Browse Source

Merge pull request #6145 from EricLuehrsen/unbound_defdoc

unbound: add root zone file cache option
lilik-openwrt-22.03
Hannu Nyman 7 years ago
committed by GitHub
parent
commit
d7ffa9ca0e
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 120 additions and 56 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +21
    -12
      net/unbound/files/README.md
  3. +94
    -40
      net/unbound/files/unbound.sh
  4. +4
    -3
      net/unbound/files/unbound.uci

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.7.1
PKG_RELEASE:=1
PKG_RELEASE:=3
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE


+ 21
- 12
net/unbound/files/README.md View File

@ -204,7 +204,7 @@ config unbound
into MTU issues. Use this size in bytes to manage drop outs.
option extended_luci '0'
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
option extended_stats '0'
Boolean. extended statistics are printed from unbound-control.
@ -225,12 +225,18 @@ config unbound
Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf.
option prefetch_root '0'
Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
"in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
servers using http or AXFR (gTLD are unfortunately not as public).
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
Set 'ip4_only' to avoid issues if you do not have native IP6.
Set 'ip6_prefer' to possibly improve performance as well as
not consume NAT paths for the client computers.
Do not use 'ip6_only' unless testing.
ip4_only - limit issues if you do not have native IPv6
ip6_only - test environment only; could cauase problems
ip6_prefer - both IPv4 and IPv6 but try IPv6 first
mixed - both IPv4 and IPv6
default - Unbound built-in defaults
option query_minimize '0'
Boolean. Enable a minor privacy option. Don't let each server know
@ -257,15 +263,18 @@ config unbound
3 - Plus DHCP-PD range passed down interfaces (not implemented)
option recursion 'passive'
Unbound has numerous options for how it recurses. This UCI combines
them into "passive," "aggressive," or Unbound's own "default."
Passive is easy on resources, but slower until cache fills.
Unbound has many options for recrusion but UCI is bundled for simplicity.
passive - slower until cache fills but kind on CPU load
default - Unbound built-in defaults
aggressive - uses prefetching to handle more requests quickly
option resource 'small'
Unbound has numerous options for resources. This UCI gives "tiny,"
"small," "medium," and "large." Medium is most like the compiled
defaults with a bit of balancing. Tiny is close to the published
memory restricted configuration. Small 1/2 medium, and large 2x.
Unbound has many options for resources but UCI is bundled for simplicity.
tiny - similar to published memory restricted configuration
small - about half of medium
medium - similar to default, but fixed for consistency
default - Unbound built-in defaults
large - about double of medium
option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root


