Merge pull request #6145 from EricLuehrsen/unbound_defdoc

unbound: add root zone file cache option

net/unbound/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

net/unbound/files/README.md

@@ -204,7 +204,7 @@ config unbound
     into MTU issues. Use this size in bytes to manage drop outs.
 
   option extended_luci '0'
-    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+    Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
 
   option extended_stats '0'
     Boolean. extended statistics are printed from unbound-control.
@@ -225,12 +225,18 @@ config unbound
     Boolean. Skip all this UCI nonsense. Manually edit the
     configuration. Make changes to /etc/unbound/unbound.conf.
 
+  option prefetch_root '0'
+    Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
+    "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
+    servers using http or AXFR (gTLD are unfortunately not as public).
+
   option protocol 'mixed'
     Unbound can limit its protocol used for recursive queries.
-    Set 'ip4_only' to avoid issues if you do not have native IP6.
-    Set 'ip6_prefer' to possibly improve performance as well as
-    not consume NAT paths for the client computers.
-    Do not use 'ip6_only' unless testing.
+    ip4_only - limit issues if you do not have native IPv6
+    ip6_only - test environment only; could cauase problems
+    ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+    mixed - both IPv4 and IPv6
+    default - Unbound built-in defaults
 
   option query_minimize '0'
     Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +263,18 @@ config unbound
     3 - Plus DHCP-PD range passed down interfaces (not implemented)
 
   option recursion 'passive'
-    Unbound has numerous options for how it recurses. This UCI combines
-    them into "passive," "aggressive," or Unbound's own "default."
-    Passive is easy on resources, but slower until cache fills.
+    Unbound has many options for recrusion but UCI is bundled for simplicity.
+    passive - slower until cache fills but kind on CPU load
+    default - Unbound built-in defaults
+    aggressive - uses prefetching to handle more requests quickly
 
   option resource 'small'
-    Unbound has numerous options for resources. This UCI gives "tiny,"
-    "small," "medium," and "large." Medium is most like the compiled
-    defaults with a bit of balancing. Tiny is close to the published
-    memory restricted configuration. Small 1/2 medium, and large 2x.
+    Unbound has many options for resources but UCI is bundled for simplicity.
+    tiny - similar to published memory restricted configuration
+    small - about half of medium
+    medium - similar to default, but fixed for consistency
+    default - Unbound built-in defaults
+    large - about double of medium
 
   option root_age '9'
     Days. >90 Disables. Age limit for Unbound root data like root

net/unbound/files/unbound.sh

@@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_QUERY_MIN=0
 UNBOUND_B_QRY_MINST=0
+UNBOUND_B_AUTH_ROOT=0
 
 UNBOUND_D_CONTROL=0
 UNBOUND_D_DOMAIN_TYPE=static
@@ -449,7 +450,7 @@ unbound_mkdir() {
       cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
     fi
   fi
 
@@ -463,7 +464,7 @@ unbound_mkdir() {
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
     fi
   fi
 
@@ -605,6 +606,45 @@ unbound_forward() {
 
 ##############################################################################
 
+unbound_auth_root() {
+  local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+  local httpserver="http://www.internic.net/domain/"
+  local authzones="root arpa in-addr.arpa ip6.arpa"
+  local server zone realzone
+  # Download or AXFR the root and arpa zones to reduce the work needed at
+  # top level of recursion. If your users will hit many ccTLD or you have
+  # tracking logs resolving many PTR, then this can speed things up.
+  # Total size of text in TMPFS could be about 5MB.
+
+
+  if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
+    for zone in $authzones ; do
+      if [ "$zone" = "root" ] ; then
+        realzone="."
+      else
+        realzone=$zone
+      fi
+
+
+      {
+        echo "auth-zone:"
+        echo "  name: \"$realzone\""
+        for server in $axfrservers ; do
+          echo "  master: \"$server\""
+        done
+        echo "  url: \"$httpserver$zone.zone\""
+        echo "  fallback-enabled: yes"
+        echo "  for-downstream: no"
+        echo "  for-upstream: yes"
+        echo "  zonefile: \"$zone.zone\""
+        echo
+      } >> $UNBOUND_CONFFILE
+    done
+  fi
+}
+
+##############################################################################
+
 unbound_conf() {
   local rt_mem rt_conn modulestring domain ifsubnet
 
@@ -616,9 +656,13 @@ unbound_conf() {
     # Make fresh conf file
     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
     echo
-    # No threading
     echo "server:"
     echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
     echo "  num-threads: 1"
     echo "  msg-cache-slabs: 1"
     echo "  rrset-cache-slabs: 1"
@@ -632,6 +676,7 @@ unbound_conf() {
     echo "  outgoing-interface: ::0"
     echo
     # Logging
+    echo "  use-syslog: yes"
     echo "  verbosity: 1"
     echo "  statistics-interval: 0"
     echo "  statistics-cumulative: no"
@@ -677,12 +722,18 @@ unbound_conf() {
       } >> $UNBOUND_CONFFILE
       ;;
 
-    *)
+    mixed)
       {
         echo "  do-ip4: yes"
         echo "  do-ip6: yes"
       } >> $UNBOUND_CONFFILE
       ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
   esac
 
 
@@ -708,15 +759,6 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
   if [ -f "$UNBOUND_HINTFILE" ] ; then
     # Optional hints if found
     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +806,7 @@ unbound_conf() {
     } >> $UNBOUND_CONFFILE
 
   elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
   fi
 
   # Assembly of module-config: options is tricky; order matters
@@ -803,27 +845,26 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
   case "$UNBOUND_D_RECURSION" in
     passive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: no"
+        fi
+        # On demand fetching
         echo "  prefetch: no"
-        echo "  prefetch-key: no"
         echo "  target-fetch-policy: \"0 0 0 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -831,8 +872,23 @@ unbound_conf() {
 
     aggressive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
         echo "  prefetch: yes"
-        echo "  prefetch-key: yes"
         echo "  target-fetch-policy: \"3 2 1 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -1070,6 +1126,7 @@ unbound_uci() {
   config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
   config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0
   config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
+  config_get_bool UNBOUND_B_AUTH_ROOT  "$cfg" prefetch_root 0
   config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
   config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
   config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1
@@ -1165,7 +1222,7 @@ unbound_uci() {
 
 ##############################################################################
 
-_resolv_setup() {
+unbound_resolv_setup() {
   if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
     return
   fi
@@ -1194,7 +1251,7 @@ _resolv_setup() {
 
 ##############################################################################
 
-_resolv_teardown() {
+unbound_resolv_teardown() {
   case $( cat /tmp/resolv.conf ) in
   *"generated by Unbound UCI"*)
     # our resolver file, reset to auto resolver file.
@@ -1209,8 +1266,6 @@ _resolv_teardown() {
 unbound_start() {
   config_load unbound
   config_foreach unbound_uci unbound
-
-
   unbound_mkdir
 
 
@@ -1229,19 +1284,18 @@ unbound_start() {
 
 
     unbound_forward
+    unbound_auth_root
     unbound_control
   fi
 
 
-  _resolv_setup
+  unbound_resolv_setup
 }
 
 ##############################################################################
 
 unbound_stop() {
-  _resolv_teardown
-
-
+  unbound_resolv_teardown
   rootzone_update
 }
 

net/unbound/files/unbound.uci

@@ -15,13 +15,14 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
-	option protocol 'mixed'
+	option prefetch_root '0'
+	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
-	option recursion 'passive'
-	option resource 'small'
+	option recursion 'default'
+	option resource 'default'
 	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'