo "  verbosity: 1"
     echo "  statistics-interval: 0"
     echo "  statistics-cumulative: no"
@@ -677,12 +682,18 @@ unbound_conf() {
       } >> $UNBOUND_CONFFILE
       ;;
 
-    *)
+    mixed)
       {
         echo "  do-ip4: yes"
         echo "  do-ip6: yes"
       } >> $UNBOUND_CONFFILE
       ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
   esac
 
 
@@ -708,15 +719,6 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
   if [ -f "$UNBOUND_HINTFILE" ] ; then
     # Optional hints if found
     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +766,7 @@ unbound_conf() {
     } >> $UNBOUND_CONFFILE
 
   elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
   fi
 
   # Assembly of module-config: options is tricky; order matters
@@ -803,27 +805,26 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
   case "$UNBOUND_D_RECURSION" in
     passive)
       {
-        echo "  prefetch: no"
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
           echo "  prefetch-key: no"
+        fi
+        # On demand fetching
+        echo "  prefetch: no"
         echo "  target-fetch-policy: \"0 0 0 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -831,8 +832,23 @@ unbound_conf() {
 
     aggressive)
       {
-        echo "  prefetch: yes"
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
           echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
+        echo "  prefetch: yes"
         echo "  target-fetch-policy: \"3 2 1 0 0\""
         echo
       } >> $UNBOUND_CONFFILE

net/unbound/files/unbound.uci

@@ -15,13 +15,13 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
-	option protocol 'mixed'
+	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
-	option recursion 'passive'
+	option recursion 'default'
-	option resource 'small'
+	option resource 'default'
 	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'