Merge pull request #4072 from EricLuehrsen/unbound_17_01

[lede-17.01] unbound: service update respective of 1.6.1-2
This commit is contained in:
Hannu Nyman
2017-03-02 14:37:18 +02:00
committed by GitHub
9 changed files with 163 additions and 66 deletions
+7 -7
@@ -8,8 +8,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.6.0
PKG_RELEASE:=3
PKG_VERSION:=1.6.1
PKG_RELEASE:=2
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
@@ -17,7 +17,7 @@ PKG_MAINTAINER:=Eric Luehrsen <ericluehrsen@hotmail.com>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unbound.net/downloads
PKG_MD5SUM:=78409eccf7260d260b6463f85e59c66b
PKG_HASH:=42df63f743c0fe8424aeafcf003ad4b880b46c14149d696057313f5c1ef51400
PKG_BUILD_DEPENDS:=libexpat
PKG_BUILD_PARALLEL:=1
@@ -27,7 +27,7 @@ PKG_INSTALL:=1
include $(INCLUDE_DIR)/package.mk
define Package/unbound/Default
TITLE:=Unbound is a validating, recursive, and caching DNS resolver.
TITLE:=Validating Recursive DNS Server
URL:=http://www.unbound.net/
DEPENDS:=+libopenssl
endef
@@ -51,7 +51,7 @@ define Package/unbound-anchor
SECTION:=net
CATEGORY:=Network
SUBMENU:=IP Addresses and Names
TITLE+= (anchor utility)
TITLE+= (DSKEY utility)
DEPENDS+= +unbound +libexpat
endef
@@ -77,7 +77,7 @@ define Package/unbound-control-setup
SECTION:=net
CATEGORY:=Network
SUBMENU:=IP Addresses and Names
TITLE+= (control setup utility)
TITLE+= (control setup)
DEPENDS+= +unbound-control +openssl-util
endef
@@ -90,7 +90,7 @@ define Package/unbound-host
SECTION:=net
CATEGORY:=Network
SUBMENU:=IP Addresses and Names
TITLE+= (DNS lookup utility)
TITLE+= (lookup utility)
DEPENDS+= +libunbound
endef
+10 -7
@@ -8,6 +8,9 @@ Unbound may be useful on consumer grade embedded hardware. It is *intended* to b
This package builds on Unbounds capabilities with OpenWrt UCI. Not every Unbound option is in UCI, but rather, UCI simplifies the combination of related options. Unbounds native options are bundled and balanced within a smaller set of choices. Options include resources, DNSSEC, access control, and some TTL tweaking. The UCI also provides an escape option and work at the raw "unbound.conf" level.
## Adblocking
The UCI scripts will work with OpenWrt/pacakages/net/adblock (2.3.0 and above) if it is installed and enabled. Its all detected and integrated automatically. In brief, the adblock scripts create distinct local-zone files that are simply included in the unbound conf file during UCI generation. If you don't want this, then disable adblock or reconfigure adblock to not send these files to Unbound.
## HOW TO Integrate with DHCP
Some UCI options and scripts help Unbound to work with DHCP servers to load the local DNS. The examples provided here are serial dnsmasq-unbound, parallel dnsmasq-unbound, and unbound scripted with odhcpd.
@@ -29,8 +32,9 @@ In this case, dnsmasq is not changed *much* with respect to the default OpenWRT/
**/etc/config/dhcp**:
config dnsmasq
option domain 'yourdomain'
option noresolv '1'
option resolvfile ''
option resolvfile '/tmp/resolv.conf.auto'
option port '53'
list server '127.0.0.1#1053'
list server '::1#1053'
@@ -51,18 +55,17 @@ In this case, Unbound serves your local network directly for all purposes. It wi
config dnsmasq
option domain 'yourdomain'
option noresolv '1'
option resolvfile ''
option resolvfile '/tmp/resolv.conf.auto'
option port '1053'
...
config dhcp 'lan'
# dnsmasq may not issue DNS option if not std. configuration
list dhcp_option 'option:dns-server,0.0.0.0'
...
### Only odhcpd
Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures as DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did.
*note: You must install unbound-control. The lease file loads are done without starting, stopping, or re-writing conf files.*
Why use dnsmasq you might ask? Well test, try, and review. You can have Unbound and odhcpd only. When odhcpd configures each DHCP lease, it will call a script. The script provided with Unbound will read the lease file and enter DHCP-DNS records as much as dnsmasq once did. You **must install** `unbound-control`, because the lease records are added and removed without starting, stopping, flushing cache, or re-writing conf files.
*note: if you run the default LEDE/OpenWrt setup with dnsmasq and odhcpd, then use the link to dnsmasq. Unbound will pole dnsmasq. dnsmasq merges its lease file and odhcpd lease file.*
@@ -114,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan
config unbound
option manual_conf '1'
option root_age '30'
option root_age '9'
### Hybrid Manual/UCI
You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
@@ -227,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a
defaults with a bit of balancing. Tiny is close to the published
memory restricted configuration. Small 1/2 medium, and large 2x.
option root_age '30'
option root_age '9'
Days. >90 Disables. Age limit for Unbound root data like root
DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
harm flash ROM. This activity is mapped to "tmpfs," but every so
+54 -22
@@ -22,6 +22,7 @@
# "domain" = text domain suffix
# "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
# "bisolt" = boolean, format <host>.<network>.<domain>. so you can isolate
# "bconf" = boolean, write conf file format rather than pipe records
#
##############################################################################
@@ -59,30 +60,53 @@
# only for provided hostnames and full /32 assignments
ptr = adr ; qpr = "" ; split( ptr, ptr, "." ) ;
slaac = slaac_eui64( id ) ;
for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
# DHCP A and PTR records with FQDN
x = ( fqdn ". 120 IN A " adr ) ;
y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
if ((bslaac == 1) && (slaac != 0)) {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN A " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
}
else {
for( i=1; i<=4; i++ ) { qpr = ( ptr[i] "." qpr) ; }
x = ( fqdn ". 120 IN A " adr ) ;
y = ( qpr "in-addr.arpa. 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
}
if (( bslaac == 1 ) && ( slaac != 0 )) {
# UCI option to discover IPV6 routed SLAAC addresses
# NOT TODO - ping probe take too long when added in awk-rule loop
cmd = ( "ip -6 --oneline route show dev " net ) ;
while ( ( cmd | getline adr ) > 0 ) {
if ( substr( adr, 1, 5 ) <= "fd00:" ) {
if (( substr( adr, 1, 5 ) <= "fd00:" ) \
&& ( index( adr, "via" ) == 0 )) {
# GA or ULA routed addresses only (not LL or MC)
sub( /\/.*/, "", adr ) ;
adr = ( adr slaac ) ;
if ( split( adr, tmp0, ":" ) >= 8 ) { sub( "::", ":", adr ) ; }
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 120 IN AAAA " adr ) ;
y = ( qpr " 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
if ( split( adr, tmp0, ":" ) >= 8 ) {
sub( "::", ":", adr ) ;
}
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
}
else {
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 120 IN AAAA " adr ) ;
y = ( qpr ". 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
}
}
}
@@ -94,11 +118,19 @@
else {
if (( cdr == 128 ) && ( hst != "-" )) {
# only for provided hostnames and full /128 assignments
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 120 IN AAAA " adr ) ;
y = ( qpr " 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 120 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 120 " fqdn "\"" ) ;
print ( x "\n" y ) > hostfile ;
}
else {
# only for provided hostnames and full /128 assignments
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 120 IN AAAA " adr ) ;
y = ( qpr ". 120 IN PTR " fqdn ) ;
print ( x "\n" y ) > hostfile ;
}
}
}
}
@@ -132,7 +164,7 @@ function ipv6_ptr( ipv6, arpa, ary, end, i, j, new6, sz, start ) {
##############################################################################
function slaac_eui64( mac, ary, glbit, eui64 ) {
function slaac_eui64( mac, ary, glbit, eui64 ) {
if ( length(mac) >= 12 ) {
# RFC2373 and use DHCPv4 registered MAC to find SLAAC addresses
split( mac , ary , "" ) ;
@@ -143,12 +175,12 @@ function slaac_eui64( mac, ary, glbit, eui64 ) {
eui64 = ( ary[1] ary[2] ary[3] ary[4] ":" ary[5] ary[6] "ff:fe" ) ;
eui64 = ( eui64 ary[7] ary[8] ":" ary[9] ary[10] ary[11] ary[12] ) ;
}
else {
eui64 = 0 ;
}
return eui64 ;
}
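Review bot: The new `bconf == 1` branches wrap `fqdn` and `adr` in a double-quoted `local-data:` / `local-data-ptr:` directive without any escaping, and the file they write is later included into the server configuration; if `fqdn` is built from the lease's hostname field (that assignment is before this hunk), a name containing `"`, whitespace or a newline changes the structure of the generated conf rather than just producing an odd record, and the same name would split a record in the pipe format. A character allowlist before any record is emitted, e.g. `if ( fqdn ~ /[^A-Za-z0-9._-]/ ) { next ; }` at the top of the per-lease action, keeps both output formats well-formed. The enclosing awk action starts and ends outside this hunk.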
+16 -10
@@ -45,42 +45,48 @@ odhcpd_zonedata() {
local dhcp_ls_add=$UNBOUND_VARDIR/dhcp_lease.add
local dhcp_ls_del=$UNBOUND_VARDIR/dhcp_lease.del
local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
config_load unbound
config_foreach odhcpd_settings unbound
if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a -f "$dhcp_origin" ] ; then
# Capture the lease file which could be changing often,
# and unbound-control only for changes in hosts (or else...)
# Capture the lease file which could be changing often
cat $dhcp_origin | sort > $dhcp_ls_new
touch $dhcp_ls_old
sort $dhcp_ls_new $dhcp_ls_old $dhcp_ls_old | uniq -u > $dhcp_ls_add
sort $dhcp_ls_old $dhcp_ls_new $dhcp_ls_new | uniq -u > $dhcp_ls_del
# Go through the messy business of coding up A, AAAA, and PTR records.
# Go through the messy business of coding up A, AAAA, and PTR records
# This static conf will be available if Unbound restarts asynchronously
awk -v hostfile=$UNBOUND_DHCP_CONF -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=1 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
# Deleting and adding all records into Unbound can be a burden in a
# high density environment. Use unbound-control incrementally.
awk -v hostfile=$dns_ls_del -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_del
awk -v hostfile=$dns_ls_add -v domain=$UNBOUND_TXT_DOMAIN \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 \
-v bslaac=$UNBOUND_B_SLAAC6_MAC -v bisolt=0 -v bconf=0 \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_add
if [ -f "$dns_ls_del" ] ; then
cat $dns_ls_del | $UNBOUND_CONTROL_CFG local_datas_remove
fi
if [ -f "$dns_ls_add" ] ; then
cat $dns_ls_add | $UNBOUND_CONTROL_CFG local_datas
fi
# prepare next round
mv $dhcp_ls_new $dhcp_ls_old
rm -f $dns_ls_del $dns_ls_add
rm -f $dns_ls_del $dns_ls_add $dhcp_ls_del $dhcp_ls_add
fi
}
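Review bot: The first added awk invocation (`-v hostfile=$UNBOUND_DHCP_CONF … -v bconf=1`) rewrites the included conf file in place, and the comment right above it says Unbound may restart asynchronously, so a restart during the write can read a truncated file; writing to `"$UNBOUND_DHCP_CONF.tmp"` and then `mv -f "$UNBOUND_DHCP_CONF.tmp" "$UNBOUND_DHCP_CONF"` keeps the include atomic. The touched lines also leave `$dhcp_origin`, `$dhcp_ls_new` and the hostfile paths unquoted; quoting them costs nothing, and `sort "$dhcp_origin" > "$dhcp_ls_new"` drops the `cat`. `odhcpd_zonedata()` begins before this hunk.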
+2
@@ -1 +1,3 @@
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
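Review bot: The added `. IN DS 20326 8 2 …` line is a root trust anchor, so its correctness decides whether every validating resolver built from this package works at all, and the commit records no provenance for it. Before merging, compare the record byte-for-byte with the root trust anchor publication at IANA rather than a secondary copy, and state the source and date in the commit message (or in a comment, if the file's consumer accepts one). Keeping the existing 19036 line alongside it looks right while both keys are in use.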
+1 -1
@@ -26,7 +26,7 @@ rootzone_uci() {
# This will likely be called outside of "start_service()" context
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
}
##############################################################################
+66 -11
@@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_N_EDNS_SIZE=1280
UNBOUND_N_FWD_PORTS=""
UNBOUND_N_RX_PORT=53
UNBOUND_N_ROOT_AGE=28
UNBOUND_N_ROOT_AGE=9
UNBOUND_TTL_MIN=120
@@ -64,6 +64,7 @@ UNBOUND_PIDFILE=/var/run/unbound.pid
UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
@@ -106,6 +107,12 @@ create_interface_dns() {
if_fqdn="$ifdashname.$host_fqdn"
if [ -z "${ulaprefix%%:/*}" ] ; then
# Nonsense so this option isn't globbed below
ulaprefix="fdno:such:addr::/48"
fi
if [ "$ignore" -gt 0 ] ; then
mode="$UNBOUND_D_WAN_FQDN"
@@ -136,10 +143,10 @@ create_interface_dns() {
{
for address in $addresses ; do
case $address in
fe80:*|169.254.*)
fe80:*|169.254.*)
echo " # note link address $address"
;;
[1-9a-f]*:*[0-9a-f])
# GA and ULA IP6 for HOST IN AAA records (ip command is robust)
for name in $names ; do
@@ -164,10 +171,10 @@ create_interface_dns() {
{
for address in $addresses ; do
case $address in
fe80:*|169.254.*)
fe80:*|169.254.*)
echo " # note link address $address"
;;
"${ulaprefix%%:/*}"*)
# Only this networks ULA and only hostname
echo " local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
@@ -251,6 +258,13 @@ unbound_mkdir() {
fi
if [ -f $UNBOUND_KEYFILE ] ; then
# Lets not lose RFC 5011 tracking if we don't have to
cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
fi
# Blind copy /etc/ to /var/lib/
mkdir -p $UNBOUND_VARDIR
rm -f $UNBOUND_VARDIR/dhcp_*
touch $UNBOUND_CONFFILE
@@ -275,7 +289,7 @@ unbound_mkdir() {
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then
elif [ -x $UNBOUND_ANCHOR ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else
@@ -283,7 +297,14 @@ unbound_mkdir() {
fi
fi
if [ -f $UNBOUND_KEYFILE.keep ] ; then
# root.key.keep is reused if newest
cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
rm -f $UNBOUND_KEYFILE.keep
fi
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
@@ -308,7 +329,7 @@ unbound_control() {
{
# Amend your own extended clauses here like forward zones or disable
# Amend your own extended clauses here like forward zones or disable
# above (local, no encryption) and amend your own remote encrypted control
echo
echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
@@ -645,14 +666,37 @@ unbound_access() {
{
# Amend your own "server:" stuff here
echo
echo "include: $UNBOUND_SRV_CONF"
echo " include: $UNBOUND_SRV_CONF"
echo
} >> $UNBOUND_CONFFILE
}
##############################################################################
unbound_adblock() {
# TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
local adb_enabled adb_file
if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
adb_enabled=0
else
/etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
fi
if [ "$adb_enabled" -gt 0 ] ; then
{
# Pull in your selected openwrt/pacakges/net/adblock generated lists
for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
echo " include: $adb_file"
done
echo
} >> $UNBOUND_CONFFILE
fi
}
##############################################################################
unbound_hostname() {
if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
{
@@ -686,6 +730,16 @@ unbound_hostname() {
config_load dhcp
config_foreach create_interface_dns dhcp
fi
if [ -f "$UNBOUND_DHCP_CONF" ] ; then
{
# Seed DHCP records because dhcp scripts trigger externally
# Incremental Unbound restarts may drop unbound-control add records
echo " include: $UNBOUND_DHCP_CONF"
echo
} >> $UNBOUND_CONFFILE
fi
fi
}
@@ -715,7 +769,7 @@ unbound_uci() {
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
@@ -799,6 +853,7 @@ unbound_start() {
if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
unbound_conf
unbound_access
unbound_adblock
if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
dnsmasq_link
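Review bot: In the `unbound_mkdir()` hunk the test `elif [ -x $UNBOUND_ANCHOR ]` drops the quotes the other line of the pair has (reading the pair as old then new); with `UNBOUND_ANCHOR` unset or empty, `[ -x ]` is a one-argument test that is true, so the branch runs `-a $UNBOUND_KEYFILE` as a command instead of falling through to `else`. Keep `elif [ -x "$UNBOUND_ANCHOR" ] ; then`. The new `unbound_adblock()` loop emits `include: $UNBOUND_VARDIR/adb_list.*` literally when no list file exists; a `[ -f "$adb_file" ] || continue` guard inside the loop avoids relying on how Unbound treats an unmatched include pattern. `unbound_mkdir()` and `unbound_hostname()` begin before their hunks.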
+1 -1
@@ -19,7 +19,7 @@ config unbound
option rebind_protection '1'
option recursion 'passive'
option resource 'small'
option root_age '28'
option root_age '9'
option ttl_min '120'
option unbound_control '0'
option validator '0'
+6 -7
@@ -1,12 +1,12 @@
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 55bbc32..14452fa 100644
index 83e7c5c..3ea2b28 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,20 +1,82 @@
@@ -1,9 +1,10 @@
-#
-# Example configuration file.
-#
-# See unbound.conf(5) man page, version 1.6.0.
-# See unbound.conf(5) man page, version 1.6.1.
-#
-# this is a comment.
+##############################################################################
@@ -19,10 +19,9 @@ index 55bbc32..14452fa 100644
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
@@ -12,9 +13,71 @@
server:
- # whitespace is not necessary, but looks cleaner.
# whitespace is not necessary, but looks cleaner.
- # verbosity number, 0 is least verbose. 1 is default.
+ # verbosity 1 is default
@@ -51,7 +50,7 @@ index 55bbc32..14452fa 100644
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue