Browse Source
Unbound: Group patch work for example.conf.in
-Remove interlaced configuration changes --Less sensitive to upstream example.conf changes --Easier to read patch-of-patch work for maintenance -Use MEMORY CONTROL EXAMPLE from http://unbound.net/ --Review and rework with respect to previous pacakge --Effectively the same configuration as previous package -Disable DNSSEC by default due to real-time chicken-n-egg --Many OpenWrt target devices have no power-off clock (reboot) --User choice of work around should be conscious --Initial install should not fail reboot with DNSSEC default -Add some defaults explicitly to prevent surprises Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>lilik-openwrt-22.03
Eric Luehrsen
8 years ago
1 changed files with 84 additions and 123 deletions
Unified View
Diff Options
-
+84 -123net/unbound/patches/001-conf.patch
+ 84
- 123
net/unbound/patches/001-conf.patch
View File
| @ -1,133 +1,94 @@ | |||||
| diff --git a/doc/example.conf.in b/doc/example.conf.in | |||||
| index c520c88..af92a87 100644 | |||||
| --- a/doc/example.conf.in | --- a/doc/example.conf.in | ||||
| +++ b/doc/example.conf.in | +++ b/doc/example.conf.in | ||||
| @@ -38,6 +38,8 @@ server: | |||||
| # interface: 192.0.2.154 | |||||
| # interface: 192.0.2.154@5003 | |||||
| # interface: 2001:DB8::5 | |||||
| @@ -1,20 +1,81 @@ | |||||
| -# | |||||
| -# Example configuration file. | |||||
| -# | |||||
| -# See unbound.conf(5) man page, version 1.5.10. | |||||
| -# | |||||
| -# this is a comment. | |||||
| +############################################################################## | |||||
| +# MEMORY CONTROL EXAMPLE | |||||
| +# In the example config settings below memory usage is reduced. Some ser- | |||||
| +# vice levels are lower, notable very large data and a high TCP load are | |||||
| +# no longer supported ... are exceptional for the DNS. | |||||
| +# (http://unbound.net/documentation/unbound.conf.html) | |||||
| +############################################################################## | |||||
| #Use this to include other text into the file. | |||||
| #include: "otherfile.conf" | |||||
| # The server clause sets the main parameters. | |||||
| server: | |||||
| - # whitespace is not necessary, but looks cleaner. | |||||
| - # verbosity number, 0 is least verbose. 1 is default. | |||||
| + # verbosity 1 is default | |||||
| verbosity: 1 | |||||
| + # prevent any upstream core surprises (OpenWrt assumptions) | |||||
| + username: "unbound" | |||||
| + pidfile: "/var/run/unbound.pid" | |||||
| + directory: "/etc/unbound" | |||||
| + chroot: "" | |||||
| + | |||||
| + # no threads and no memory slabs for threads | |||||
| + num-threads: 1 | |||||
| + msg-cache-slabs: 1 | |||||
| + rrset-cache-slabs: 1 | |||||
| + infra-cache-slabs: 1 | |||||
| + key-cache-slabs: 1 | |||||
| + | |||||
| + # don't be picky about interfaces but consider your firewall | |||||
| + interface: 0.0.0.0 | + interface: 0.0.0.0 | ||||
| + interface: ::0 | + interface: ::0 | ||||
| # enable this feature to copy the source address of queries to reply. | |||||
| # Socket options are not supported on all platforms. experimental. | |||||
| @@ -66,6 +68,7 @@ server: | |||||
| # port range that can be open simultaneously. About double the | |||||
| # num-queries-per-thread, or, use as many as the OS will allow you. | |||||
| # outgoing-range: 4096 | |||||
| + outgoing-range: 60 | |||||
| # permit unbound to use this port number or port range for | |||||
| # making outgoing queries, using an outgoing interface. | |||||
| @@ -82,9 +85,11 @@ server: | |||||
| # number of outgoing simultaneous tcp buffers to hold per thread. | |||||
| # outgoing-num-tcp: 10 | |||||
| + outgoing-num-tcp: 1 | |||||
| # number of incoming simultaneous tcp buffers to hold per thread. | |||||
| # incoming-num-tcp: 10 | |||||
| + access-control: 0.0.0.0/0 allow | |||||
| + access-control: ::0/0 allow | |||||
| + | |||||
| + # this limits TCP service but uses less buffers | |||||
| + outgoing-num-tcp: 1 | |||||
| + incoming-num-tcp: 1 | + incoming-num-tcp: 1 | ||||
| # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). | |||||
| # 0 is system default. Use 4m to catch query spikes for busy servers. | |||||
| @@ -118,18 +123,22 @@ server: | |||||
| # buffer size for handling DNS data. No messages larger than this | |||||
| # size can be sent or received, by UDP or TCP. In bytes. | |||||
| # msg-buffer-size: 65552 | |||||
| + | |||||
| + # use somewhat higher port numbers versus possible NAT issue | |||||
| + outgoing-port-permit: "10240-65335" | |||||
| + | |||||
| + # uses less memory, but less performance | |||||
| + outgoing-range: 60 | |||||
| + num-queries-per-thread: 30 | |||||
| + | |||||
| + # exclude large responses | |||||
| + msg-buffer-size: 8192 | + msg-buffer-size: 8192 | ||||
| # the amount of memory to use for the message cache. | |||||
| # plain value in bytes or you can append k, m or G. default is "4Mb". | |||||
| # msg-cache-size: 4m | |||||
| + | |||||
| + # tiny memory cache | |||||
| + infra-cache-numhosts: 200 | |||||
| + msg-cache-size: 100k | + msg-cache-size: 100k | ||||
| # the number of slabs to use for the message cache. | |||||
| # the number of slabs must be a power of 2. | |||||
| # more slabs reduce lock contention, but fragment memory usage. | |||||
| # msg-cache-slabs: 4 | |||||
