Merge pull request #4072 from EricLuehrsen/unbound_17_01

[lede-17.01] unbound: service update respective of 1.6.1-2

net/unbound/Makefile

@@ -8,8 +8,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
-PKG_VERSION:=1.6.0
+PKG_VERSION:=1.6.1
-PKG_RELEASE:=3
+PKG_RELEASE:=2
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@hotmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.unbound.net/downloads
-PKG_MD5SUM:=78409eccf7260d260b6463f85e59c66b
+PKG_HASH:=42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
 
 PKG_BUILD_DEPENDS:=libexpat
 PKG_BUILD_PARALLEL:=1
@@ -27,7 +27,7 @@ PKG_INSTALL:=1
 include $(INCLUDE_DIR)/package.mk
 
 define Package/unbound/Default
-  TITLE:=Unbound is a validating, recursive, and caching DNS resolver.
+  TITLE:=Validating Recursive DNS Server
   URL:=http://www.unbound.net/
   DEPENDS:=+libopenssl
 endef
@@ -51,7 +51,7 @@ define Package/unbound-anchor
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=IP Addresses and Names
-  TITLE+= (anchor utility)
+  TITLE+= (DSKEY utility)
   DEPENDS+= +unbound +libexpat
 endef
 
@@ -77,7 +77,7 @@ define Package/unbound-control-setup
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=IP Addresses and Names
-  TITLE+= (control setup utility)
+  TITLE+= (control setup)
   DEPENDS+= +unbound-control +openssl-util
 endef
 
@@ -90,7 +90,7 @@ define Package/unbound-host
   SECTION:=net
   CATEGORY:=Network
   SUBMENU:=IP Addresses and Names
-  TITLE+= (DNS lookup utility)
+  TITLE+= (lookup utility)
   DEPENDS+= +libunbound
 endef
 

net/unbound/files/README.md

@@ -8,6 +8,9 @@ Unbound may be useful on consumer grade embedded hardware. It is *intended* to b
 
 This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
 
+## Adblocking
+The UCI scripts will work with OpenWrt/pacakages/net/adblock (2.3.0 and above) if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
+
 ## HOW TO Integrate with DHCP
 Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
 
@@ -29,8 +32,9 @@ In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/
 **/etc/config/dhcp**:
 
 	config dnsmasq
+		option domain 'yourdomain'
 		option noresolv '1'
-		option resolvfile ''
+		option resolvfile '/tmp/resolv.conf.auto'
 		option port '53'
 		list server '127.0.0.1#1053'
 		list server '::1#1053'
@@ -51,18 +55,17 @@ In this case, Unbound serves your local network directly for all purposes. It wi
 	config dnsmasq
 		option domain 'yourdomain'
 		option noresolv '1'
-		option resolvfile ''
+		option resolvfile '/tmp/resolv.conf.auto'
 		option port '1053'
 		...
 
 	config dhcp 'lan'
+		# dnsmasq may not issue DNS option if not std. configuration 
 		list dhcp_option 'option:dns-server,0.0.0.0'
 		...
 
 ### Only odhcpd
-Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures as DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did.
+Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did. You **must install** `unbound-control`, because the lease records are added and removed without starting, stopping, flushing cache, or re-writing conf files.
-
-*note: You must install unbound-control. The lease file loads are done without starting, stopping, or re-writing conf files.*
 
 *note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.*
 
@@ -114,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan
 
 	config unbound
 		option manual_conf '1'
-		option root_age '30'
+		option root_age '9'
 
 ### Hybrid Manual/UCI
 You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation. 
@@ -227,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a
 		defaults with a bit of balancing. Tiny is close to the published
 		memory restricted configuration. Small 1/2 medium, and large 2x.
 
-	option root_age '30'
+	option root_age '9'
 		Days. >90 Disables. Age limit for Unbound root data like root
 		DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
 		harm flash ROM. This activity is mapped to "tmpfs," but every so

net/unbound/files/odhcpd.awk

@@ -22,6 +22,7 @@
 #   "domain" = text domain suffix
 #   "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
 #   "bisolt" = boolean, format <host>.<network>.<domain>. so you can isolate
+#   "bconf"  = boolean, write conf file format rather than pipe records
 #
 ##############################################################################
 
@@ -59,12 +60,20 @@
       # only for provided hostnames and full /32 assignments
       ptr = adr ; qpr = "" ; split( ptr, ptr, "." ) ;
       slaac = slaac_eui64( id ) ;
-      for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
 
