-dnsmasq really provides nice local DHCP-DNS records
-Unbound host records would be clumsy to update
-Unbound can be configured to forward to dnsmasq
-iptools provided to facilitate PTR records
-flexible ipv6 colon notation is a bit complex
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-DNSSEC needs time, time needs ntp, or power off RTC
-Many consumer routers are cost thrifted without RTC
-Conf "val-override-date: -1" disables time inside DNSSEC
-Need restart as option is not dynamically switchable
-hotplug/ntp is used to set file /var/lib/unbound/unbound.time
-UCI will add or remove option depending on flag-like-file
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-Patch for /etc/unbound/unbound.conf
--All work done in /var/lib/unbound/
--chroot or jail to /var/lib/unbound/
-Init script points to /usr/lib/unbound.sh
-Makefile to install new scripts in the package
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-Unbound RFC 5011 is busy and writes frequently
-RFC 5011 creates working files in same directory
-DNSSEC root.key managed in /var/lib/unbound
-Protect against flash ROM wear out in /etc/unbound
-Scripts will copy back every 7 days instead
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-Rebind to new interfaces cleanly
-Detach from old interfaces cleanly
-Some conf options do not reload dynamically
-Unbound grows some and this will shrink it
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
-Remove interlaced configuration changes
--Less sensitive to upstream example.conf changes
--Easier to read patch-of-patch work for maintenance
-Use MEMORY CONTROL EXAMPLE from http://unbound.net/
--Review and rework with respect to previous pacakge
--Effectively the same configuration as previous package
-Disable DNSSEC by default due to real-time chicken-n-egg
--Many OpenWrt target devices have no power-off clock (reboot)
--User choice of work around should be conscious
--Initial install should not fail reboot with DNSSEC default
-Add some defaults explicitly to prevent surprises
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Until now unbound was always running as root by default. A DNS resolver can
easily run under a non-privileged user.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
The commands aliased by $(INSTALL_BIN) and $(INSTALL_DATA) set good
permissions, unlike a raw file copy.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
The custom list of DNS root servers provided with the package is not necessary.
Unbound ships with a built-in list.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
This patch enables support for validating ECDSA signatures, which
are being deployed more and more in DNSSEC.
Proper validating can be tested by observing the AD flag in following
query (courtesy of Olafur Gudmundsson, CloudFlare):
$ dig ds-4.alg-14-nsec.dnssec-test.org
Signed-off-by: Ondřej Caletka <ondrej@caletka.cz>
This is an import of the net/unbound package from Subversion
revision 40658 (May 2, 2014). The only change is the addition of
PKG_LICENSE, PKG_LICENSE_FILE and PKG_MAINTAINER to Makefile.
Unbound 1.4.22 is the current upstream release.
Signed-off-by: Michael Hanselmann <public@hansmi.ch>