unbound: improve interface trigger behavior

procd interface triggers may be busy. Unbound hard restarts will flush the cache. This might happen frequently depending on how interface triggers occur. Change the procd trigger to reduce occurences. Load this trigger prior to netifd (START=20), but only truly start Unbound from the trigger rather than immediately in init. Clean up log entries in scripts after Unbound, NTP, and DNSSEC are established. Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2017-03-25 01:53:28 -04:00 · 2017-03-25 01:53:28 -04:00 · e6520cf249
commit e6520cf249
parent fb199062a6
5 changed files with 53 additions and 13 deletions
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.6.1
-PKG_RELEASE:=5
+PKG_RELEASE:=6

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/net/unbound/files/odhcpd.awk
+++ b/net/unbound/files/odhcpd.awk
@ -28,10 +28,13 @@

 /^#/ {
  # We need to pick out DHCP v4 or v6 records
-  net = $2 ; id = $3 ; cls = $4 ; hst = $5 ; adr = $9 ;
+  net = $2 ; id = $3 ; cls = $4 ; hst = $5 ; adr = $9 ; adr2 = $10
  cdr = adr ;
+  cdr2 = adr2 ;
  sub( /\/.*/, "", adr ) ;
  sub( /.*\//, "", cdr ) ;
+  sub( /\/.*/, "", adr2 ) ;
+  sub( /.*\//, "", cdr2 ) ;


  if ( bisolt == 1 ) {
@ -132,6 +135,22 @@
        print ( x "\n" y ) > hostfile ;
      }
    }
+    
+    if (( cdr2 == 128 ) && ( hst != "-" )) {
+      if ( bconf == 1 ) {
+        x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr2 "\"" ) ;
+        y = ( "local-data-ptr: \"" adr2 " 120 " fqdn "\"" ) ;
+        print ( x "\n" y ) > hostfile ;
+      }
+
+      else {
+        # odhcp puts GA and ULA on the same line (position 9 and 10)
+        qpr2 = ipv6_ptr( adr2 ) ;
+        x = ( fqdn ". 120 IN AAAA " adr2 ) ;
+        y = ( qpr2 ". 120 IN PTR " fqdn ) ;
+        print ( x "\n" y ) > hostfile ;
+      }
+    }
  }
 }

--- a/net/unbound/files/unbound.init
+++ b/net/unbound/files/unbound.init
@ -9,7 +9,8 @@
 #
 ##############################################################################

-START=60
+START=19
+STOP=50
 USE_PROCD=1
 PROG=/usr/sbin/unbound

@ -19,9 +20,18 @@ PROG=/usr/sbin/unbound

 ##############################################################################

+boot() {
+  UNBOUND_BOOT=1
+  start "$@"
+}
+
+##############################################################################
+
 start_service() {
-  # WAIT! Unbound often takes its time writing closure stats to syslog
-  pidof $PROG && sleep 1
+  if [ -n "$UNBOUND_BOOT" ] ; then
+    # Load procd triggers (rc) and use event IFUP to really start
+    return 0
+  fi

  # complex UCI work
  unbound_start
@ -37,13 +47,17 @@ start_service() {

 stop_service() {
  unbound_stop
+  
+  # Wait! on restart Unbound may take time writing closure stats to syslog
+  pidof $PROG && sleep 1
 }

 ##############################################################################

 service_triggers() {
+  # use soft reload to prevent continuous stop-start and cache flush
  procd_add_reload_trigger "unbound"
-  procd_add_raw_trigger "interface.*" 2000 /etc/init.d/unbound restart
+  procd_add_raw_trigger "interface.*.up" 2000 /etc/init.d/unbound reload
 }

 ##############################################################################
--- a/net/unbound/files/unbound.ntpd
+++ b/net/unbound/files/unbound.ntpd
@ -20,6 +20,7 @@
 if [ "$ACTION" = stratum -a ! -f "$UNBOUND_TIMEFILE" ] ; then
  echo "ntpd: $( date )" > $UNBOUND_TIMEFILE
  /etc/init.d/unbound enabled && /etc/init.d/unbound restart
+  # Yes, hard RESTART. We need to be absolutely sure to enable DNSSEC.
 fi

 ##############################################################################
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -315,7 +315,7 @@ unbound_mkdir() {
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE

-    else
+    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "iterator will use built-in root hints"
    fi
  fi
@ -329,7 +329,7 @@ unbound_mkdir() {
    elif [ -x $UNBOUND_ANCHOR ] ; then
      $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE

-    else
+    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "validator will use built-in trust anchor"
    fi
  fi
@ -526,7 +526,7 @@ unbound_conf() {
      echo
    } >> $UNBOUND_CONFFILE

-  else
+  elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
    logger -t unbound -s "default memory resource consumption"
  fi

@ -602,7 +602,9 @@ unbound_conf() {
      ;;

    *)
-      logger -t unbound -s "default recursion configuration"
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default recursion configuration"
+      fi
      ;;
  esac

@ -822,7 +824,11 @@ unbound_uci() {

    if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
      UNBOUND_D_DHCP_LINK=dnsmasq
-      logger -t unbound -s "Please use 'dhcp_link' selector instead"
+      
+      
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "Please use 'dhcp_link' selector instead"
+      fi
    fi
  fi

@ -835,7 +841,7 @@ unbound_uci() {
    fi


-    if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
+    if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi
@ -849,7 +855,7 @@ unbound_uci() {
    fi


-    if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
+    if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi