Merge pull request #6145 from EricLuehrsen/unbound_defdoc
unbound: add root zone file cache option
commit
d7ffa9ca0e
4 changed files with 120 additions and 56 deletions
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=unbound
|
PKG_NAME:=unbound
|
||||||
PKG_VERSION:=1.7.1
|
PKG_VERSION:=1.7.1
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=3
|
||||||
|
|
||||||
PKG_LICENSE:=BSD-3-Clause
|
PKG_LICENSE:=BSD-3-Clause
|
||||||
PKG_LICENSE_FILES:=LICENSE
|
PKG_LICENSE_FILES:=LICENSE
|
||||||
|
|
|
@ -204,7 +204,7 @@ config unbound
|
||||||
into MTU issues. Use this size in bytes to manage drop outs.
|
into MTU issues. Use this size in bytes to manage drop outs.
|
||||||
|
|
||||||
option extended_luci '0'
|
option extended_luci '0'
|
||||||
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
|
Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
|
||||||
|
|
||||||
option extended_stats '0'
|
option extended_stats '0'
|
||||||
Boolean. extended statistics are printed from unbound-control.
|
Boolean. extended statistics are printed from unbound-control.
|
||||||
|
@ -225,12 +225,18 @@ config unbound
|
||||||
Boolean. Skip all this UCI nonsense. Manually edit the
|
Boolean. Skip all this UCI nonsense. Manually edit the
|
||||||
configuration. Make changes to /etc/unbound/unbound.conf.
|
configuration. Make changes to /etc/unbound/unbound.conf.
|
||||||
|
|
||||||
|
option prefetch_root '0'
|
||||||
|
Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
|
||||||
|
"in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
|
||||||
|
servers using http or AXFR (gTLD are unfortunately not as public).
|
||||||
|
|
||||||
option protocol 'mixed'
|
option protocol 'mixed'
|
||||||
Unbound can limit its protocol used for recursive queries.
|
Unbound can limit its protocol used for recursive queries.
|
||||||
Set 'ip4_only' to avoid issues if you do not have native IP6.
|
ip4_only - limit issues if you do not have native IPv6
|
||||||
Set 'ip6_prefer' to possibly improve performance as well as
|
ip6_only - test environment only; could cauase problems
|
||||||
not consume NAT paths for the client computers.
|
ip6_prefer - both IPv4 and IPv6 but try IPv6 first
|
||||||
Do not use 'ip6_only' unless testing.
|
mixed - both IPv4 and IPv6
|
||||||
|
default - Unbound built-in defaults
|
||||||
|
|
||||||
option query_minimize '0'
|
option query_minimize '0'
|
||||||
Boolean. Enable a minor privacy option. Don't let each server know
|
Boolean. Enable a minor privacy option. Don't let each server know
|
||||||
|
@ -257,15 +263,18 @@ config unbound
|
||||||
3 - Plus DHCP-PD range passed down interfaces (not implemented)
|
3 - Plus DHCP-PD range passed down interfaces (not implemented)
|
||||||
|
|
||||||
option recursion 'passive'
|
option recursion 'passive'
|
||||||
Unbound has numerous options for how it recurses. This UCI combines
|
Unbound has many options for recrusion but UCI is bundled for simplicity.
|
||||||
them into "passive," "aggressive," or Unbound's own "default."
|
passive - slower until cache fills but kind on CPU load
|
||||||
Passive is easy on resources, but slower until cache fills.
|
default - Unbound built-in defaults
|
||||||
|
aggressive - uses prefetching to handle more requests quickly
|
||||||
|
|
||||||
option resource 'small'
|
option resource 'small'
|
||||||
Unbound has numerous options for resources. This UCI gives "tiny,"
|
Unbound has many options for resources but UCI is bundled for simplicity.
|
||||||
"small," "medium," and "large." Medium is most like the compiled
|
tiny - similar to published memory restricted configuration
|
||||||
defaults with a bit of balancing. Tiny is close to the published
|
small - about half of medium
|
||||||
memory restricted configuration. Small 1/2 medium, and large 2x.
|
medium - similar to default, but fixed for consistency
|
||||||
|
default - Unbound built-in defaults
|
||||||
|
large - about double of medium
|
||||||
|
|
||||||
option root_age '9'
|
option root_age '9'
|
||||||
Days. >90 Disables. Age limit for Unbound root data like root
|
Days. >90 Disables. Age limit for Unbound root data like root
|
||||||
|
|
|
@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
|
||||||
UNBOUND_B_NTP_BOOT=1
|
UNBOUND_B_NTP_BOOT=1
|
||||||
UNBOUND_B_QUERY_MIN=0
|
UNBOUND_B_QUERY_MIN=0
|
||||||
UNBOUND_B_QRY_MINST=0
|
UNBOUND_B_QRY_MINST=0
|
||||||
|
UNBOUND_B_AUTH_ROOT=0
|
||||||
|
|
||||||
UNBOUND_D_CONTROL=0
|
UNBOUND_D_CONTROL=0
|
||||||
UNBOUND_D_DOMAIN_TYPE=static
|
UNBOUND_D_DOMAIN_TYPE=static
|
||||||
|
@ -449,7 +450,7 @@ unbound_mkdir() {
|
||||||
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
|
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
|
||||||
|
|
||||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||||
logger -t unbound -s "iterator will use built-in root hints"
|
logger -t unbound -s "default root hints (built in rootservers.net)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -463,7 +464,7 @@ unbound_mkdir() {
|
||||||
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
|
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
|
||||||
|
|
||||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||||
logger -t unbound -s "validator will use built-in trust anchor"
|
logger -t unbound -s "default trust anchor (built in root DS record)"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -605,6 +606,45 @@ unbound_forward() {
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
|
unbound_auth_root() {
|
||||||
|
local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
|
||||||
|
local httpserver="http://www.internic.net/domain/"
|
||||||
|
local authzones="root arpa in-addr.arpa ip6.arpa"
|
||||||
|
local server zone realzone
|
||||||
|
# Download or AXFR the root and arpa zones to reduce the work needed at
|
||||||
|
# top level of recursion. If your users will hit many ccTLD or you have
|
||||||
|
# tracking logs resolving many PTR, then this can speed things up.
|
||||||
|
# Total size of text in TMPFS could be about 5MB.
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
|
||||||
|
for zone in $authzones ; do
|
||||||
|
if [ "$zone" = "root" ] ; then
|
||||||
|
realzone="."
|
||||||
|
else
|
||||||
|
realzone=$zone
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
{
|
||||||
|
echo "auth-zone:"
|
||||||
|
echo " name: \"$realzone\""
|
||||||
|
for server in $axfrservers ; do
|
||||||
|
echo " master: \"$server\""
|
||||||
|
done
|
||||||
|
echo " url: \"$httpserver$zone.zone\""
|
||||||
|
echo " fallback-enabled: yes"
|
||||||
|
echo " for-downstream: no"
|
||||||
|
echo " for-upstream: yes"
|
||||||
|
echo " zonefile: \"$zone.zone\""
|
||||||
|
echo
|
||||||
|
} >> $UNBOUND_CONFFILE
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
unbound_conf() {
|
unbound_conf() {
|
||||||
local rt_mem rt_conn modulestring domain ifsubnet
|
local rt_mem rt_conn modulestring domain ifsubnet
|
||||||
|
|
||||||
|
@ -616,9 +656,13 @@ unbound_conf() {
|
||||||
# Make fresh conf file
|
# Make fresh conf file
|
||||||
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
|
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
|
||||||
echo
|
echo
|
||||||
# No threading
|
|
||||||
echo "server:"
|
echo "server:"
|
||||||
echo " username: unbound"
|
echo " username: unbound"
|
||||||
|
echo " chroot: \"$UNBOUND_VARDIR\""
|
||||||
|
echo " directory: \"$UNBOUND_VARDIR\""
|
||||||
|
echo " pidfile: \"$UNBOUND_PIDFILE\""
|
||||||
|
echo
|
||||||
|
# No threading
|
||||||
echo " num-threads: 1"
|
echo " num-threads: 1"
|
||||||
echo " msg-cache-slabs: 1"
|
echo " msg-cache-slabs: 1"
|
||||||
echo " rrset-cache-slabs: 1"
|
echo " rrset-cache-slabs: 1"
|
||||||
|
@ -632,6 +676,7 @@ unbound_conf() {
|
||||||
echo " outgoing-interface: ::0"
|
echo " outgoing-interface: ::0"
|
||||||
echo
|
echo
|
||||||
# Logging
|
# Logging
|
||||||
|
echo " use-syslog: yes"
|
||||||
echo " verbosity: 1"
|
echo " verbosity: 1"
|
||||||
echo " statistics-interval: 0"
|
echo " statistics-interval: 0"
|
||||||
echo " statistics-cumulative: no"
|
echo " statistics-cumulative: no"
|
||||||
|
@ -677,12 +722,18 @@ unbound_conf() {
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
;;
|
;;
|
||||||
|
|
||||||
*)
|
mixed)
|
||||||
{
|
{
|
||||||
echo " do-ip4: yes"
|
echo " do-ip4: yes"
|
||||||
echo " do-ip6: yes"
|
echo " do-ip6: yes"
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
;;
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||||
|
logger -t unbound -s "default protocol configuration"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
@ -708,15 +759,6 @@ unbound_conf() {
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
|
|
||||||
|
|
||||||
{
|
|
||||||
# Default Files
|
|
||||||
echo " use-syslog: yes"
|
|
||||||
echo " chroot: \"$UNBOUND_VARDIR\""
|
|
||||||
echo " directory: \"$UNBOUND_VARDIR\""
|
|
||||||
echo " pidfile: \"$UNBOUND_PIDFILE\""
|
|
||||||
} >> $UNBOUND_CONFFILE
|
|
||||||
|
|
||||||
|
|
||||||
if [ -f "$UNBOUND_HINTFILE" ] ; then
|
if [ -f "$UNBOUND_HINTFILE" ] ; then
|
||||||
# Optional hints if found
|
# Optional hints if found
|
||||||
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
|
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
|
||||||
|
@ -764,7 +806,7 @@ unbound_conf() {
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
|
|
||||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||||
logger -t unbound -s "default memory resource consumption"
|
logger -t unbound -s "default memory configuration"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Assembly of module-config: options is tricky; order matters
|
# Assembly of module-config: options is tricky; order matters
|
||||||
|
@ -803,27 +845,26 @@ unbound_conf() {
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
|
|
||||||
|
|
||||||
if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
|
||||||
{
|
|
||||||
# Some query privacy but "strict" will break some name servers
|
|
||||||
echo " qname-minimisation: yes"
|
|
||||||
echo " qname-minimisation-strict: yes"
|
|
||||||
} >> $UNBOUND_CONFFILE
|
|
||||||
|
|
||||||
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
|
||||||
# Minor improvement on query privacy
|
|
||||||
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
|
|
||||||
|
|
||||||
else
|
|
||||||
echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
case "$UNBOUND_D_RECURSION" in
|
case "$UNBOUND_D_RECURSION" in
|
||||||
passive)
|
passive)
|
||||||
{
|
{
|
||||||
echo " prefetch: no"
|
# Some query privacy but "strict" will break some servers
|
||||||
|
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
|
||||||
|
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||||
|
echo " qname-minimisation: yes"
|
||||||
|
echo " qname-minimisation-strict: yes"
|
||||||
|
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||||
|
echo " qname-minimisation: yes"
|
||||||
|
else
|
||||||
|
echo " qname-minimisation: no"
|
||||||
|
fi
|
||||||
|
# Use DNSSEC to quickly understand NXDOMAIN ranges
|
||||||
|
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
|
||||||
|
echo " aggressive-nsec: yes"
|
||||||
echo " prefetch-key: no"
|
echo " prefetch-key: no"
|
||||||
|
fi
|
||||||
|
# On demand fetching
|
||||||
|
echo " prefetch: no"
|
||||||
echo " target-fetch-policy: \"0 0 0 0 0\""
|
echo " target-fetch-policy: \"0 0 0 0 0\""
|
||||||
echo
|
echo
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
|
@ -831,8 +872,23 @@ unbound_conf() {
|
||||||
|
|
||||||
aggressive)
|
aggressive)
|
||||||
{
|
{
|
||||||
echo " prefetch: yes"
|
# Some query privacy but "strict" will break some servers
|
||||||
|
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
|
||||||
|
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||||
|
echo " qname-minimisation: yes"
|
||||||
|
echo " qname-minimisation-strict: yes"
|
||||||
|
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||||
|
echo " qname-minimisation: yes"
|
||||||
|
else
|
||||||
|
echo " qname-minimisation: no"
|
||||||
|
fi
|
||||||
|
# Use DNSSEC to quickly understand NXDOMAIN ranges
|
||||||
|
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
|
||||||
|
echo " aggressive-nsec: yes"
|
||||||
echo " prefetch-key: yes"
|
echo " prefetch-key: yes"
|
||||||
|
fi
|
||||||
|
# Prefetch what can be
|
||||||
|
echo " prefetch: yes"
|
||||||
echo " target-fetch-policy: \"3 2 1 0 0\""
|
echo " target-fetch-policy: \"3 2 1 0 0\""
|
||||||
echo
|
echo
|
||||||
} >> $UNBOUND_CONFFILE
|
} >> $UNBOUND_CONFFILE
|
||||||
|
@ -1070,6 +1126,7 @@ unbound_uci() {
|
||||||
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
|
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
|
||||||
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
|
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
|
||||||
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
|
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
|
||||||
|
config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
|
||||||
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
|
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
|
||||||
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
|
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
|
||||||
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
|
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
|
||||||
|
@ -1165,7 +1222,7 @@ unbound_uci() {
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
_resolv_setup() {
|
unbound_resolv_setup() {
|
||||||
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
|
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
|
@ -1194,7 +1251,7 @@ _resolv_setup() {
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
_resolv_teardown() {
|
unbound_resolv_teardown() {
|
||||||
case $( cat /tmp/resolv.conf ) in
|
case $( cat /tmp/resolv.conf ) in
|
||||||
*"generated by Unbound UCI"*)
|
*"generated by Unbound UCI"*)
|
||||||
# our resolver file, reset to auto resolver file.
|
# our resolver file, reset to auto resolver file.
|
||||||
|
@ -1209,8 +1266,6 @@ _resolv_teardown() {
|
||||||
unbound_start() {
|
unbound_start() {
|
||||||
config_load unbound
|
config_load unbound
|
||||||
config_foreach unbound_uci unbound
|
config_foreach unbound_uci unbound
|
||||||
|
|
||||||
|
|
||||||
unbound_mkdir
|
unbound_mkdir
|
||||||
|
|
||||||
|
|
||||||
|
@ -1229,19 +1284,18 @@ unbound_start() {
|
||||||
|
|
||||||
|
|
||||||
unbound_forward
|
unbound_forward
|
||||||
|
unbound_auth_root
|
||||||
unbound_control
|
unbound_control
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
_resolv_setup
|
unbound_resolv_setup
|
||||||
}
|
}
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
|
|
||||||
unbound_stop() {
|
unbound_stop() {
|
||||||
_resolv_teardown
|
unbound_resolv_teardown
|
||||||
|
|
||||||
|
|
||||||
rootzone_update
|
rootzone_update
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
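Review bot: In unbound_auth_root (hunk @ -605) the root and arpa zones are fetched over plain http (`url: "$httpserver$zone.zone"`) or unauthenticated AXFR from the listed masters and then used for every upstream delegation via `for-upstream: yes`; as far as I can tell Unbound only DNSSEC-checks that data when the validator module is on, so with `validator '0'` a modified zone file would simply be trusted for the "." and arpa delegations. A header comment such as `# Zone data arrives without transport integrity; pair prefetch_root with validator so fetched delegations are DNSSEC-verified` plus a matching sentence in the README's prefetch_root description would make the dependency visible, and a `logger -t unbound -s` warning when UNBOUND_B_AUTH_ROOT is set but UNBOUND_B_DNSSEC is 0 would be the next step. Separately, hunk @ -803 moves the qname-minimisation emission into the passive) and aggressive) cases only, so with the newly shipped default `option recursion 'default'` the query_minimize and query_min_strict options appear to produce no output at all unless the `*)` branch outside the hunk repeats them. unbound_conf starts and ends outside these hunks.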
@ -15,13 +15,14 @@ config unbound
|
||||||
option listen_port '53'
|
option listen_port '53'
|
||||||
option localservice '1'
|
option localservice '1'
|
||||||
option manual_conf '0'
|
option manual_conf '0'
|
||||||
option protocol 'mixed'
|
option prefetch_root '0'
|
||||||
|
option protocol 'default'
|
||||||
option query_minimize '0'
|
option query_minimize '0'
|
||||||
option query_min_strict '0'
|
option query_min_strict '0'
|
||||||
option rebind_localhost '0'
|
option rebind_localhost '0'
|
||||||
option rebind_protection '1'
|
option rebind_protection '1'
|
||||||
option recursion 'passive'
|
option recursion 'default'
|
||||||
option resource 'small'
|
option resource 'default'
|
||||||
option root_age '9'
|
option root_age '9'
|
||||||
option ttl_min '120'
|
option ttl_min '120'
|
||||||
option unbound_control '0'
|
option unbound_control '0'
|
||||||
|
|