LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

Merge pull request #3631 from EricLuehrsen/unbound_manconf 

Unbound: fix regression of manual conf for power user
lilik-openwrt-22.03
Hannu Nyman 8 years ago
committed by GitHub
parent
72ea367a15 1ed2270670
commit
9f7da38e77
3 changed files with 18 additions and 13 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      net/unbound/Makefile
  2. +12
    -1
      net/unbound/files/README.md
  3. +5
    -11
      net/unbound/files/unbound.sh

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.5.10
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


+ 12
- 1
net/unbound/files/README.md View File

@ -20,7 +20,18 @@ Some UCI options will help Unbound and dnsmasq work together in **parallel**. Th
Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
## UCI Options
## Back to Manual Configuration
You don't want UCI, but don't worry. We have UCI for that. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM.
All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`.
Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
config unbound
option manual_conf '1'
option root_age '30'
## Complete List of UCI Options
**/etc/config/unbound**:
config unbound


+ 5
- 11
net/unbound/files/unbound.sh View File

@ -104,6 +104,7 @@ create_domain_insecure() {
unbound_mkdir() {
mkdir -p $UNBOUND_VARDIR
touch $UNBOUND_CONFFILE
if [ -f /etc/unbound/root.hints ] ; then
@ -478,13 +479,6 @@ unbound_uci() {
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
if [ -f /etc/unbound/unbound.conf ] ; then
# You don't want UCI and use your own manual configuration
# or with no base file whatever Unbound defaults are.
cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
fi
# Don't want this being triggered. Maybe we could, but then the
# base conf you provide would need to be just right.
UNBOUND_B_DNSMASQ=0
@ -505,13 +499,13 @@ unbound_own () {
} > $UNBOUND_CHECKFILE
if [ ! -f "$UNBOUND_CONFFILE" ] ; then
# if somehow this happened
touch $UNBOUND_CONFFILE
if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
# You are doing your own thing, so just copy /etc/ to /var/
cp -p /etc/unbound/* $UNBOUND_VARDIR/
fi
# Ensure Access
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
chmod 664 $UNBOUND_VARDIR/*


Write Preview
Loading…
Cancel
Save