diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index eb82db766..17f3065f1 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index a850a65f4..a66ac74b5 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -20,7 +20,18 @@ Some UCI options will help Unbound and dnsmasq work together in **parallel**. Th
 Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
-## UCI Options
+## Back to Manual Configuration
+You don't want UCI, but don't worry. We have UCI for that. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
+
+All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
+
+Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
+
+ config unbound
+ option manual_conf '1'
+ option root_age '30'
+
+## Complete List of UCI Options
 **/etc/config/unbound**:
 config unbound
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 831210298..568c62741 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -104,6 +104,7 @@ create_domain_insecure() {
 unbound_mkdir() {
 mkdir -p $UNBOUND_VARDIR
+ touch $UNBOUND_CONFFILE
 if [ -f /etc/unbound/root.hints ] ; then
@@ -478,13 +479,6 @@ unbound_uci() {
 if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
- if [ -f /etc/unbound/unbound.conf ] ; then
- # You don't want UCI and use your own manual configuration
- # or with no base file whatever Unbound defaults are.
- cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
- fi
-
-
 # Don't want this being triggered. Maybe we could, but then the
 # base conf you provide would need to be just right.
 UNBOUND_B_DNSMASQ=0
@@ -505,13 +499,13 @@ unbound_own () {
 } > $UNBOUND_CHECKFILE
- if [ ! -f "$UNBOUND_CONFFILE" ] ; then
- # if somehow this happened
- touch $UNBOUND_CONFFILE
+ if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
+ # You are doing your own thing, so just copy /etc/ to /var/
+ cp -p /etc/unbound/* $UNBOUND_VARDIR/
 fi
- # Ensure Access
+ # Ensure access and prepare to jail
 chown -R unbound:unbound $UNBOUND_VARDIR
 chmod 775 $UNBOUND_VARDIR
 chmod 664 $UNBOUND_VARDIR/*
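Review bot: The `cp -p /etc/unbound/* $UNBOUND_VARDIR/` added to unbound_own is an unquoted glob without `-r`, so an empty `/etc/unbound` hands cp the literal pattern and any subdirectory there makes it fail with "omitting directory"; nothing in the hunk checks that exit status, so a manual setup may start with a partly populated `$UNBOUND_VARDIR`. It also copies everything in `/etc/unbound` where the branch removed from unbound_uci copied only unbound.conf, and the unchanged `chmod 664 $UNBOUND_VARDIR/*` below then makes each copied file writable by the unbound group — appropriate for the RFC 5011 `root.key` the README change describes, but not needed for the manual `unbound.conf`, which the daemon only reads and which, per the README, lives inside the directory that becomes its chroot. I would copy regular files only and keep the config read-only for the service user: `for f in /etc/unbound/* ; do [ -f "$f" ] && cp -p "$f" "$UNBOUND_VARDIR/" ; done`, then after the blanket chmod `chmod 644 "$UNBOUND_VARDIR/unbound.conf"`. Whether unbound_own runs under `set -e` is outside this hunk, so the loop's failure handling may need to match the rest of the script.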