-      # DHCP A and PTR records with FQDN
+
+      if ( bconf == 1 ) {
+        x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
+        y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
+        print ( x "\n" y ) > hostfile ;
+      }
+
+      else {
+        for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
         x = ( fqdn ". 120 IN A " adr ) ;
         y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ;
         print ( x "\n" y ) > hostfile ;
+      }
 
 
       if (( bslaac == 1 ) && ( slaac != 0 )) {
@@ -74,17 +83,32 @@
 
 
         while ( ( cmd | getline adr ) > 0 ) {
-          if ( substr( adr, 1, 5 ) <= "fd00:" ) {
+          if (( substr( adr, 1, 5 ) <= "fd00:" ) \
+          && ( index( adr, "via" ) == 0 )) {
             # GA or ULA routed addresses only (not LL or MC)
             sub( /\/.*/, "", adr ) ;
             adr = ( adr slaac ) ;
-            if ( split( adr, tmp0, ":" ) >= 8 ) { sub( "::", ":", adr ) ; }
+            
+            
+            if ( split( adr, tmp0, ":" ) >= 8 ) { 
+              sub( "::", ":", adr ) ; 
+            }
+
+
+            if ( bconf == 1 ) {
+              x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
+              y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
+              print ( x "\n" y ) > hostfile ;
+            }
+
+            else {
               qpr = ipv6_ptr( adr ) ;
               x = ( fqdn ". 120 IN AAAA " adr ) ;
-            y = ( qpr " 120 IN PTR " fqdn ) ;
+              y = ( qpr ". 120 IN PTR " fqdn ) ;
               print ( x "\n" y ) > hostfile ;
             }
           }
+        }
 
 
         close( cmd ) ;
@@ -94,14 +118,22 @@
 
   else {
     if (( cdr == 128 ) && ( hst != "-" )) {
+      if ( bconf == 1 ) {
+        x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
+        y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
+        print ( x "\n" y ) > hostfile ;
+      }
+
+      else {
         # only for provided hostnames and full /128 assignments
         qpr = ipv6_ptr( adr ) ;
         x = ( fqdn ". 120 IN AAAA " adr ) ;
-      y = ( qpr " 120 IN PTR " fqdn ) ;
+        y = ( qpr ". 120 IN PTR " fqdn ) ;
         print ( x "\n" y ) > hostfile ;
       }
     }
   }
+}
 
 ##############################################################################
 

net/unbound/files/odhcpd.sh

@@ -51,20 +51,26 @@ odhcpd_zonedata() {
 
 
   if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
-    # Capture the lease file which could be changing often,
+    # Capture the lease file which could be changing often
-    # and unbound-control only for changes in hosts (or else...)
     cat $dhcp_origin | sort > $dhcp_ls_new
     touch $dhcp_ls_old
     sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
     sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
 
-    # Go through the messy business of coding up A, AAAA, and PTR records.
+    # Go through the messy business of coding up A, AAAA, and PTR records
+    # This static conf will be available if Unbound restarts asynchronously
+    awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \
+        -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \
+        -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
+
+    # Deleting and adding all records into Unbound can be a burden in a
+    # high density environment. Use unbound-control incrementally.
     awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
-        -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
+        -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
         -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
 
     awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
-        -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
+        -v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
         -f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
 
 
@@ -80,7 +86,7 @@ odhcpd_zonedata() {
 
     # prepare next round
     mv $dhcp_ls_new $dhcp_ls_old
-    rm -f $dns_ls_del $dns_ls_add
+    rm -f $dns_ls_del $dns_ls_add $dhcp_ls_del $dhcp_ls_add
   fi
 }
 

net/unbound/files/root.key

@@ -1 +1,3 @@
 . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+

net/unbound/files/rootzone.sh

@@ -26,7 +26,7 @@ rootzone_uci() {
   # This will likely be called outside of "start_service()" context
   config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
   config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
-  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30
+  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
 }
 
 ##############################################################################

net/unbound/files/unbound.sh

@@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
 UNBOUND_N_EDNS_SIZE=1280
 UNBOUND_N_FWD_PORTS=""
 UNBOUND_N_RX_PORT=53
-UNBOUND_N_ROOT_AGE=28
+UNBOUND_N_ROOT_AGE=9
 
 UNBOUND_TTL_MIN=120
 
@@ -64,6 +64,7 @@ UNBOUND_PIDFILE=/var/run/unbound.pid
 
 UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
 UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
+UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
 UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
 
 UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
@@ -106,6 +107,12 @@ create_interface_dns() {
   if_fqdn="$ifdashname.$host_fqdn"
 
