LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23238 Commits
1 Branch
46 MiB
Tree: 6375f73b29
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6375f73b29'
${ noResults }
openwrt-packages-dist/net/unbound/patches/100-example-conf-in.patch

86 lines
2.9 KiB
Raw Normal View History

unbound: add patches for leaks during TLS query Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
6 years ago
unbound: log openssl-1.0.2 lacks TLS host verification ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do host cert verification. DNS over TLS connects, but hosts are unverified. A patch for log err is added with a noitce in README.md. (see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658) Also, squash some minor robustness and TLS usability fixes. Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
6 years ago
Import net/unbound package from Subversion This is an import of the net/unbound package from Subversion revision 40658 (May 2, 2014). The only change is the addition of PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile. Unbound 1.4.22 is the current upstream release. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
10 years ago
unbound: update to 1.7.3 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
6 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
unbound: update to 1.6.4 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
7 years ago
unbound: update to 1.7.3 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
6 years ago
Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Import net/unbound package from Subversion This is an import of the net/unbound package from Subversion revision 40658 (May 2, 2014). The only change is the addition of PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile. Unbound 1.4.22 is the current upstream release. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
10 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
unbound: Update to 1.6.1 with 2017 trust anchor Unbound 1.6.1 has a few bug fixes for resource leaks, configuration robustness, compile environment interaction, and maintaining the trust anchor. The 2017 trust anchor (DS) is built into unbound and unbound-anchor. File /etc/unbound/root.key holds 2010/2017 DS record until 2018 https://www.icann.org/resources/pages/ksk-rollover https://www.iana.org/domains/root Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
7 years ago
Import net/unbound package from Subversion This is an import of the net/unbound package from Subversion revision 40658 (May 2, 2014). The only change is the addition of PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile. Unbound 1.4.22 is the current upstream release. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
10 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Import net/unbound package from Subversion This is an import of the net/unbound package from Subversion revision 40658 (May 2, 2014). The only change is the addition of PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile. Unbound 1.4.22 is the current upstream release. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
10 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Import net/unbound package from Subversion This is an import of the net/unbound package from Subversion revision 40658 (May 2, 2014). The only change is the addition of PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile. Unbound 1.4.22 is the current upstream release. Signed-off-by: Michael Hanselmann <public@hansmi.ch>
10 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Incorporate hotplug/iface and root.key in tmpfs -Patch for /etc/unbound/unbound.conf --All work done in /var/lib/unbound/ --chroot or jail to /var/lib/unbound/ -Init script points to /usr/lib/unbound.sh -Makefile to install new scripts in the package Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
unbound: update to 1.7.3 Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
6 years ago
Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
8 years ago
 
  1. OpenWrt (modification):
  2. Patch the default configuration file with the tiny memory
  3. configuration example from Unbound documentation. This is the best
  4. starting point for embedded routers if one is not going to use UCI.
  5. 

  6. Index: doc/example.conf.in

  7. ===================================================================

  8. --- a/doc/example.conf.in

  9. +++ b/doc/example.conf.in

  10. @@ -15,6 +15,76 @@ server:

  11.  	# verbosity number, 0 is least verbose. 1 is default.
  12.  	verbosity: 1
  13. 

  14. +	############################################################################

  15. +	# MEMORY CONTROL EXAMPLE

  16. +	# In the example config settings below memory usage is reduced. Some ser-

  17. +	# vice levels are lower, notable very large data and a high TCP load are

  18. +	# no longer supported ... are exceptional for the DNS.

  19. +	# (http://unbound.net/documentation/unbound.conf.html)

  20. +	############################################################################

  21. +

  22. +	# Self jail Unbound with user "unbound" to /var/lib/unbound

  23. +	# The script /etc/init.d/unbound will setup the location

  24. +	username: "unbound"

  25. +	directory: "/var/lib/unbound"

  26. +	chroot: "/var/lib/unbound"

  27. +

  28. +	# The pid file is created before privleges drop so no concern

  29. +	pidfile: "/var/run/unbound.pid"

  30. +

  31. +	# no threads and no memory slabs for threads

  32. +	num-threads: 1

  33. +	msg-cache-slabs: 1

  34. +	rrset-cache-slabs: 1

  35. +	infra-cache-slabs: 1

  36. +	key-cache-slabs: 1

  37. +

  38. +	# don't be picky about interfaces but consider your firewall

  39. +	interface: 0.0.0.0

  40. +	interface: ::0

  41. +	access-control: 0.0.0.0/0 allow

  42. +	access-control: ::0/0 allow

  43. +

  44. +	# this limits TCP service but uses less buffers

  45. +	outgoing-num-tcp: 1

  46. +	incoming-num-tcp: 1

  47. +

  48. +	# use somewhat higher port numbers versus possible NAT issue

  49. +	outgoing-port-permit: "10240-65335"

  50. +

  51. +	# uses less memory but less performance

  52. +	outgoing-range: 60

  53. +	num-queries-per-thread: 30

  54. +

  55. +	# exclude large responses

  56. +	msg-buffer-size: 8192

  57. +

  58. +	# tiny memory cache

  59. +	infra-cache-numhosts: 200

  60. +	msg-cache-size: 100k

  61. +	rrset-cache-size: 100k

  62. +	key-cache-size: 100k

  63. +	neg-cache-size: 10k

  64. +

  65. +	# gentle on recursion

  66. +	target-fetch-policy: "2 1 0 0 0 0"

  67. +	harden-large-queries: yes

  68. +	harden-short-bufsize: yes

  69. +

  70. +	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-

  71. +	# -anchor-file:" The init script will copy root key to /var/lib/unbound.

  72. +	# See package documentation for crontab entry to copy RFC5011 results back.

  73. +	#module-config: "validator iterator"

  74. +	#auto-trust-anchor-file: "/var/lib/unbound/root.key"

  75. +

  76. +	# DNSSEC needs real time to validate signatures. If your device does not

  77. +	# have power off clock (reboot), then you may need this work around.

  78. +	#domain-insecure: "pool.ntp.org"

  79. +

  80. +	############################################################################

  81. +	# Resume Stock example.conf.in

  82. +	############################################################################

  83. +

  84.  	# print statistics to the log (for every thread) every N seconds.
  85.  	# Set to "" or 0 to disable. Default is disabled.
  86.  	# statistics-interval: 0