Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #6145 from EricLuehrsen/unbound_defdoc

Browse source 
unbound: add root zone file cache option
This commit is contained in:
Hannu Nyman 2018-05-29 08:05:38 +03:00 committed by GitHub
commit d7ffa9ca0e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 120 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/unbound/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.7.1 PKG_VERSION:=1.7.1
PKG_RELEASE:=1 PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE

33
net/unbound/files/README.md
View file

@ -204,7 +204,7 @@ config unbound
into MTU issues. Use this size in bytes to manage drop outs. into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0' option extended_luci '0'
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration. Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
option extended_stats '0' option extended_stats '0'
Boolean. extended statistics are printed from unbound-control. Boolean. extended statistics are printed from unbound-control.
@ -225,12 +225,18 @@ config unbound
Boolean. Skip all this UCI nonsense. Manually edit the Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf. configuration. Make changes to /etc/unbound/unbound.conf.
option prefetch_root '0'
Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
"in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
servers using http or AXFR (gTLD are unfortunately not as public).
option protocol 'mixed' option protocol 'mixed'
Unbound can limit its protocol used for recursive queries. Unbound can limit its protocol used for recursive queries.
Set 'ip4_only' to avoid issues if you do not have native IP6. ip4_only - limit issues if you do not have native IPv6
Set 'ip6_prefer' to possibly improve performance as well as ip6_only - test environment only; could cauase problems
not consume NAT paths for the client computers. ip6_prefer - both IPv4 and IPv6 but try IPv6 first
Do not use 'ip6_only' unless testing. mixed - both IPv4 and IPv6
default - Unbound built-in defaults
option query_minimize '0' option query_minimize '0'
Boolean. Enable a minor privacy option. Don't let each server know Boolean. Enable a minor privacy option. Don't let each server know
@ -257,15 +263,18 @@ config unbound
3 - Plus DHCP-PD range passed down interfaces (not implemented) 3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive' option recursion 'passive'
Unbound has numerous options for how it recurses. This UCI combines Unbound has many options for recrusion but UCI is bundled for simplicity.
them into "passive," "aggressive," or Unbound's own "default." passive - slower until cache fills but kind on CPU load
Passive is easy on resources, but slower until cache fills. default - Unbound built-in defaults
aggressive - uses prefetching to handle more requests quickly
option resource 'small' option resource 'small'
Unbound has numerous options for resources. This UCI gives "tiny," Unbound has many options for resources but UCI is bundled for simplicity.
"small," "medium," and "large." Medium is most like the compiled tiny - similar to published memory restricted configuration
defaults with a bit of balancing. Tiny is close to the published small - about half of medium
memory restricted configuration. Small 1/2 medium, and large 2x. medium - similar to default, but fixed for consistency
default - Unbound built-in defaults
large - about double of medium
option root_age '9' option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root Days. >90 Disables. Age limit for Unbound root data like root

134
net/unbound/files/unbound.sh
View file

@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1 UNBOUND_B_NTP_BOOT=1
UNBOUND_B_QUERY_MIN=0 UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0 UNBOUND_B_QRY_MINST=0
UNBOUND_B_AUTH_ROOT=0
UNBOUND_D_CONTROL=0 UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static UNBOUND_D_DOMAIN_TYPE=static
@ -449,7 +450,7 @@ unbound_mkdir() {
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "iterator will use built-in root hints" logger -t unbound -s "default root hints (built in rootservers.net)"
fi fi
fi fi
@ -463,7 +464,7 @@ unbound_mkdir() {
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "validator will use built-in trust anchor" logger -t unbound -s "default trust anchor (built in root DS record)"
fi fi
fi fi
@ -605,6 +606,45 @@ unbound_forward() {
############################################################################## ##############################################################################
unbound_auth_root() {
local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
local httpserver="http://www.internic.net/domain/"
local authzones="root arpa in-addr.arpa ip6.arpa"
local server zone realzone
# Download or AXFR the root and arpa zones to reduce the work needed at
# top level of recursion. If your users will hit many ccTLD or you have
# tracking logs resolving many PTR, then this can speed things up.
# Total size of text in TMPFS could be about 5MB.
if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
for zone in $authzones ; do
if [ "$zone" = "root" ] ; then
realzone="."
else
realzone=$zone
fi
{
echo "auth-zone:"
echo " name: \"$realzone\""
for server in $axfrservers ; do
echo " master: \"$server\""
done
echo " url: \"$httpserver$zone.zone\""
echo " fallback-enabled: yes"
echo " for-downstream: no"
echo " for-upstream: yes"
echo " zonefile: \"$zone.zone\""
echo
} >> $UNBOUND_CONFFILE
done
fi
}
##############################################################################
unbound_conf() { unbound_conf() {
local rt_mem rt_conn modulestring domain ifsubnet local rt_mem rt_conn modulestring domain ifsubnet
@ -616,9 +656,13 @@ unbound_conf() {
# Make fresh conf file # Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo echo
# No threading
echo "server:" echo "server:"
echo " username: unbound" echo " username: unbound"
echo " chroot: \"$UNBOUND_VARDIR\""
echo " directory: \"$UNBOUND_VARDIR\""
echo " pidfile: \"$UNBOUND_PIDFILE\""
echo
# No threading
echo " num-threads: 1" echo " num-threads: 1"
echo " msg-cache-slabs: 1" echo " msg-cache-slabs: 1"
echo " rrset-cache-slabs: 1" echo " rrset-cache-slabs: 1"
@ -632,6 +676,7 @@ unbound_conf() {
echo " outgoing-interface: ::0" echo " outgoing-interface: ::0"
echo echo
# Logging # Logging
echo " use-syslog: yes"
echo " verbosity: 1" echo " verbosity: 1"
echo " statistics-interval: 0" echo " statistics-interval: 0"
echo " statistics-cumulative: no" echo " statistics-cumulative: no"
@ -677,12 +722,18 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
;; ;;
*) mixed)
{ {
echo " do-ip4: yes" echo " do-ip4: yes"
echo " do-ip6: yes" echo " do-ip6: yes"
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
;; ;;
*)
if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "default protocol configuration"
fi
;;
esac esac
@ -708,15 +759,6 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
{
# Default Files
echo " use-syslog: yes"
echo " chroot: \"$UNBOUND_VARDIR\""
echo " directory: \"$UNBOUND_VARDIR\""
echo " pidfile: \"$UNBOUND_PIDFILE\""
} >> $UNBOUND_CONFFILE
if [ -f "$UNBOUND_HINTFILE" ] ; then if [ -f "$UNBOUND_HINTFILE" ] ; then
# Optional hints if found # Optional hints if found
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@ -764,7 +806,7 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "default memory resource consumption" logger -t unbound -s "default memory configuration"
fi fi
# Assembly of module-config: options is tricky; order matters # Assembly of module-config: options is tricky; order matters
@ -803,27 +845,26 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
{
# Some query privacy but "strict" will break some name servers
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
} >> $UNBOUND_CONFFILE
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
# Minor improvement on query privacy
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
else
echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
fi
case "$UNBOUND_D_RECURSION" in case "$UNBOUND_D_RECURSION" in
passive) passive)
{ {
echo " prefetch: no" # Some query privacy but "strict" will break some servers
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: no" echo " prefetch-key: no"
fi
# On demand fetching
echo " prefetch: no"
echo " target-fetch-policy: \"0 0 0 0 0\"" echo " target-fetch-policy: \"0 0 0 0 0\""
echo echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
@ -831,8 +872,23 @@ unbound_conf() {
aggressive) aggressive)
{ {
echo " prefetch: yes" # Some query privacy but "strict" will break some servers
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: yes" echo " prefetch-key: yes"
fi
# Prefetch what can be
echo " prefetch: yes"
echo " target-fetch-policy: \"3 2 1 0 0\"" echo " target-fetch-policy: \"3 2 1 0 0\""
echo echo
} >> $UNBOUND_CONFFILE } >> $UNBOUND_CONFFILE
@ -1070,6 +1126,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0 config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0 config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0 config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0 config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@ -1165,7 +1222,7 @@ unbound_uci() {
############################################################################## ##############################################################################
_resolv_setup() { unbound_resolv_setup() {
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
return return
fi fi
@ -1194,7 +1251,7 @@ _resolv_setup() {
############################################################################## ##############################################################################
_resolv_teardown() { unbound_resolv_teardown() {
case $( cat /tmp/resolv.conf ) in case $( cat /tmp/resolv.conf ) in
*"generated by Unbound UCI"*) *"generated by Unbound UCI"*)
# our resolver file, reset to auto resolver file. # our resolver file, reset to auto resolver file.
@ -1209,8 +1266,6 @@ _resolv_teardown() {
unbound_start() { unbound_start() {
config_load unbound config_load unbound
config_foreach unbound_uci unbound config_foreach unbound_uci unbound
unbound_mkdir unbound_mkdir
@ -1229,19 +1284,18 @@ unbound_start() {
unbound_forward unbound_forward
unbound_auth_root
unbound_control unbound_control
fi fi
_resolv_setup unbound_resolv_setup
} }
############################################################################## ##############################################################################
unbound_stop() { unbound_stop() {
_resolv_teardown unbound_resolv_teardown
rootzone_update rootzone_update
} }

7
net/unbound/files/unbound.uci
View file

@ -15,13 +15,14 @@ config unbound
option listen_port '53' option listen_port '53'
option localservice '1' option localservice '1'
option manual_conf '0' option manual_conf '0'
option protocol 'mixed' option prefetch_root '0'
option protocol 'default'
option query_minimize '0' option query_minimize '0'
option query_min_strict '0' option query_min_strict '0'
option rebind_localhost '0' option rebind_localhost '0'
option rebind_protection '1' option rebind_protection '1'
option recursion 'passive' option recursion 'default'
option resource 'small' option resource 'default'
option root_age '9' option root_age '9'
option ttl_min '120' option ttl_min '120'
option unbound_control '0' option unbound_control '0'