diff --git a/net/unbound/Makefile b/net/unbound/Makefile index af52b51a8..8df91fc96 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.7.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index c4bf1b210..fe8305dce 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -204,7 +204,7 @@ config unbound into MTU issues. Use this size in bytes to manage drop outs. option extended_luci '0' - Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration. + Boolean. Extends a tab hierarchy in LuCI for advanced configuration. option extended_stats '0' Boolean. extended statistics are printed from unbound-control. @@ -227,10 +227,11 @@ config unbound option protocol 'mixed' Unbound can limit its protocol used for recursive queries. - Set 'ip4_only' to avoid issues if you do not have native IP6. - Set 'ip6_prefer' to possibly improve performance as well as - not consume NAT paths for the client computers. - Do not use 'ip6_only' unless testing. + ip4_only - limit issues if you do not have native IPv6 + ip6_only - test environment only; could cauase problems + ip6_prefer - both IPv4 and IPv6 but try IPv6 first + mixed - both IPv4 and IPv6 + default - Unbound built-in defaults option query_minimize '0' Boolean. Enable a minor privacy option. Don't let each server know 
@@ -257,15 +258,18 @@ config unbound 3 - Plus DHCP-PD range passed down interfaces (not implemented) option recursion 'passive' - Unbound has numerous options for how it recurses. This UCI combines - them into "passive," "aggressive," or Unbound's own "default." - Passive is easy on resources, but slower until cache fills. + Unbound has many options for recrusion but UCI is bundled for simplicity. + passive - slower until cache fills but kind on CPU load + default - Unbound built-in defaults + aggressive - uses prefetching to handle more requests quickly option resource 'small' - Unbound has numerous options for resources. This UCI gives "tiny," - "small," "medium," and "large." Medium is most like the compiled - defaults with a bit of balancing. Tiny is close to the published - memory restricted configuration. Small 1/2 medium, and large 2x. + Unbound has many options for resources but UCI is bundled for simplicity. + tiny - similar to published memory restricted configuration + small - about half of medium + medium - similar to default, but fixed for consistency + default - Unbound built-in defaults + large - about double of medium option root_age '9' Days. >90 Disables. Age limit for Unbound root data like root diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 002ce9fa4..696cb3753 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -449,7 +449,7 @@ unbound_mkdir() { cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "iterator will use built-in root hints" + logger -t unbound -s "default root hints (built in rootservers.net)" fi fi @@ -463,7 +463,7 @@ unbound_mkdir() { $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "validator will use built-in trust anchor" + logger -t unbound -s "default trust anchor (built in root DS record)" fi fi 
@@ -616,9 +616,13 @@ unbound_conf() { # Make fresh conf file echo "# $UNBOUND_CONFFILE generated by UCI $( date )" echo - # No threading echo "server:" echo " username: unbound" + echo " chroot: \"$UNBOUND_VARDIR\"" + echo " directory: \"$UNBOUND_VARDIR\"" + echo " pidfile: \"$UNBOUND_PIDFILE\"" + echo + # No threading echo " num-threads: 1" echo " msg-cache-slabs: 1" echo " rrset-cache-slabs: 1" @@ -632,6 +636,7 @@ unbound_conf() { echo " outgoing-interface: ::0" echo # Logging + echo " use-syslog: yes" echo " verbosity: 1" echo " statistics-interval: 0" echo " statistics-cumulative: no" @@ -677,12 +682,18 @@ unbound_conf() { } >> $UNBOUND_CONFFILE ;; - *) + mixed) { echo " do-ip4: yes" echo " do-ip6: yes" } >> $UNBOUND_CONFFILE ;; + + *) + if [ ! -f "$UNBOUND_TIMEFILE" ] ; then + logger -t unbound -s "default protocol configuration" + fi + ;; esac @@ -708,15 +719,6 @@ unbound_conf() { } >> $UNBOUND_CONFFILE - { - # Default Files - echo " use-syslog: yes" - echo " chroot: \"$UNBOUND_VARDIR\"" - echo " directory: \"$UNBOUND_VARDIR\"" - echo " pidfile: \"$UNBOUND_PIDFILE\"" - } >> $UNBOUND_CONFFILE - - if [ -f "$UNBOUND_HINTFILE" ] ; then # Optional hints if found echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE @@ -764,7 +766,7 @@ unbound_conf() { } >> $UNBOUND_CONFFILE elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then - logger -t unbound -s "default memory resource consumption" + logger -t unbound -s "default memory configuration" fi # Assembly of module-config: options is tricky; order matters 
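Review bot: `chroot: \"$UNBOUND_VARDIR\"` is now the second setting in the server block, but nothing visible in unbound_conf() checks that $UNBOUND_VARDIR is non-empty before it is interpolated; as I read unbound.conf(5), an empty `chroot: ""` is exactly the spelling that disables the chroot, so a blank variable would silently drop the sandbox rather than fail. A guard at the top of the function, `[ -n "$UNBOUND_VARDIR" ] || { logger -t unbound -s "UNBOUND_VARDIR is empty; not writing $UNBOUND_CONFFILE"; return 1; }`, makes that failure loud. The moved lines also lost the `# Default Files` heading the old block carried; `# Process environment: chroot/working directory and pidfile` above the new `chroot:` echo would say why they sit ahead of the threading settings. unbound_conf() and the enclosing brace group begin outside this hunk.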
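Review bot: The new `*)` arm catches both the documented 'default' value and any misspelt `option protocol`, and it reports this only while $UNBOUND_TIMEFILE is absent, so a typo such as 'ip4only' leaves Unbound on both address families with no message after the first boot. I would give 'default' its own arm carrying the current first-boot message and make `*)` log unconditionally that the value was not recognised. The case statement and unbound_conf() start outside this hunk, so the variable being switched on is not visible here; sketch of the two arms:
```shell
    default)
      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
        logger -t unbound -s "default protocol configuration"
      fi
      ;;

    *)
      # unrecognised option value: say so on every run, not only at first boot
      logger -t unbound -s "unrecognised protocol option; using Unbound defaults"
      ;;
  esac
```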
@@ -803,27 +805,26 @@ unbound_conf() { } >> $UNBOUND_CONFFILE - if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then - { - # Some query privacy but "strict" will break some name servers - echo " qname-minimisation: yes" - echo " qname-minimisation-strict: yes" - } >> $UNBOUND_CONFFILE - - elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then - # Minor improvement on query privacy - echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE - - else - echo " qname-minimisation: no" >> $UNBOUND_CONFFILE - fi - - case "$UNBOUND_D_RECURSION" in passive) { + # Some query privacy but "strict" will break some servers + if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ + -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + echo " qname-minimisation-strict: yes" + elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + else + echo " qname-minimisation: no" + fi + # Use DNSSEC to quickly understand NXDOMAIN ranges + if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then + echo " aggressive-nsec: yes" + echo " prefetch-key: no" + fi + # On demand fetching echo " prefetch: no" - echo " prefetch-key: no" echo " target-fetch-policy: \"0 0 0 0 0\"" echo } >> $UNBOUND_CONFFILE @@ -831,8 +832,23 @@ unbound_conf() { aggressive) { + # Some query privacy but "strict" will break some servers + if [ "$UNBOUND_B_QRY_MINST" -gt 0 \ + -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + echo " qname-minimisation-strict: yes" + elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then + echo " qname-minimisation: yes" + else + echo " qname-minimisation: no" + fi + # Use DNSSEC to quickly understand NXDOMAIN ranges + if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then + echo " aggressive-nsec: yes" + echo " prefetch-key: yes" + fi + # Prefetch what can be echo " prefetch: yes" - echo " prefetch-key: yes" echo " target-fetch-policy: \"3 2 1 0 0\"" echo } >> $UNBOUND_CONFFILE 
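Review bot: With the unconditional qname-minimisation block removed (the `-` lines at the top of this hunk) and re-emitted only inside the `passive)` and `aggressive)` arms here and in the @@ -831 hunk, a recursion value handled by any other arm — including the 'default' value that unbound.uci now ships — writes no `qname-minimisation` line at all, so `option query_minimize '1'` silently stops having an effect unless an arm outside this hunk re-emits it. The two copies are also identical ten-line blocks that will drift apart over time. I would hoist the if/elif/else back to where the removed lines sat, directly before `case "$UNBOUND_D_RECURSION" in`, written to `$UNBOUND_CONFFILE` once, and keep only the `aggressive-nsec`, `prefetch` and `prefetch-key` lines in the arms. The case statement and unbound_conf() continue outside the hunk.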
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci index 45034085a..2df2d6fa1 100644 --- a/net/unbound/files/unbound.uci +++ b/net/unbound/files/unbound.uci @@ -15,13 +15,13 @@ config unbound option listen_port '53' option localservice '1' option manual_conf '0' - option protocol 'mixed' + option protocol 'default' option query_minimize '0' option query_min_strict '0' option rebind_localhost '0' option rebind_protection '1' - option recursion 'passive' - option resource 'small' + option recursion 'default' + option resource 'default' option root_age '9' option ttl_min '120' option unbound_control '0'
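Review bot: The shipped defaults for `recursion` and `resource` move from the tuned 'passive'/'small' profiles to 'default', which per the README hands cache sizing and prefetch behaviour to Unbound's compiled-in values; on small-memory routers that is likely a larger footprint than 'small' was, and nothing in the file records the reason. A `#` comment above these options, e.g. `# 'default' leaves protocol, recursion and resource to Unbound's built-in values (see README.md)`, would make the intent explicit to anyone editing /etc/config/unbound. Existing installs keep their saved UCI values, so the change only affects fresh installs.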