+ 94
- 40
net/unbound/files/unbound.sh View File

@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
UNBOUND_B_AUTH_ROOT=0
UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
@ -449,7 +450,7 @@ unbound_mkdir() {
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "iterator will use built-in root hints"
logger -t unbound -s "default root hints (built in rootservers.net)"
fi
fi
@ -463,7 +464,7 @@ unbound_mkdir() {
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "validator will use built-in trust anchor"
logger -t unbound -s "default trust anchor (built in root DS record)"
fi
fi
@ -605,6 +606,45 @@ unbound_forward() {
##############################################################################
unbound_auth_root() {
local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
local httpserver="http://www.internic.net/domain/"
local authzones="root arpa in-addr.arpa ip6.arpa"
local server zone realzone
# Download or AXFR the root and arpa zones to reduce the work needed at
# top level of recursion. If your users will hit many ccTLD or you have
# tracking logs resolving many PTR, then this can speed things up.
# Total size of text in TMPFS could be about 5MB.
if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
for zone in $authzones ; do
if [ "$zone" = "root" ] ; then
realzone="."
else
realzone=$zone
fi
{
echo "auth-zone:"
echo " name: \"$realzone\""
for server in $axfrservers ; do
echo " master: \"$server\""
done
echo " url: \"$httpserver$zone.zone\""
echo " fallback-enabled: yes"
echo " for-downstream: no"
echo " for-upstream: yes"
echo " zonefile: \"$zone.zone\""
echo
} >> $UNBOUND_CONFFILE
done
fi
}
##############################################################################
unbound_conf() {
local rt_mem rt_conn modulestring domain ifsubnet
@ -616,9 +656,13 @@ unbound_conf() {
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
# No threading
echo "server:"
echo " username: unbound"
echo " chroot: \"$UNBOUND_VARDIR\""
echo " directory: \"$UNBOUND_VARDIR\""
echo " pidfile: \"$UNBOUND_PIDFILE\""
echo
# No threading
echo " num-threads: 1"
echo " msg-cache-slabs: 1"
echo " rrset-cache-slabs: 1"
@ -632,6 +676,7 @@ unbound_conf() {
echo " outgoing-interface: ::0"
echo
# Logging
echo " use-syslog: yes"
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
@ -677,12 +722,18 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
;;
*)
mixed)
{
echo " do-ip4: yes"
echo " do-ip6: yes"
} >> $UNBOUND_CONFFILE
;;
*)
if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "default protocol configuration"
fi
;;
esac
@ -708,15 +759,6 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
{
# Default Files
echo " use-syslog: yes"
echo " chroot: \"$UNBOUND_VARDIR\""
echo " directory: \"$UNBOUND_VARDIR\""
echo " pidfile: \"$UNBOUND_PIDFILE\""
} >> $UNBOUND_CONFFILE
if [ -f "$UNBOUND_HINTFILE" ] ; then
# Optional hints if found
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@ -764,7 +806,7 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
logger -t unbound -s "default memory resource consumption"
logger -t unbound -s "default memory configuration"
fi
# Assembly of module-config: options is tricky; order matters
@ -803,27 +845,26 @@ unbound_conf() {
} >> $UNBOUND_CONFFILE
if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
{
# Some query privacy but "strict" will break some name servers
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
} >> $UNBOUND_CONFFILE
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
# Minor improvement on query privacy
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
else
echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
fi
case "$UNBOUND_D_RECURSION" in
passive)
{
# Some query privacy but "strict" will break some servers
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: no"
fi
# On demand fetching
echo " prefetch: no"
echo " prefetch-key: no"
echo " target-fetch-policy: \"0 0 0 0 0\""
echo
} >> $UNBOUND_CONFFILE
@ -831,8 +872,23 @@ unbound_conf() {
aggressive)
{
# Some query privacy but "strict" will break some servers
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
echo " qname-minimisation-strict: yes"
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
echo " qname-minimisation: yes"
else
echo " qname-minimisation: no"
fi
# Use DNSSEC to quickly understand NXDOMAIN ranges
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
echo " aggressive-nsec: yes"
echo " prefetch-key: yes"
fi
# Prefetch what can be
echo " prefetch: yes"
echo " prefetch-key: yes"
echo " target-fetch-policy: \"3 2 1 0 0\""
echo
} >> $UNBOUND_CONFFILE
@ -1070,6 +1126,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@ -1165,7 +1222,7 @@ unbound_uci() {
##############################################################################
_resolv_setup() {
unbound_resolv_setup() {
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
return
fi
@ -1194,7 +1251,7 @@ _resolv_setup() {
##############################################################################
_resolv_teardown() {
unbound_resolv_teardown() {
case $( cat /tmp/resolv.conf ) in
*"generated by Unbound UCI"*)
# our resolver file, reset to auto resolver file.
@ -1209,8 +1266,6 @@ _resolv_teardown() {
unbound_start() {
config_load unbound
config_foreach unbound_uci unbound
unbound_mkdir
@ -1229,19 +1284,18 @@ unbound_start() {
unbound_forward
unbound_auth_root
unbound_control
fi
_resolv_setup
unbound_resolv_setup
}
##############################################################################
unbound_stop() {
_resolv_teardown
unbound_resolv_teardown
rootzone_update
}


+ 4
- 3
net/unbound/files/unbound.uci View File

@ -15,13 +15,14 @@ config unbound
option listen_port '53'
option localservice '1'
option manual_conf '0'
option protocol 'mixed'
option prefetch_root '0'
option protocol 'default'
option query_minimize '0'
option query_min_strict '0'
option rebind_localhost '0'
option rebind_protection '1'
option recursion 'passive'
option resource 'small'
option recursion 'default'
option resource 'default'
option root_age '9'
option ttl_min '120'
option unbound_control '0'


Loading…
Cancel
Save