 
+  if [ -z "${ulaprefix%%:/*}" ] ; then
+    # Nonsense so this option isn't globbed below
+    ulaprefix="fdno:such:addr::/48"
+  fi
+
+
   if [ "$ignore" -gt 0 ] ; then
     mode="$UNBOUND_D_WAN_FQDN"
 
@@ -251,6 +258,13 @@ unbound_mkdir() {
   fi
 
 
+  if [ -f $UNBOUND_KEYFILE ] ; then
+    # Lets not lose RFC 5011 tracking if we don't have to
+    cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
+  fi
+
+
+  # Blind copy /etc/ to /var/lib/
   mkdir -p $UNBOUND_VARDIR
   rm -f $UNBOUND_VARDIR/dhcp_*
   touch $UNBOUND_CONFFILE
@@ -275,7 +289,7 @@ unbound_mkdir() {
       # Debian-like package dns-root-data
       cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
 
-    elif [ -x "$UNBOUND_ANCHOR" ] ; then
+    elif [ -x $UNBOUND_ANCHOR ] ; then
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     else
@@ -284,6 +298,13 @@ unbound_mkdir() {
   fi
 
   
+  if [ -f $UNBOUND_KEYFILE.keep ] ; then
+    # root.key.keep is reused if newest
+    cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
+    rm -f $UNBOUND_KEYFILE.keep
+  fi
+  
+  
   # Ensure access and prepare to jail
   chown -R unbound:unbound $UNBOUND_VARDIR
   chmod 775 $UNBOUND_VARDIR
@@ -645,7 +666,6 @@ unbound_access() {
 
   {
     # Amend your own "server:" stuff here
-    echo
     echo "  include: $UNBOUND_SRV_CONF"
     echo
   } >> $UNBOUND_CONFFILE
@@ -653,6 +673,30 @@ unbound_access() {
 
 ##############################################################################
 
+unbound_adblock() {
+  # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
+  local adb_enabled adb_file
+
+  if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
+    adb_enabled=0
+  else
+    /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
+  fi
+
+
+  if [ "$adb_enabled" -gt 0 ] ; then
+    {
+      # Pull in your selected openwrt/pacakges/net/adblock generated lists
+      for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
+        echo "  include: $adb_file"
+      done
+      echo
+    } >> $UNBOUND_CONFFILE
+  fi
+}
+
+##############################################################################
+
 unbound_hostname() {
   if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
     {
@@ -686,6 +730,16 @@ unbound_hostname() {
       config_load dhcp
       config_foreach create_interface_dns dhcp
     fi
+
+
+    if [ -f "$UNBOUND_DHCP_CONF" ] ; then
+      {
+        # Seed DHCP records because dhcp scripts trigger externally
+        # Incremental Unbound restarts may drop unbound-control add records
+        echo "  include: $UNBOUND_DHCP_CONF"
+        echo
+      } >> $UNBOUND_CONFFILE
+    fi
   fi
 }
 
@@ -715,7 +769,7 @@ unbound_uci() {
 
   config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
   config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
-  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 9
 
   config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
   config_get UNBOUND_D_DHCP_LINK   "$cfg" dhcp_link none
@@ -799,6 +853,7 @@ unbound_start() {
   if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
     unbound_conf
     unbound_access
+    unbound_adblock
 
     if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
       dnsmasq_link

net/unbound/files/unbound.uci

@@ -19,7 +19,7 @@ config unbound
 	option rebind_protection '1'
 	option recursion 'passive'
 	option resource 'small'
-	option root_age '28'
+	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'
 	option validator '0'

net/unbound/patches/001-conf.patch

@@ -1,12 +1,12 @@
 diff --git a/doc/example.conf.in b/doc/example.conf.in
-index 55bbc32..14452fa 100644
+index 83e7c5c..3ea2b28 100644
 --- a/doc/example.conf.in
 +++ b/doc/example.conf.in
-@@ -1,20 +1,82 @@
+@@ -1,9 +1,10 @@
 -#
 -# Example configuration file.
 -#
--# See unbound.conf(5) man page, version 1.6.0.
+-# See unbound.conf(5) man page, version 1.6.1.
 -#
 -# this is a comment.
 +##############################################################################
@@ -19,10 +19,9 @@ index 55bbc32..14452fa 100644
  
  #Use this to include other text into the file.
  #include: "otherfile.conf"
- 
+@@ -12,9 +13,71 @@
- # The server clause sets the main parameters.
  server:
--	# whitespace is not necessary, but looks cleaner.
+ 	# whitespace is not necessary, but looks cleaner.
  
 -	# verbosity number, 0 is least verbose. 1 is default.
 +	# verbosity 1 is default