Merge pull request #3665 from EricLuehrsen/unbound_1_6_0

unbound: update to 1.6.0

net/unbound/Makefile

@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
-PKG_VERSION:=1.5.10
+PKG_VERSION:=1.6.0
-PKG_RELEASE:=6
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@hotmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_MD5SUM:=0a3a236811f1ab5c1dc31974fa74e047
+PKG_MD5SUM:=78409eccf7260d260b6463f85e59c66b
 
 PKG_BUILD_DEPENDS:=libexpat
 PKG_BUILD_PARALLEL:=1

net/unbound/files/README.md

@@ -79,8 +79,12 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
 		"drill -x 192.168.10.201 ~ NODATA" (insted of james-laptop.lan)
 
 	option edns_size '1280'
-		Extended DNS is necessary for DNSSEC. However, it can run into MTU
+		Bytes. Extended DNS is necessary for DNSSEC. However, it can run 
-		issues. Use this size in bytes to manage drop outs.
+		into MTU issues. Use this size in bytes to manage drop outs.
+
+	option hide_binddata '1'
+		Boolean. If enabled version.server, version.bind, id.server, and 
+		hostname.bind queries are refused.
 
 	option listen_port '53'
 		Port. Incoming. Where Unbound will listen for queries.
@@ -93,9 +97,21 @@ Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbou
 		Boolean. Skip all this UCI nonsense. Manually edit the
 		configuration. Make changes to /etc/unbound/unbound.conf.
 
+	option protocol 'mixed'
+		Unbound can limit its protocol: "ip4_only" for ISP behind the time,
+		"ip6_only" for testing, "ip6_prefer" for ISP with good IP6 support,
+		or default-all "mixed." This affects the protocol	used to 
+		communicate. The DNS responses always include hosts respective IP4
+		and IP6 data.
+
 	option query_minimize '0'
-		Boolean. Enable a minor privacy option. Query only one name piece
+		Boolean. Enable a minor privacy option. Don't let each server know
-		at a time. Don't let each server know the next recursion.
+		the next recursion. Query one piece at a time.
+
+	option query_min_strict '0'
+		Boolean. Query minimize is best effort and will fall back to normal
+		when it must. This option prevents the fall back, but less than
+		standard name servers will fail to resolve their domains.
 
 	option rebind_localhost '0'
 		Boolean. Prevent loopback "127.0.0.0/8" or "::1/128" responses.

net/unbound/files/unbound.ntpd

@@ -18,7 +18,7 @@
 ##############################################################################
 
 if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] \
-  && /etc/init.d/dnsmasq enabled ; then
+  && /etc/init.d/unbound enabled ; then
   #
   echo "ntpd: $( date )" > $UNBOUND_TIMEFILE
   /etc/init.d/unbound restart

net/unbound/files/unbound.sh

@@ -25,6 +25,7 @@ UNBOUND_B_DNSMASQ=0
 UNBOUND_B_DNSSEC=0
 UNBOUND_B_DNS64=0
 UNBOUND_B_GATE_NAME=0
+UNBOUND_B_HIDE_BIND=1
 UNBOUND_B_LOCL_BLCK=0
 UNBOUND_B_LOCL_NAME=0
 UNBOUND_B_LOCL_SERV=1
@@ -32,11 +33,13 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_PRIV_BLCK=1
 UNBOUND_B_QUERY_MIN=0
+UNBOUND_B_QRY_MINST=0
 
 UNBOUND_IP_DNS64="64:ff9b::/96"
 
 UNBOUND_D_RESOURCE=small
 UNBOUND_D_RECURSION=passive
+UNBOUND_D_PROTOCOL=mixed
 
 UNBOUND_TXT_FWD_ZONE=""
 UNBOUND_TTL_MIN=120
@@ -207,6 +210,38 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
+  case "$UNBOUND_D_PROTOCOL" in
+    ip4_only)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: no"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    ip6_only)
+      {
+        echo "  do-ip4: no"
+        echo "  do-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    ip6_prefer)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: yes"
+        echo "  prefer-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+
+    *)
+      {
+        echo "  do-ip4: yes"
+        echo "  do-ip6: yes"
+      } >> $UNBOUND_CONFFILE
+      ;;
+  esac
+
+
   {
     # protocol level tuning
     echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
@@ -324,7 +359,14 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+    {
+      # Some query privacy but "strict" will break some name servers
+      echo "  qname-minimisation: yes"
+      echo "  qname-minimisation-strict: yes"
+    } >> $UNBOUND_CONFFILE
+
+  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
     # Minor improvement on query privacy
     echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
 
@@ -370,10 +412,23 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
+  if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
+    {
+      # Block server id and version DNS TXT records
+      echo "  hide-identity: yes"
+      echo "  hide-version: yes"
+      echo
+    } >> $UNBOUND_CONFFILE
+  fi
+
+
   if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
     {
-      # Remove DNS reponses from upstream with private IP
+      # Remove _upstream_ or global reponses with private addresses.
+      # Unbounds own "local zone" and "forward zone" may still use these.
+      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
       echo "  private-address: 10.0.0.0/8"
+      echo "  private-address: 100.64.0.0/10"
       echo "  private-address: 169.254.0.0/16"
       echo "  private-address: 172.16.0.0/12"
       echo "  private-address: 192.168.0.0/16"
@@ -441,12 +496,14 @@ unbound_uci() {
   ####################
 
   config_get_bool UNBOUND_B_DNS64     "$cfg" dns64 0
-  config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmsaq_gate_name 0
+  config_get_bool UNBOUND_B_GATE_NAME "$cfg" dnsmasq_gate_name 0
   config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0
+  config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
   config_get_bool UNBOUND_B_LOCL_NAME "$cfg" dnsmasq_only_local 0
   config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
   config_get_bool UNBOUND_B_MAN_CONF  "$cfg" manual_conf 0
   config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
+  config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
   config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
   config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
   config_get_bool UNBOUND_B_CONTROL   "$cfg" unbound_control 0
@@ -454,11 +511,15 @@ unbound_uci() {
   config_get_bool UNBOUND_B_NTP_BOOT  "$cfg" validator_ntp 1
 
   config_get UNBOUND_IP_DNS64    "$cfg" dns64_prefix "64:ff9b::/96"
+
   config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
   config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
+  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+
+  config_get UNBOUND_D_PROTOCOL  "$cfg" protocol mixed
   config_get UNBOUND_D_RECURSION "$cfg" recursion passive
   config_get UNBOUND_D_RESOURCE  "$cfg" resource small
-  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+
   config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120
 
 

net/unbound/files/unbound.uci

@@ -1,14 +1,17 @@
 config unbound
 	option dns64 '0'
 	option dns64_prefix '64:ff9b::/96'
-	option dnsmsaq_gate_name '0'
+	option dnsmasq_gate_name '0'
 	option dnsmasq_link_dns '0'
 	option dnsmasq_only_local '0'
 	option edns_size '1280'
+	option hide_binddata '1'
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
+	option protocol 'mixed'
 	option query_minimize '0'
+	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
 	option recursion 'passive'

net/unbound/patches/001-conf.patch

@@ -1,12 +1,12 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index c520c88..98a148a 100644
+index 55bbc32..14452fa 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
 @@ -1,20 +1,82 @@
 -#
 -# Example configuration file.
 -#
--# See unbound.conf(5) man page, version 1.5.10.
+-# See unbound.conf(5) man page, version 1.6.0.
 -#
 -# this is a comment.
 +##############################################################################