Merge pull request #6145 from EricLuehrsen/unbound_defdoc
unbound: add root zone file cache option
commit
d7ffa9ca0e
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=unbound
|
||||
PKG_VERSION:=1.7.1
|
||||
PKG_RELEASE:=1
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_LICENSE:=BSD-3-Clause
|
||||
PKG_LICENSE_FILES:=LICENSE
|
||||
|
|
|
@ -204,7 +204,7 @@ config unbound
|
|||
into MTU issues. Use this size in bytes to manage drop outs.
|
||||
|
||||
option extended_luci '0'
|
||||
Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
|
||||
Boolean. Extends a tab hierarchy in LuCI for advanced configuration.
|
||||
|
||||
option extended_stats '0'
|
||||
Boolean. extended statistics are printed from unbound-control.
|
||||
|
@ -225,12 +225,18 @@ config unbound
|
|||
Boolean. Skip all this UCI nonsense. Manually edit the
|
||||
configuration. Make changes to /etc/unbound/unbound.conf.
|
||||
|
||||
option prefetch_root '0'
|
||||
Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
|
||||
"in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
|
||||
servers using http or AXFR (gTLD are unfortunately not as public).
|
||||
|
||||
option protocol 'mixed'
|
||||
Unbound can limit its protocol used for recursive queries.
|
||||
Set 'ip4_only' to avoid issues if you do not have native IP6.
|
||||
Set 'ip6_prefer' to possibly improve performance as well as
|
||||
not consume NAT paths for the client computers.
|
||||
Do not use 'ip6_only' unless testing.
|
||||
ip4_only - limit issues if you do not have native IPv6
|
||||
ip6_only - test environment only; could cauase problems
|
||||
ip6_prefer - both IPv4 and IPv6 but try IPv6 first
|
||||
mixed - both IPv4 and IPv6
|
||||
default - Unbound built-in defaults
|
||||
|
||||
option query_minimize '0'
|
||||
Boolean. Enable a minor privacy option. Don't let each server know
|
||||
|
@ -257,15 +263,18 @@ config unbound
|
|||
3 - Plus DHCP-PD range passed down interfaces (not implemented)
|
||||
|
||||
option recursion 'passive'
|
||||
Unbound has numerous options for how it recurses. This UCI combines
|
||||
them into "passive," "aggressive," or Unbound's own "default."
|
||||
Passive is easy on resources, but slower until cache fills.
|
||||
Unbound has many options for recrusion but UCI is bundled for simplicity.
|
||||
passive - slower until cache fills but kind on CPU load
|
||||
default - Unbound built-in defaults
|
||||
aggressive - uses prefetching to handle more requests quickly
|
||||
|
||||
option resource 'small'
|
||||
Unbound has numerous options for resources. This UCI gives "tiny,"
|
||||
"small," "medium," and "large." Medium is most like the compiled
|
||||
defaults with a bit of balancing. Tiny is close to the published
|
||||
memory restricted configuration. Small 1/2 medium, and large 2x.
|
||||
Unbound has many options for resources but UCI is bundled for simplicity.
|
||||
tiny - similar to published memory restricted configuration
|
||||
small - about half of medium
|
||||
medium - similar to default, but fixed for consistency
|
||||
default - Unbound built-in defaults
|
||||
large - about double of medium
|
||||
|
||||
option root_age '9'
|
||||
Days. >90 Disables. Age limit for Unbound root data like root
|
||||
|
|
|
@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
|
|||
UNBOUND_B_NTP_BOOT=1
|
||||
UNBOUND_B_QUERY_MIN=0
|
||||
UNBOUND_B_QRY_MINST=0
|
||||
UNBOUND_B_AUTH_ROOT=0
|
||||
|
||||
UNBOUND_D_CONTROL=0
|
||||
UNBOUND_D_DOMAIN_TYPE=static
|
||||
|
@ -449,7 +450,7 @@ unbound_mkdir() {
|
|||
cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
|
||||
|
||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||
logger -t unbound -s "iterator will use built-in root hints"
|
||||
logger -t unbound -s "default root hints (built in rootservers.net)"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -463,7 +464,7 @@ unbound_mkdir() {
|
|||
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
|
||||
|
||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||
logger -t unbound -s "validator will use built-in trust anchor"
|
||||
logger -t unbound -s "default trust anchor (built in root DS record)"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
@ -605,6 +606,45 @@ unbound_forward() {
|
|||
|
||||
##############################################################################
|
||||
|
||||
unbound_auth_root() {
|
||||
local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
|
||||
local httpserver="http://www.internic.net/domain/"
|
||||
local authzones="root arpa in-addr.arpa ip6.arpa"
|
||||
local server zone realzone
|
||||
# Download or AXFR the root and arpa zones to reduce the work needed at
|
||||
# top level of recursion. If your users will hit many ccTLD or you have
|
||||
# tracking logs resolving many PTR, then this can speed things up.
|
||||
# Total size of text in TMPFS could be about 5MB.
|
||||
|
||||
|
||||
if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
|
||||
for zone in $authzones ; do
|
||||
if [ "$zone" = "root" ] ; then
|
||||
realzone="."
|
||||
else
|
||||
realzone=$zone
|
||||
fi
|
||||
|
||||
|
||||
{
|
||||
echo "auth-zone:"
|
||||
echo " name: \"$realzone\""
|
||||
for server in $axfrservers ; do
|
||||
echo " master: \"$server\""
|
||||
done
|
||||
echo " url: \"$httpserver$zone.zone\""
|
||||
echo " fallback-enabled: yes"
|
||||
echo " for-downstream: no"
|
||||
echo " for-upstream: yes"
|
||||
echo " zonefile: \"$zone.zone\""
|
||||
echo
|
||||
} >> $UNBOUND_CONFFILE
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
|
||||
unbound_conf() {
|
||||
local rt_mem rt_conn modulestring domain ifsubnet
|
||||
|
||||
|
@ -616,9 +656,13 @@ unbound_conf() {
|
|||
# Make fresh conf file
|
||||
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
|
||||
echo
|
||||
# No threading
|
||||
echo "server:"
|
||||
echo " username: unbound"
|
||||
echo " chroot: \"$UNBOUND_VARDIR\""
|
||||
echo " directory: \"$UNBOUND_VARDIR\""
|
||||
echo " pidfile: \"$UNBOUND_PIDFILE\""
|
||||
echo
|
||||
# No threading
|
||||
echo " num-threads: 1"
|
||||
echo " msg-cache-slabs: 1"
|
||||
echo " rrset-cache-slabs: 1"
|
||||
|
@ -632,6 +676,7 @@ unbound_conf() {
|
|||
echo " outgoing-interface: ::0"
|
||||
echo
|
||||
# Logging
|
||||
echo " use-syslog: yes"
|
||||
echo " verbosity: 1"
|
||||
echo " statistics-interval: 0"
|
||||
echo " statistics-cumulative: no"
|
||||
|
@ -677,12 +722,18 @@ unbound_conf() {
|
|||
} >> $UNBOUND_CONFFILE
|
||||
;;
|
||||
|
||||
*)
|
||||
mixed)
|
||||
{
|
||||
echo " do-ip4: yes"
|
||||
echo " do-ip6: yes"
|
||||
} >> $UNBOUND_CONFFILE
|
||||
;;
|
||||
|
||||
*)
|
||||
if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||
logger -t unbound -s "default protocol configuration"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
|
||||
|
@ -708,15 +759,6 @@ unbound_conf() {
|
|||
} >> $UNBOUND_CONFFILE
|
||||
|
||||
|
||||
{
|
||||
# Default Files
|
||||
echo " use-syslog: yes"
|
||||
echo " chroot: \"$UNBOUND_VARDIR\""
|
||||
echo " directory: \"$UNBOUND_VARDIR\""
|
||||
echo " pidfile: \"$UNBOUND_PIDFILE\""
|
||||
} >> $UNBOUND_CONFFILE
|
||||
|
||||
|
||||
if [ -f "$UNBOUND_HINTFILE" ] ; then
|
||||
# Optional hints if found
|
||||
echo " root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
|
||||
|
@ -764,7 +806,7 @@ unbound_conf() {
|
|||
} >> $UNBOUND_CONFFILE
|
||||
|
||||
elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
|
||||
logger -t unbound -s "default memory resource consumption"
|
||||
logger -t unbound -s "default memory configuration"
|
||||
fi
|
||||
|
||||
# Assembly of module-config: options is tricky; order matters
|
||||
|
@ -803,27 +845,26 @@ unbound_conf() {
|
|||
} >> $UNBOUND_CONFFILE
|
||||
|
||||
|
||||
if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
{
|
||||
# Some query privacy but "strict" will break some name servers
|
||||
echo " qname-minimisation: yes"
|
||||
echo " qname-minimisation-strict: yes"
|
||||
} >> $UNBOUND_CONFFILE
|
||||
|
||||
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
# Minor improvement on query privacy
|
||||
echo " qname-minimisation: yes" >> $UNBOUND_CONFFILE
|
||||
|
||||
else
|
||||
echo " qname-minimisation: no" >> $UNBOUND_CONFFILE
|
||||
fi
|
||||
|
||||
|
||||
case "$UNBOUND_D_RECURSION" in
|
||||
passive)
|
||||
{
|
||||
# Some query privacy but "strict" will break some servers
|
||||
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
|
||||
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
echo " qname-minimisation: yes"
|
||||
echo " qname-minimisation-strict: yes"
|
||||
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
echo " qname-minimisation: yes"
|
||||
else
|
||||
echo " qname-minimisation: no"
|
||||
fi
|
||||
# Use DNSSEC to quickly understand NXDOMAIN ranges
|
||||
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
|
||||
echo " aggressive-nsec: yes"
|
||||
echo " prefetch-key: no"
|
||||
fi
|
||||
# On demand fetching
|
||||
echo " prefetch: no"
|
||||
echo " prefetch-key: no"
|
||||
echo " target-fetch-policy: \"0 0 0 0 0\""
|
||||
echo
|
||||
} >> $UNBOUND_CONFFILE
|
||||
|
@ -831,8 +872,23 @@ unbound_conf() {
|
|||
|
||||
aggressive)
|
||||
{
|
||||
# Some query privacy but "strict" will break some servers
|
||||
if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
|
||||
-a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
echo " qname-minimisation: yes"
|
||||
echo " qname-minimisation-strict: yes"
|
||||
elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
|
||||
echo " qname-minimisation: yes"
|
||||
else
|
||||
echo " qname-minimisation: no"
|
||||
fi
|
||||
# Use DNSSEC to quickly understand NXDOMAIN ranges
|
||||
if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
|
||||
echo " aggressive-nsec: yes"
|
||||
echo " prefetch-key: yes"
|
||||
fi
|
||||
# Prefetch what can be
|
||||
echo " prefetch: yes"
|
||||
echo " prefetch-key: yes"
|
||||
echo " target-fetch-policy: \"3 2 1 0 0\""
|
||||
echo
|
||||
} >> $UNBOUND_CONFFILE
|
||||
|
@ -1070,6 +1126,7 @@ unbound_uci() {
|
|||
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
|
||||
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
|
||||
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
|
||||
config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
|
||||
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
|
||||
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
|
||||
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
|
||||
|
@ -1165,7 +1222,7 @@ unbound_uci() {
|
|||
|
||||
##############################################################################
|
||||
|
||||
_resolv_setup() {
|
||||
unbound_resolv_setup() {
|
||||
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
|
||||
return
|
||||
fi
|
||||
|
@ -1194,7 +1251,7 @@ _resolv_setup() {
|
|||
|
||||
##############################################################################
|
||||
|
||||
_resolv_teardown() {
|
||||
unbound_resolv_teardown() {
|
||||
case $( cat /tmp/resolv.conf ) in
|
||||
*"generated by Unbound UCI"*)
|
||||
# our resolver file, reset to auto resolver file.
|
||||
|
@ -1209,8 +1266,6 @@ _resolv_teardown() {
|
|||
unbound_start() {
|
||||
config_load unbound
|
||||
config_foreach unbound_uci unbound
|
||||
|
||||
|
||||
unbound_mkdir
|
||||
|
||||
|
||||
|
@ -1229,19 +1284,18 @@ unbound_start() {
|
|||
|
||||
|
||||
unbound_forward
|
||||
unbound_auth_root
|
||||
unbound_control
|
||||
fi
|
||||
|
||||
|
||||
_resolv_setup
|
||||
unbound_resolv_setup
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
|
||||
unbound_stop() {
|
||||
_resolv_teardown
|
||||
|
||||
|
||||
unbound_resolv_teardown
|
||||
rootzone_update
|
||||
}
|
||||
|
||||
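Review bot: The auth-zone stanza that unbound_auth_root appends (the `{ ... } >> $UNBOUND_CONFFILE` group) fetches "." and the arpa zones over plain `http://` via `$httpserver` or via AXFR with no TSIG key, and marks them `for-upstream: yes`, so the integrity of the data Unbound will use in place of root referrals rests on DNSSEC validation — yet `validator` still defaults to 0 in the unbound_uci hunk further down, and nothing in this function ties `prefetch_root` to it. I would add a guard inside the `if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ]` branch, `if [ "$UNBOUND_B_DNSSEC" -lt 1 ] ; then logger -t unbound -s "prefetch_root enabled without validator; fetched root zone data is not verified" ; fi`, and state that dependency in the README text for `prefetch_root`. Whether Unbound re-validates auth-zone data when it serves it upstream may depend on the Unbound release, so confirm against the 1.7.1 unbound.conf manual before relying on it. Separately, `zonefile: "$zone.zone"` is a relative path resolved under `directory: "$UNBOUND_VARDIR"` inside the chroot, so that directory must be writable by the `unbound` user for the cache files to be written; I cannot tell from these hunks whether unbound_mkdir arranges that.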
|
|
|
@ -15,13 +15,14 @@ config unbound
|
|||
option listen_port '53'
|
||||
option localservice '1'
|
||||
option manual_conf '0'
|
||||
option protocol 'mixed'
|
||||
option prefetch_root '0'
|
||||
option protocol 'default'
|
||||
option query_minimize '0'
|
||||
option query_min_strict '0'
|
||||
option rebind_localhost '0'
|
||||
option rebind_protection '1'
|
||||
option recursion 'passive'
|
||||
option resource 'small'
|
||||
option recursion 'default'
|
||||
option resource 'default'
|
||||
option root_age '9'
|
||||
option ttl_min '120'
|
||||
option unbound_control '0'
|
||||
|
|