unbound: provide transparent defaults with documentation

Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

net/unbound/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

net/unbound/files/README.md

@@ -204,7 +204,7 @@ config unbound
     into MTU issues. Use this size in bytes to manage drop outs.
 
   option extended_luci '0'
-    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+    Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
 
   option extended_stats '0'
     Boolean. extended statistics are printed from unbound-control.
@@ -227,10 +227,11 @@ config unbound
 
   option protocol 'mixed'
     Unbound can limit its protocol used for recursive queries.
-    Set 'ip4_only' to avoid issues if you do not have native IP6.
-    Set 'ip6_prefer' to possibly improve performance as well as
-    not consume NAT paths for the client computers.
-    Do not use 'ip6_only' unless testing.
+    ip4_only - limit issues if you do not have native IPv6
+    ip6_only - test environment only; could cauase problems
+    ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+    mixed - both IPv4 and IPv6
+    default - Unbound built-in defaults
 
   option query_minimize '0'
     Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +258,18 @@ config unbound
     3 - Plus DHCP-PD range passed down interfaces (not implemented)
 
   option recursion 'passive'
-    Unbound has numerous options for how it recurses. This UCI combines
-    them into "passive," "aggressive," or Unbound's own "default."
-    Passive is easy on resources, but slower until cache fills.
+    Unbound has many options for recrusion but UCI is bundled for simplicity.
+    passive - slower until cache fills but kind on CPU load
+    default - Unbound built-in defaults
+    aggressive - uses prefetching to handle more requests quickly
 
   option resource 'small'
-    Unbound has numerous options for resources. This UCI gives "tiny,"
-    "small," "medium," and "large." Medium is most like the compiled
-    defaults with a bit of balancing. Tiny is close to the published
-    memory restricted configuration. Small 1/2 medium, and large 2x.
+    Unbound has many options for resources but UCI is bundled for simplicity.
+    tiny - similar to published memory restricted configuration
+    small - about half of medium
+    medium - similar to default, but fixed for consistency
+    default - Unbound built-in defaults
+    large - about double of medium
 
   option root_age '9'
     Days. >90 Disables. Age limit for Unbound root data like root

net/unbound/files/unbound.sh

@@ -449,7 +449,7 @@ unbound_mkdir() {
       cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
     fi
   fi
 
@@ -463,7 +463,7 @@ unbound_mkdir() {
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
     fi
   fi
 
@@ -616,9 +616,13 @@ unbound_conf() {
     # Make fresh conf file
     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
     echo
-    # No threading
     echo "server:"
     echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
     echo "  num-threads: 1"
     echo "  msg-cache-slabs: 1"
     echo "  rrset-cache-slabs: 1"
@@ -632,6 +636,7 @@ unbound_conf() {
     echo "  outgoing-interface: ::0"
     echo
     # Logging
+    echo "  use-syslog: yes"
     echo "  verbosity: 1"
     echo "  statistics-interval: 0"
     echo "  statistics-cumulative: no"
@@ -677,12 +682,18 @@ unbound_conf() {
       } >> $UNBOUND_CONFFILE
       ;;
 
-    *)
+    mixed)
       {
         echo "  do-ip4: yes"
         echo "  do-ip6: yes"
       } >> $UNBOUND_CONFFILE
       ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
   esac
 
 
@@ -708,15 +719,6 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
   if [ -f "$UNBOUND_HINTFILE" ] ; then
     # Optional hints if found
     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +766,7 @@ unbound_conf() {
     } >> $UNBOUND_CONFFILE
 
   elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
   fi
 
   # Assembly of module-config: options is tricky; order matters
@@ -803,27 +805,26 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
   case "$UNBOUND_D_RECURSION" in
     passive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: no"
+        fi
+        # On demand fetching
         echo "  prefetch: no"
-        echo "  prefetch-key: no"
         echo "  target-fetch-policy: \"0 0 0 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -831,8 +832,23 @@ unbound_conf() {
 
     aggressive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
         echo "  prefetch: yes"
-        echo "  prefetch-key: yes"
         echo "  target-fetch-policy: \"3 2 1 0 0\""
         echo
       } >> $UNBOUND_CONFFILE

net/unbound/files/unbound.uci

@@ -15,13 +15,13 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
-	option protocol 'mixed'
+	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
-	option recursion 'passive'
-	option resource 'small'
+	option recursion 'default'
+	option resource 'default'
 	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'