From acf40cf6aefd30f3f2040c3eda783ddf7d553dc5 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 17 Oct 2016 00:10:36 -0400 Subject: [PATCH] Unbound: Group patch work for example.conf.in -Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen --- net/unbound/patches/001-conf.patch | 207 ++++++++++++----------------- 1 file changed, 84 insertions(+), 123 deletions(-) diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch index f5cb8f41d..a318f6092 100644 --- a/net/unbound/patches/001-conf.patch +++ b/net/unbound/patches/001-conf.patch @@ -1,133 +1,94 @@ +diff --git a/doc/example.conf.in b/doc/example.conf.in +index c520c88..af92a87 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in -@@ -38,6 +38,8 @@ server: - # interface: 192.0.2.154 - # interface: 192.0.2.154@5003 - # interface: 2001:DB8::5 +@@ -1,20 +1,81 @@ +-# +-# Example configuration file. +-# +-# See unbound.conf(5) man page, version 1.5.10. +-# +-# this is a comment. ++############################################################################## ++# MEMORY CONTROL EXAMPLE ++# In the example config settings below memory usage is reduced. Some ser- ++# vice levels are lower, notable very large data and a high TCP load are ++# no longer supported ... are exceptional for the DNS. ++# (http://unbound.net/documentation/unbound.conf.html) ++############################################################################## + + #Use this to include other text into the file. + #include: "otherfile.conf" + + # The server clause sets the main parameters. + server: +- # whitespace is not necessary, but looks cleaner. + +- # verbosity number, 0 is least verbose. 1 is default. ++ # verbosity 1 is default + verbosity: 1 + ++ # prevent any upstream core surprises (OpenWrt assumptions) ++ username: "unbound" ++ pidfile: "/var/run/unbound.pid" ++ directory: "/etc/unbound" ++ chroot: "" ++ ++ # no threads and no memory slabs for threads ++ num-threads: 1 ++ msg-cache-slabs: 1 ++ rrset-cache-slabs: 1 ++ infra-cache-slabs: 1 ++ key-cache-slabs: 1 ++ ++ # don't be picky about interfaces but consider your firewall + interface: 0.0.0.0 + interface: ::0 - - # enable this feature to copy the source address of queries to reply. - # Socket options are not supported on all platforms. experimental. -@@ -66,6 +68,7 @@ server: - # port range that can be open simultaneously. About double the - # num-queries-per-thread, or, use as many as the OS will allow you. - # outgoing-range: 4096 -+ outgoing-range: 60 - - # permit unbound to use this port number or port range for - # making outgoing queries, using an outgoing interface. -@@ -82,9 +85,11 @@ server: - - # number of outgoing simultaneous tcp buffers to hold per thread. - # outgoing-num-tcp: 10 -+ outgoing-num-tcp: 1 - - # number of incoming simultaneous tcp buffers to hold per thread. - # incoming-num-tcp: 10 ++ access-control: 0.0.0.0/0 allow ++ access-control: ::0/0 allow ++ ++ # this limits TCP service but uses less buffers ++ outgoing-num-tcp: 1 + incoming-num-tcp: 1 - - # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). - # 0 is system default. Use 4m to catch query spikes for busy servers. -@@ -118,18 +123,22 @@ server: - # buffer size for handling DNS data. No messages larger than this - # size can be sent or received, by UDP or TCP. In bytes. - # msg-buffer-size: 65552 ++ ++ # use somewhat higher port numbers versus possible NAT issue ++ outgoing-port-permit: "10240-65335" ++ ++ # uses less memory, but less performance ++ outgoing-range: 60 ++ num-queries-per-thread: 30 ++ ++ # exclude large responses + msg-buffer-size: 8192 - - # the amount of memory to use for the message cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # msg-cache-size: 4m ++ ++ # tiny memory cache ++ infra-cache-numhosts: 200 + msg-cache-size: 100k - - # the number of slabs to use for the message cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # msg-cache-slabs: 4 -+ msg-cache-slabs: 1 - - # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 -+ num-queries-per-thread: 30 - - # if very busy, 50% queries run to completion, 50% get timeout in msec - # jostle-timeout: 200 -@@ -140,11 +149,13 @@ server: - # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # rrset-cache-size: 4m + rrset-cache-size: 100k - - # the number of slabs to use for the RRset cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # rrset-cache-slabs: 4 -+ rrset-cache-slabs: 1 - - # the time to live (TTL) value lower bound, in seconds. Default 0. - # If more than an hour could easily give trouble due to stale data. -@@ -168,9 +179,11 @@ server: - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # infra-cache-slabs: 4 -+ infra-cache-slabs: 1 - - # the maximum number of hosts that are cached (roundtrip, EDNS, lame). - # infra-cache-numhosts: 10000 -+ infra-cache-numhosts: 200 - - # define a number of tags here, use with local-zone, access-control. - # repeat the define-tag statement to add additional tags. -@@ -215,6 +228,8 @@ server: - # access-control: ::0/0 refuse - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow -+ access-control: 0.0.0.0/0 allow -+ access-control: ::0/0 allow - - # tag access-control with list of tags (in "" with spaces between) - # Clients using this access control element use localzones that -@@ -309,12 +324,15 @@ server: - # positive value: fetch that many targets opportunistically. - # Enclose the list of numbers between quotes (""). - # target-fetch-policy: "3 2 1 0 0" -+ target-fetch-policy: "2 1 0 0 0 0" - - # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no -+ harden-short-bufsize: yes - - # Harden against unseemly large queries. - # harden-large-queries: no -+ harden-large-queries: yes - - # Harden against out of zone rrsets, to avoid spoofing attempts. - # harden-glue: yes -@@ -414,7 +432,7 @@ server: - # you start unbound (i.e. in the system boot scripts). And enable: - # Please note usage of unbound-anchor root anchor is at your own risk - # and under the terms of our LICENSE (see that file in the source). -- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" -+ auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. -@@ -504,15 +522,18 @@ server: - # the amount of memory to use for the key cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - # key-cache-size: 4m + key-cache-size: 100k - - # the number of slabs to use for the key cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - # key-cache-slabs: 4 -+ key-cache-slabs: 1 - - # the amount of memory to use for the negative cache (used for DLV). - # plain value in bytes or you can append k, m or G. default is "1Mb". - # neg-cache-size: 1m + neg-cache-size: 10k - - # By default, for a number of zones a small default 'nothing here' - # reply is built-in. Query traffic is thus blocked. If you ++ ++ # gentle on recursion ++ target-fetch-policy: "2 1 0 0 0 0" ++ harden-large-queries: yes ++ harden-short-bufsize: yes ++ ++ # Enable a trust anchor and modules "validator iterator." However, Unbound ++ # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM. ++ # "/etc/unbound" (directory & files) needs chown for write access. Else, use ++ # plain "trust-anchor-" to treat the key file as static. ++ #module-config: "validator iterator" ++ #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" ++ #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" ++ ++ # DNSSEC needs real time to validate signatures. If your device does not ++ # have power off clock (reboot), then you may need this work around. ++ #domain-insecure: "pool.ntp.org" ++ ++############################################################################## ++# Resume Stock example.conf.in ++############################################################################## ++ + # print statistics to the log (for every thread) every N seconds. + # Set to "" or 0 to disable. Default is disabled. + # statistics-interval: 0