From cdeefec73e9e70a7180c9fb5a337bdefbe34e5b1 Mon Sep 17 00:00:00 2001
From: Eric Luehrsen
Date: Mon, 28 May 2018 12:50:14 -0400
Subject: [PATCH] unbound: provide transparent defaults with documentation
Some resource options bundled many Unbound.conf options and made customizing on top of UCI difficult. Make it easier to use Unbound built defaults (blank conf sections).
Signed-off-by: Eric Luehrsen
---
net/unbound/Makefile | 2 +-
net/unbound/files/README.md | 28 ++++++------
net/unbound/files/unbound.sh | 80 +++++++++++++++++++++--------------
net/unbound/files/unbound.uci | 6 +-
4 files changed, 68 insertions(+), 48 deletions(-)
diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index af52b51a8..8df91fc96 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index c4bf1b210..fe8305dce 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -204,7 +204,7 @@ config unbound
into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0'
- Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+ Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
option extended_stats '0'
Boolean. extended statistics are printed from unbound-control.
@@ -227,10 +227,11 @@ config unbound
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
- Set 'ip4_only' to avoid issues if you do not have native IP6.
- Set 'ip6_prefer' to possibly improve performance as well as
- not consume NAT paths for the client computers.
- Do not use 'ip6_only' unless testing.
+ ip4_only - limit issues if you do not have native IPv6
+ ip6_only - test environment only; could cauase problems
+ ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+ mixed - both IPv4 and IPv6
+ default - Unbound built-in defaults
option query_minimize '0'
Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +258,18 @@ config unbound
3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive'
- Unbound has numerous options for how it recurses. This UCI combines
- them into "passive," "aggressive," or Unbound's own "default."
- Passive is easy on resources, but slower until cache fills.
+ Unbound has many options for recrusion but UCI is bundled for simplicity.
+ passive - slower until cache fills but kind on CPU load
+ default - Unbound built-in defaults
+ aggressive - uses prefetching to handle more requests quickly
option resource 'small'
- Unbound has numerous options for resources. This UCI gives "tiny,"
- "small," "medium," and "large." Medium is most like the compiled
- defaults with a bit of balancing. Tiny is close to the published
- memory restricted configuration. Small 1/2 medium, and large 2x.
+ Unbound has many options for resources but UCI is bundled for simplicity.
+ tiny - similar to published memory restricted configuration
+ small - about half of medium
+ medium - similar to default, but fixed for consistency
+ default - Unbound built-in defaults
+ large - about double of medium
option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 002ce9fa4..696cb3753 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -449,7 +449,7 @@ unbound_mkdir() {
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "iterator will use built-in root hints"
+ logger -t unbound -s "default root hints (built in rootservers.net)"
fi
fi
@@ -463,7 +463,7 @@ unbound_mkdir() {
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "validator will use built-in trust anchor"
+ logger -t unbound -s "default trust anchor (built in root DS record)"
fi
fi
@@ -616,9 +616,13 @@ unbound_conf() {
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
- # No threading
echo "server:"
echo " username: unbound"
+ echo " chroot: \"$UNBOUND_VARDIR\""
+ echo " directory: \"$UNBOUND_VARDIR\""
+ echo " pidfile: \"$UNBOUND_PIDFILE\""
+ echo
+ # No threading
echo " num-threads: 1"
echo " msg-cache-slabs: 1"
echo " rrset-cache-slabs: 1"
@@ -632,6 +636,7 @@ unbound_conf() {
echo " outgoing-interface: ::0"
echo
# Logging
+ echo " use-syslog: yes"
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
@@ -677,12 +682,18 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
;;
- *)
+ mixed)
{
echo " do-ip4: yes"
echo " do-ip6: yes"
} >> $UNBOUND_CONFFILE
;;
+
+ *)
+ if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+ logger -t unbound -s "default protocol configuration"
+ fi
+ ;;
esac
@@ -708,15 +719,6 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
- {
- # Default Files
- echo " use-syslog: yes"
- echo " chroot: \"$UNBOUND_VARDIR\""
- echo " directory: \"$UNBOUND_VARDIR\""
- echo " pidfile: \"$UNBOUND_PIDFILE\""
- } >> $UNBOUND_CONFFILE
-
-
if [ -f "$UNBOUND_HINTFILE" ] ; then
# Optional hints if found
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
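Review bot: The new `*)` arm at the end of the protocol case swallows every unrecognised `option protocol` value, not only `default`, and its first-run-only log line `default protocol configuration` gives no hint that a typo (e.g. `ipv4_only`) has dropped the `do-ip4`/`do-ip6` restriction the user intended; before this change the catch-all at least still emitted the `mixed` pair. Give `default` its own arm with the current message and turn `*)` into a warning that names the offending value and is logged on every start, not just when `$UNBOUND_TIMEFILE` is absent. The `case` line with the variable name is outside the hunk, so the placeholder below needs the real variable; the enclosing `unbound_conf()` starts and ends outside the hunk as well.

```shell
# … unchanged: ip4_only / ip6_only / ip6_prefer / mixed arms …
default)
  if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
    logger -t unbound -s "default protocol configuration"
  fi
  ;;

*)
  # not a documented value; say so on every start so a typo is not mistaken for 'default'
  logger -t unbound -s "protocol '<case variable>' not recognized; using Unbound built-in defaults"
  ;;
esac
```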
@@ -764,7 +766,7 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
- logger -t unbound -s "default memory resource consumption"
+ logger -t unbound -s "default memory configuration"
fi
# Assembly of module-config: options is tricky; order matters
@@ -803,27 +805,26 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
- if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- {
- # Some query privacy but "strict" will break some name servers
- echo " qname-minimisation: yes"
- echo " qname-minimisation-strict: yes"
- } >> $UNBOUND_CONFFILE
-
- elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
- # Minor improvement on query privacy
- echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
- else
- echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
- fi
-
-
case "$UNBOUND_D_RECURSION" in
passive)
{
+ # Some query privacy but "strict" will break some servers
+ if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: no"
+ fi
+ # On demand fetching
echo " prefetch: no"
- echo " prefetch-key: no"
echo " target-fetch-policy: \"0 0 0 0 0\""
echo
} >> $UNBOUND_CONFFILE
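Review bot: Moving the `qname-minimisation` emission from before the `case "$UNBOUND_D_RECURSION" in` into the `passive)` arm means `option query_minimize` and `query_min_strict` are now only honoured for `recursion 'passive'` (and `aggressive`, per the matching arm); with the shipped default changed to `recursion 'default'` in this same commit, a user who explicitly enables query minimisation gets nothing written and whatever this Unbound version's built-in default is governs, a silent loss of a privacy setting — unless the `default`/`*)` arm, which is outside this hunk, re-emits the block. Query name minimisation is independent of prefetch and target-fetch tuning, so keep the `qname-minimisation` block where it was, above the `case`, and leave only `aggressive-nsec`, `prefetch-key`, `prefetch` and `target-fetch-policy` inside the arms; that also removes the duplicate copy in the `aggressive)` arm. If the intent really is that `default` passes the whole section through untouched, the README entries for `query_minimize` and `query_min_strict` should say they require `recursion` to be `passive` or `aggressive`. The enclosing `unbound_conf()` starts and ends outside the hunk.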
@@ -831,8 +832,23 @@ unbound_conf() {
aggressive)
{
+ # Some query privacy but "strict" will break some servers
+ if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+ -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ echo " qname-minimisation-strict: yes"
+ elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+ echo " qname-minimisation: yes"
+ else
+ echo " qname-minimisation: no"
+ fi
+ # Use DNSSEC to quickly understand NXDOMAIN ranges
+ if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+ echo " aggressive-nsec: yes"
+ echo " prefetch-key: yes"
+ fi
+ # Prefetch what can be
echo " prefetch: yes"
- echo " prefetch-key: yes"
echo " target-fetch-policy: \"3 2 1 0 0\""
echo
} >> $UNBOUND_CONFFILE
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 45034085a..2df2d6fa1 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -15,13 +15,13 @@ config unbound
option listen_port '53'
option localservice '1'
option manual_conf '0'
- option protocol 'mixed'
+ option protocol 'default'
option query_minimize '0'
option query_min_strict '0'
option rebind_localhost '0'
option rebind_protection '1'
- option recursion 'passive'
- option resource 'small'
+ option recursion 'default'
+ option resource 'default'
option root_age '9'
option ttl_min '120'
option unbound_control '0'
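Review bot: The ten-line `qname-minimisation` block added here is a verbatim copy of the one added to the `passive)` arm, differing only in the `prefetch-key` value, so the two copies will drift the next time one is edited; hoisting it above the `case` (or into a small helper function) keeps a single source of truth. Style nit on the same lines: `-a` inside `[ … ]` is the obsolescent XSI form and the backslash continuation makes the condition harder to read than two tests, `if [ "$UNBOUND_B_QRY_MINST" -gt 0 ] && [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then`. The enclosing `unbound_conf()` starts and ends outside the hunk.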