| + msg-cache-slabs: 1 | |||||
| # the number of queries that a thread gets to service. | |||||
| # num-queries-per-thread: 1024 | |||||
| + num-queries-per-thread: 30 | |||||
| # if very busy, 50% queries run to completion, 50% get timeout in msec | |||||
| # jostle-timeout: 200 | |||||
| @@ -140,11 +149,13 @@ server: | |||||
| # the amount of memory to use for the RRset cache. | |||||
| # plain value in bytes or you can append k, m or G. default is "4Mb". | |||||
| # rrset-cache-size: 4m | |||||
| + rrset-cache-size: 100k | + rrset-cache-size: 100k | ||||
| # the number of slabs to use for the RRset cache. | |||||
| # the number of slabs must be a power of 2. | |||||
| # more slabs reduce lock contention, but fragment memory usage. | |||||
| # rrset-cache-slabs: 4 | |||||
| + rrset-cache-slabs: 1 | |||||
| # the time to live (TTL) value lower bound, in seconds. Default 0. | |||||
| # If more than an hour could easily give trouble due to stale data. | |||||
| @@ -168,9 +179,11 @@ server: | |||||
| # the number of slabs must be a power of 2. | |||||
| # more slabs reduce lock contention, but fragment memory usage. | |||||
| # infra-cache-slabs: 4 | |||||
| + infra-cache-slabs: 1 | |||||
| # the maximum number of hosts that are cached (roundtrip, EDNS, lame). | |||||
| # infra-cache-numhosts: 10000 | |||||
| + infra-cache-numhosts: 200 | |||||
| # define a number of tags here, use with local-zone, access-control. | |||||
| # repeat the define-tag statement to add additional tags. | |||||
| @@ -215,6 +228,8 @@ server: | |||||
| # access-control: ::0/0 refuse | |||||
| # access-control: ::1 allow | |||||
| # access-control: ::ffff:127.0.0.1 allow | |||||
| + access-control: 0.0.0.0/0 allow | |||||
| + access-control: ::0/0 allow | |||||
| # tag access-control with list of tags (in "" with spaces between) | |||||
| # Clients using this access control element use localzones that | |||||
| @@ -309,12 +324,15 @@ server: | |||||
| # positive value: fetch that many targets opportunistically. | |||||
| # Enclose the list of numbers between quotes (""). | |||||
| # target-fetch-policy: "3 2 1 0 0" | |||||
| + target-fetch-policy: "2 1 0 0 0 0" | |||||
| # Harden against very small EDNS buffer sizes. | |||||
| # harden-short-bufsize: no | |||||
| + harden-short-bufsize: yes | |||||
| # Harden against unseemly large queries. | |||||
| # harden-large-queries: no | |||||
| + harden-large-queries: yes | |||||
| # Harden against out of zone rrsets, to avoid spoofing attempts. | |||||
| # harden-glue: yes | |||||
| @@ -414,7 +432,7 @@ server: | |||||
| # you start unbound (i.e. in the system boot scripts). And enable: | |||||
| # Please note usage of unbound-anchor root anchor is at your own risk | |||||
| # and under the terms of our LICENSE (see that file in the source). | |||||
| - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" | |||||
| + auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" | |||||
| # File with DLV trusted keys. Same format as trust-anchor-file. | |||||
| # There can be only one DLV configured, it is trusted from root down. | |||||
| @@ -504,15 +522,18 @@ server: | |||||
| # the amount of memory to use for the key cache. | |||||
| # plain value in bytes or you can append k, m or G. default is "4Mb". | |||||
| # key-cache-size: 4m | |||||
| + key-cache-size: 100k | + key-cache-size: 100k | ||||
| # the number of slabs to use for the key cache. | |||||
| # the number of slabs must be a power of 2. | |||||
| # more slabs reduce lock contention, but fragment memory usage. | |||||
| # key-cache-slabs: 4 | |||||
| + key-cache-slabs: 1 | |||||
| # the amount of memory to use for the negative cache (used for DLV). | |||||
| # plain value in bytes or you can append k, m or G. default is "1Mb". | |||||
| # neg-cache-size: 1m | |||||
| + neg-cache-size: 10k | + neg-cache-size: 10k | ||||
| # By default, for a number of zones a small default 'nothing here' | |||||
| # reply is built-in. Query traffic is thus blocked. If you | |||||
| + | |||||
| + # gentle on recursion | |||||
| + target-fetch-policy: "2 1 0 0 0 0" | |||||
| + harden-large-queries: yes | |||||
| + harden-short-bufsize: yes | |||||
| + | |||||
| + # Enable a trust anchor and modules "validator iterator." However, Unbound | |||||
| + # RFC5011 "auto-trust-anchor-" activity can be busy and harmful to flash ROM. | |||||
| + # "/etc/unbound" (directory & files) needs chown for write access. Else, use | |||||
| + # plain "trust-anchor-" to treat the key file as static. | |||||
| + #module-config: "validator iterator" | |||||
| + #auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" | |||||
| + #trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" | |||||
| + | |||||
| + # DNSSEC needs real time to validate signatures. If your device does not | |||||
| + # have power off clock (reboot), then you may need this work around. | |||||
| + #domain-insecure: "pool.ntp.org" | |||||
| + | |||||
| +############################################################################## | |||||
| +# Resume Stock example.conf.in | |||||
| +############################################################################## | |||||
| + | |||||
| # print statistics to the log (for every thread) every N seconds. | |||||
| # Set to "" or 0 to disable. Default is disabled. | |||||
| # statistics-interval: 0 | |||||