From a4d4b6d874b45145d733b49d45dc29c0d534b828 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Mon, 23 Jan 2017 01:48:32 -0500 Subject: [PATCH 1/6] unbound: error in README.md for unbound+dnsmasq --- net/unbound/files/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 0a96c0b0a..d048abbd8 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -29,8 +29,8 @@ In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/ **/etc/config/dhcp**: config dnsmasq - option noresolv '1' - option resolvfile '' + option noresolv '0' + option resolvfile '/tmp/resolv.conf.auto' option port '53' list server '127.0.0.1#1053' list server '::1#1053' @@ -51,7 +51,7 @@ In this case, Unbound serves your local network directly for all purposes. It wi config dnsmasq option domain 'yourdomain' option noresolv '1' - option resolvfile '' + option resolvfile '/tmp/resolv.conf.auto' option port '1053' ... From 26b26917a6adfe96f1d2ae0ce164f35226f7d3cc Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sun, 5 Feb 2017 23:48:18 -0500 Subject: [PATCH 2/6] Unbound: bug fix odhcpd and add auto adblock Bug fix dhcp4_slaac6 option was adding to all IP6 routes. Filtering was added to this process to only include addresses served from "this dhcp interface." adblock 2.3.0 file output is now detected and automatically integrated into Unbound local-zones. adblock deposites its block site zone-files into /var/lib/unbound. If this is not desired, then disable adblock or reconfigure to avoid Unbound. Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 10 +++++----- net/unbound/files/README.md | 11 +++++++---- net/unbound/files/odhcpd.awk | 3 ++- net/unbound/files/unbound.sh | 38 +++++++++++++++++++++++++++++------- 4 files changed, 45 insertions(+), 17 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 07ab6fe33..fabf26a16 100644 
--- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.6.0 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE @@ -27,7 +27,7 @@ PKG_INSTALL:=1 include $(INCLUDE_DIR)/package.mk define Package/unbound/Default - TITLE:=Unbound is a validating, recursive, and caching DNS resolver. + TITLE:=Validating Recursive DNS Server URL:=http://www.unbound.net/ DEPENDS:=+libopenssl endef @@ -51,7 +51,7 @@ define Package/unbound-anchor SECTION:=net CATEGORY:=Network SUBMENU:=IP Addresses and Names - TITLE+= (anchor utility) + TITLE+= (DSKEY utility) DEPENDS+= +unbound +libexpat endef @@ -77,7 +77,7 @@ define Package/unbound-control-setup SECTION:=net CATEGORY:=Network SUBMENU:=IP Addresses and Names - TITLE+= (control setup utility) + TITLE+= (control setup) DEPENDS+= +unbound-control +openssl-util endef @@ -90,7 +90,7 @@ define Package/unbound-host SECTION:=net CATEGORY:=Network SUBMENU:=IP Addresses and Names - TITLE+= (DNS lookup utility) + TITLE+= (lookup utility) DEPENDS+= +libunbound endef diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index d048abbd8..53f8a1412 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md 
@@ -8,6 +8,9 @@ Unbound may be useful on consumer grade embedded hardware. It is *intended* to b This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level. +## Adblocking +The UCI scripts will work with OpenWrt/pacakages/net/adblock (2.3.0 and above) if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound. + ## HOW TO Integrate with DHCP Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd. @@ -29,7 +32,8 @@ In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/ **/etc/config/dhcp**: config dnsmasq - option noresolv '0' + option domain 'yourdomain' + option noresolv '1' option resolvfile '/tmp/resolv.conf.auto' option port '53' list server '127.0.0.1#1053' 
@@ -56,13 +60,12 @@ In this case, Unbound serves your local network directly for all purposes. It wi ... config dhcp 'lan' + # dnsmasq may not issue DNS option if not std. configuration list dhcp_option 'option:dns-server,0.0.0.0' ... ### Only odhcpd -Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures as DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did. - -*note: You must install unbound-control. The lease file loads are done without starting, stopping, or re-writing conf files.* +Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did. You **must install** `unbound-control`, because the lease records are added and removed without starting, stopping, flushing cache, or re-writing conf files. *note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.* diff --git a/net/unbound/files/odhcpd.awk b/net/unbound/files/odhcpd.awk index 6ef02dfbf..8c8d96610 100644 --- a/net/unbound/files/odhcpd.awk +++ b/net/unbound/files/odhcpd.awk @@ -74,7 +74,8 @@ while ( ( cmd | getline adr ) > 0 ) { - if ( substr( adr, 1, 5 ) <= "fd00:" ) { + if (( substr( adr, 1, 5 ) <= "fd00:" ) \ + && ( index( adr, "via" ) == 0 )) { # GA or ULA routed addresses only (not LL or MC) sub( /\/.*/, "", adr ) ; adr = ( adr slaac ) ; diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 9cd6a5eb8..92c87d043 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh 
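Review bot: The new `index( adr, "via" ) == 0` test is what now keeps gateway routes out of the SLAAC candidates, but the comment that follows it still reads `# GA or ULA routed addresses only (not LL or MC)` and does not mention that; update it to something like `# GA or ULA on-link prefixes only (not LL, MC, or routes via a gateway)`. Note that `index` matches the substring anywhere in the `ip -6 route` line rather than as a whole word, and the unchanged lexical test `substr( adr, 1, 5 ) <= "fd00:"` admits anything sorting before "fd00:", so the via filter is doing most of the work here — presumably fine for iproute2's one-line output, but worth a comment saying the check depends on that format. The enclosing `while ( ( cmd | getline adr ) > 0 )` loop starts and ends outside this hunk.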
@@ -136,10 +136,10 @@ create_interface_dns() { { for address in $addresses ; do case $address in - fe80:*|169.254.*) + fe80:*|169.254.*) echo " # note link address $address" ;; - + [1-9a-f]*:*[0-9a-f]) # GA and ULA IP6 for HOST IN AAA records (ip command is robust) for name in $names ; do @@ -164,10 +164,10 @@ create_interface_dns() { { for address in $addresses ; do case $address in - fe80:*|169.254.*) + fe80:*|169.254.*) echo " # note link address $address" ;; - + "${ulaprefix%%:/*}"*) # Only this networks ULA and only hostname echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\"" @@ -308,7 +308,7 @@ unbound_control() { { - # Amend your own extended clauses here like forward zones or disable + # Amend your own extended clauses here like forward zones or disable # above (local, no encryption) and amend your own remote encrypted control echo echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE @@ -645,14 +645,37 @@ unbound_access() { { # Amend your own "server:" stuff here - echo - echo "include: $UNBOUND_SRV_CONF" + echo " include: $UNBOUND_SRV_CONF" echo } >> $UNBOUND_CONFFILE } ############################################################################## +unbound_adblock() { + # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team + local adb_enabled adb_file + + if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then + adb_enabled=0 + else + /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0 + fi + + + if [ "$adb_enabled" -gt 0 ] ; then + { + # Pull in your selected openwrt/pacakges/net/adblock generated lists + for adb_file in $UNBOUND_VARDIR/adb_list.* ; do + echo " include: $adb_file" + done + echo + } >> $UNBOUND_CONFFILE + fi +} + +############################################################################## + unbound_hostname() { if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then { 
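Review bot: In `unbound_adblock` the loop `for adb_file in $UNBOUND_VARDIR/adb_list.* ; do` emits an `include:` line for whatever the glob yields, with no check that the match is an existing regular file; when nothing matches, the literal pattern itself is written into unbound.conf. Add `[ -f "$adb_file" ] || continue` as the first statement of the loop so only real files are included and an empty match produces no directive. Since `$UNBOUND_VARDIR` is later chowned to `unbound:unbound` with mode 775 (visible in the patch 6 `unbound_mkdir` hunk), any `adb_list.*` file placed there becomes server configuration on the next restart, so the header comment could also state that this trusts the directory contents, e.g. `# Every adb_list.* in the (unbound-writable) var dir is parsed as unbound config`. The `unbound_hostname` definition that follows continues outside the hunk.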
@@ -799,6 +822,7 @@ unbound_start() { if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then unbound_conf unbound_access + unbound_adblock if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then dnsmasq_link From b23d25fd2fb3c700618b37c0079df8cf75f67690 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sat, 11 Feb 2017 15:25:22 -0500 Subject: [PATCH 3/6] unbound: improve robustness with dhcp scripts When for example 'package/net/adblock' and DNSSEC vs NTP robustness is enabled, significant restart thrashing can occur at boot up. DHCP lease triggers may be occuring at the same time. Unbounds DNS-DHCP may be incomplete until new DHCP solicit events. Solve this by leaving a passive but complete host conf file during lease trigger. Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/odhcpd.awk | 73 +++++++++++++++++++++++++----------- net/unbound/files/odhcpd.sh | 26 ++++++++----- net/unbound/files/unbound.sh | 11 ++++++ 4 files changed, 80 insertions(+), 32 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index fabf26a16..498700a3d 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.6.0 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/odhcpd.awk b/net/unbound/files/odhcpd.awk index 8c8d96610..34e6710d8 100644 --- a/net/unbound/files/odhcpd.awk +++ b/net/unbound/files/odhcpd.awk @@ -22,6 +22,7 @@ # "domain" = text domain suffix # "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC # "bisolt" = boolean, format ... so you can isolate +# "bconf" = boolean, write conf file format rather than pipe records # ############################################################################## 
@@ -59,15 +60,23 @@ # only for provided hostnames and full /32 assignments ptr = adr ; qpr = "" ; split( ptr, ptr, "." ) ; slaac = slaac_eui64( id ) ; - for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; } - - # DHCP A and PTR records with FQDN - x = ( fqdn ". 120 IN A " adr ) ; - y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ; - print ( x "\n" y ) > hostfile ; - if ((bslaac == 1) && (slaac != 0)) { + if ( bconf == 1 ) { + x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ; + y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; + print ( x "\n" y ) > hostfile ; + } + + else { + for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; } + x = ( fqdn ". 120 IN A " adr ) ; + y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ; + print ( x "\n" y ) > hostfile ; + } + + + if (( bslaac == 1 ) && ( slaac != 0 )) { # UCI option to discover IPV6 routed SLAAC addresses # NOT TODO - ping probe take too long when added in awk-rule loop cmd = ( "ip -6 --oneline route show dev " net ) ; @@ -79,11 +88,25 @@ # GA or ULA routed addresses only (not LL or MC) sub( /\/.*/, "", adr ) ; adr = ( adr slaac ) ; - if ( split( adr, tmp0, ":" ) >= 8 ) { sub( "::", ":", adr ) ; } - qpr = ipv6_ptr( adr ) ; - x = ( fqdn ". 120 IN AAAA " adr ) ; - y = ( qpr " 120 IN PTR " fqdn ) ; - print ( x "\n" y ) > hostfile ; + + + if ( split( adr, tmp0, ":" ) >= 8 ) { + sub( "::", ":", adr ) ; + } + + + if ( bconf == 1 ) { + x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; + y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; + print ( x "\n" y ) > hostfile ; + } + + else { + qpr = ipv6_ptr( adr ) ; + x = ( fqdn ". 120 IN AAAA " adr ) ; + y = ( qpr ". 120 IN PTR " fqdn ) ; + print ( x "\n" y ) > hostfile ; + } } } 
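Review bot: The new `bconf == 1` branch embeds `fqdn` inside a double-quoted `local-data:` value (`x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" )`) that is written to a conf file unbound later reads via `include:` (patch 3's unbound.sh hunk), yet nothing in this hunk verifies that the lease hostname is a plain DNS label. If odhcpd does not already reject names containing `"`, whitespace or newlines (I cannot see such a filter from here), a hostname supplied by a DHCP client could break out of the quoted value; a guard like `if ( hst !~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/ ) { next ; }` before the records are built would make the generated file robust regardless. The same quoted construction appears in the second hunk of this file (`@@ -79,11 +88,25 @@`) and in the /128 hunk (`@@ -95,11 +118,19 @@`); the `fqdn` assignment and the enclosing rule start before this hunk.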
@@ -95,11 +118,19 @@ else { if (( cdr == 128 ) && ( hst != "-" )) { - # only for provided hostnames and full /128 assignments - qpr = ipv6_ptr( adr ) ; - x = ( fqdn ". 120 IN AAAA " adr ) ; - y = ( qpr " 120 IN PTR " fqdn ) ; - print ( x "\n" y ) > hostfile ; + if ( bconf == 1 ) { + x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ; + y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ; + print ( x "\n" y ) > hostfile ; + } + + else { + # only for provided hostnames and full /128 assignments + qpr = ipv6_ptr( adr ) ; + x = ( fqdn ". 120 IN AAAA " adr ) ; + y = ( qpr ". 120 IN PTR " fqdn ) ; + print ( x "\n" y ) > hostfile ; + } } } } @@ -133,7 +164,7 @@ function ipv6_ptr( ipv6, arpa, ary, end, i, j, new6, sz, start ) { ############################################################################## -function slaac_eui64( mac, ary, glbit, eui64 ) { +function slaac_eui64( mac, ary, glbit, eui64 ) { if ( length(mac) >= 12 ) { # RFC2373 and use DHCPv4 registered MAC to find SLAAC addresses split( mac , ary , "" ) ; @@ -144,12 +175,12 @@ function slaac_eui64( mac, ary, glbit, eui64 ) { eui64 = ( ary[1] ary[2] ary[3] ary[4] ":" ary[5] ary[6] "ff:fe" ) ; eui64 = ( eui64 ary[7] ary[8] ":" ary[9] ary[10] ary[11] ary[12] ) ; } - + else { eui64 = 0 ; } - - + + return eui64 ; } diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh index 68c822af9..2fc64ab40 100644 --- a/net/unbound/files/odhcpd.sh +++ b/net/unbound/files/odhcpd.sh 
@@ -45,42 +45,48 @@ odhcpd_zonedata() { local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile ) - + config_load unbound config_foreach odhcpd_settings unbound if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then - # Capture the lease file which could be changing often, - # and unbound-control only for changes in hosts (or else...) + # Capture the lease file which could be changing often cat $dhcp_origin | sort > $dhcp_ls_new touch $dhcp_ls_old sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del - # Go through the messy business of coding up A, AAAA, and PTR records. + # Go through the messy business of coding up A, AAAA, and PTR records + # This static conf will be available if Unbound restarts asynchronously + awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \ + -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \ + -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new + + # Deleting and adding all records into Unbound can be a burden in a + # high density environment. Use unbound-control incrementally. awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \ - -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \ + -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \ - -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \ + -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \ -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add if [ -f "$dns_ls_del" ] ; then cat $dns_ls_del | $UNBOUND_CONTROL_CFG local_datas_remove fi - + if [ -f "$dns_ls_add" ] ; then cat $dns_ls_add | $UNBOUND_CONTROL_CFG local_datas fi - - + + # prepare next round mv $dhcp_ls_new $dhcp_ls_old - rm -f $dns_ls_del $dns_ls_add + rm -f $dns_ls_del $dns_ls_add $dhcp_ls_del $dhcp_ls_add fi } 
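Review bot: The new `awk -v hostfile=$UNBOUND_DHCP_CONF ... -v bconf=1 ... $dhcp_ls_new` only creates or truncates `$UNBOUND_DHCP_CONF` when awk actually prints (awk opens a `>` target on first use), so when the sorted lease list is empty a previously written file keeps stale `local-data:` records, and `unbound_hostname` will include them at the next restart. Rebuild the file explicitly, e.g. `: > $UNBOUND_DHCP_CONF` immediately before that awk, or write to `$UNBOUND_DHCP_CONF.tmp` and `mv` it into place so a restart that races with a lease trigger never includes a half-written file. The comment `# This static conf will be available if Unbound restarts asynchronously` could note that the file is regenerated from the full lease set on every trigger. `odhcpd_zonedata` starts before this hunk.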
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 92c87d043..44eeb6fcc 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -64,6 +64,7 @@ UNBOUND_PIDFILE=/var/run/unbound.pid UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf +UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key @@ -709,6 +710,16 @@ unbound_hostname() { config_load dhcp config_foreach create_interface_dns dhcp fi + + + if [ -f "$UNBOUND_DHCP_CONF" ] ; then + { + # Seed DHCP records because dhcp scripts trigger externally + # Incremental Unbound restarts may drop unbound-control add records + echo " include: $UNBOUND_DHCP_CONF" + echo + } >> $UNBOUND_CONFFILE + fi fi } From 412fd1bbf4c0f0089e6e837f002c5164078dded4 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Sat, 25 Feb 2017 13:49:45 -0500 Subject: [PATCH 4/6] unbound: bugfix add_local_fqdn with empty ULA Signed-off-by: Eric Luehrsen --- net/unbound/files/unbound.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 44eeb6fcc..24964d0b0 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -107,6 +107,12 @@ create_interface_dns() { if_fqdn="$ifdashname.$host_fqdn" + if [ -z "${ulaprefix%%:/*}" ] ; then + # Nonsense so this option isn't globbed below + ulaprefix="fdno:such:addr::/48" + fi + + if [ "$ignore" -gt 0 ] ; then mode="$UNBOUND_D_WAN_FQDN" From ef0c0eeab0812256d459c4b8d331242f92c2dfe8 Mon Sep 17 00:00:00 2001 
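Review bot: The comment `# Nonsense so this option isn't globbed below` in the `create_interface_dns` hunk (`@@ -107,6 +107,12 @@`) does not say what goes wrong; the reader has to find the later `"${ulaprefix%%:/*}"*)` case arm to see that an empty prefix collapses it to a bare `*` matching every address. Suggest `# An empty ulaprefix would turn the case pattern "${ulaprefix%%:/*}"* into a bare "*" that matches every address; substitute an impossible placeholder (fdno is not hex) instead`. The test `[ -z "${ulaprefix%%:/*}" ]` catches only the empty value, so a prefix without a `:/` separator still passes through unchanged — presumably acceptable since UCI supplies it, but worth stating. `create_interface_dns` starts and ends outside this hunk.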
From: Eric Luehrsen Date: Wed, 22 Feb 2017 21:35:56 -0500 Subject: [PATCH 5/6] unbound: Update to 1.6.1 with 2017 trust anchor Unbound 1.6.1 has a few bug fixes for resource leaks, configuration robustness, compile environment interaction, and maintaining the trust anchor. The 2017 trust anchor (DS) is built into unbound and unbound-anchor. File /etc/unbound/root.key holds 2010/2017 DS record until 2018 https://www.icann.org/resources/pages/ksk-rollover https://www.iana.org/domains/root Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 6 +++--- net/unbound/files/root.key | 2 ++ net/unbound/patches/001-conf.patch | 13 ++++++------- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 498700a3d..e531a4578 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -8,8 +8,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound -PKG_VERSION:=1.6.0 -PKG_RELEASE:=5 +PKG_VERSION:=1.6.1 +PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE @@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unbound.net/downloads -PKG_MD5SUM:=78409eccf7260d260b6463f85e59c66b +PKG_HASH:=42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400 PKG_BUILD_DEPENDS:=libexpat PKG_BUILD_PARALLEL:=1 diff --git a/net/unbound/files/root.key b/net/unbound/files/root.key index 2ad664134..2de0b6246 100644 --- a/net/unbound/files/root.key +++ b/net/unbound/files/root.key @@ -1 +1,3 @@ . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D + diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch index d1c1ca3d2..8aa050202 100644 --- a/net/unbound/patches/001-conf.patch +++ b/net/unbound/patches/001-conf.patch @@ -1,12 +1,12 @@ 
diff --git a/doc/example.conf.in b/doc/example.conf.in -index 55bbc32..14452fa 100644 +index 83e7c5c..3ea2b28 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in -@@ -1,20 +1,82 @@ +@@ -1,9 +1,10 @@ -# -# Example configuration file. -# --# See unbound.conf(5) man page, version 1.6.0. +-# See unbound.conf(5) man page, version 1.6.1. -# -# this is a comment. +############################################################################## @@ -19,10 +19,9 @@ index 55bbc32..14452fa 100644 #Use this to include other text into the file. #include: "otherfile.conf" - - # The server clause sets the main parameters. +@@ -12,9 +13,71 @@ server: -- # whitespace is not necessary, but looks cleaner. + # whitespace is not necessary, but looks cleaner. - # verbosity number, 0 is least verbose. 1 is default. + # verbosity 1 is default @@ -51,7 +50,7 @@ index 55bbc32..14452fa 100644 + access-control: ::0/0 allow + + # this limits TCP service but uses less buffers -+ outgoing-num-tcp: 1 ++ outgoing-num-tcp: 1 + incoming-num-tcp: 1 + + # use somewhat higher port numbers versus possible NAT issue From 8e153c96845dd4763dbb1f49e16bb6c8d79d2f70 Mon Sep 17 00:00:00 2001 From: Eric Luehrsen Date: Thu, 2 Mar 2017 00:28:35 -0500 Subject: [PATCH 6/6] unbound: improve maintenance of trust anchor Unbound UCI tries to protect embedded flash from excess use. Unbound RFC5011 KSK tracking can rewrite root.key every few minutes to an hour. It also writes and destroys files in the same directory during the process. Recommended UCI delays for copying busy work in /var/ back to /etc/ may be too conservative. These are all changed from 28 to 9 days. The RFC5011 KSK results were also destroyed by an init.d restart, even if /var/ is mounted on persistent storage like USB drive. /var/lib/unbound/root.key is now preserved during this process, unless a newer key is installed in /etc/ manually or package update. 
Signed-off-by: Eric Luehrsen --- net/unbound/Makefile | 2 +- net/unbound/files/README.md | 4 ++-- net/unbound/files/rootzone.sh | 2 +- net/unbound/files/unbound.sh | 22 ++++++++++++++++++---- net/unbound/files/unbound.uci | 2 +- 5 files changed, 23 insertions(+), 9 deletions(-) diff --git a/net/unbound/Makefile b/net/unbound/Makefile index e531a4578..6546fa2a1 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound PKG_VERSION:=1.6.1 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=BSD-3-Clause PKG_LICENSE_FILES:=LICENSE diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md index 53f8a1412..4855688ac 100644 --- a/net/unbound/files/README.md +++ b/net/unbound/files/README.md @@ -117,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan config unbound option manual_conf '1' - option root_age '30' + option root_age '9' ### Hybrid Manual/UCI You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation. @@ -230,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a defaults with a bit of balancing. Tiny is close to the published memory restricted configuration. Small 1/2 medium, and large 2x. - option root_age '30' + option root_age '9' Days. >90 Disables. Age limit for Unbound root data like root DNSSEC key. Unbound uses RFC 5011 to manage root key. This could harm flash ROM. This activity is mapped to "tmpfs," but every so diff --git a/net/unbound/files/rootzone.sh b/net/unbound/files/rootzone.sh index 143c0560f..d085fed4e 100644 --- a/net/unbound/files/rootzone.sh +++ b/net/unbound/files/rootzone.sh 
@@ -26,7 +26,7 @@ rootzone_uci() { # This will likely be called outside of "start_service()" context config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1 - config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30 + config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9 } ############################################################################## diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh index 24964d0b0..ce250bd95 100644 --- a/net/unbound/files/unbound.sh +++ b/net/unbound/files/unbound.sh @@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96" UNBOUND_N_EDNS_SIZE=1280 UNBOUND_N_FWD_PORTS="" UNBOUND_N_RX_PORT=53 -UNBOUND_N_ROOT_AGE=28 +UNBOUND_N_ROOT_AGE=9 UNBOUND_TTL_MIN=120 @@ -258,6 +258,13 @@ unbound_mkdir() { fi + if [ -f $UNBOUND_KEYFILE ] ; then + # Lets not lose RFC 5011 tracking if we don't have to + cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep + fi + + + # Blind copy /etc/ to /var/lib/ mkdir -p $UNBOUND_VARDIR rm -f $UNBOUND_VARDIR/dhcp_* touch $UNBOUND_CONFFILE @@ -282,7 +289,7 @@ unbound_mkdir() { # Debian-like package dns-root-data cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE - elif [ -x "$UNBOUND_ANCHOR" ] ; then + elif [ -x $UNBOUND_ANCHOR ] ; then $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE else @@ -290,7 +297,14 @@ unbound_mkdir() { fi fi - + + if [ -f $UNBOUND_KEYFILE.keep ] ; then + # root.key.keep is reused if newest + cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE + rm -f $UNBOUND_KEYFILE.keep + fi + + # Ensure access and prepare to jail chown -R unbound:unbound $UNBOUND_VARDIR chmod 775 $UNBOUND_VARDIR @@ -755,7 +769,7 @@ unbound_uci() { config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53 - config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7 + config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9 config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none 
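Review bot: In `unbound_mkdir`, `cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE` decides purely by mtime, and the `.keep` copy is taken with `cp -p` from a file that RFC 5011 tracking rewrites often, so it will normally be newer than a root.key freshly installed under /etc (whose mtime typically comes from the package build); the "unless a newer key is installed" behaviour described in the commit message therefore depends on how the /etc copy gets its timestamp and should be confirmed with a real package upgrade. Because `$UNBOUND_VARDIR` is chowned to `unbound:unbound` a few lines later, a trust-anchor file writable by the service user now survives restarts and takes precedence over the administrator's copy; consider comparing content (`cmp -s`) and logging when the kept key overrides the installed one, so a bad tracked anchor can still be recovered by re-installing root.key. The `.keep` file is created in the first hunk of `unbound_mkdir` (`@@ -258,6 +258,13 @@`) and consumed in the third (`@@ -290,7 +297,14 @@`); the function's body continues outside both.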
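Review bot: Dropping the quotes in `elif [ -x $UNBOUND_ANCHOR ] ; then` (hunk `@@ -282,7 +289,7 @@`) changes behaviour when the variable is empty: `[ -x ]` is a one-argument test that succeeds because the string `-x` is non-empty, so the branch would then execute `-a $UNBOUND_KEYFILE` as a command instead of falling through to the `else` branch, whereas `[ -x "" ]` is false. Keep the original quoted form `elif [ -x "$UNBOUND_ANCHOR" ] ; then`; the assignments that set the variable are outside this hunk and presumably always populate it, but the quoting costs nothing. `unbound_mkdir` continues outside the hunk.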
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 7794e9765..9e58ac799 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -19,7 +19,7 @@ config unbound
 option rebind_protection '1'
 option recursion 'passive'
 option resource 'small'
-option root_age '28'
+option root_age '9'
 option ttl_min '120'
 option unbound_control '0'
 option validator '0'