cubixle/packages
1
0
Fork 0
mirror of https://github.com/novatiq/packages.git synced 2026-04-30 15:38:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

unbound: update to 1.8.1

Browse Source 
bug fixes for memory leaks
bug fixes for DNS over TLS

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
This commit is contained in:
Eric Luehrsen
2018-10-08 20:20:28 -04:00
parent 482d94bf47
commit f3bc02155e
2 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/unbound/patches/100-example-conf-in.patch
+86
View File
@@ -0,0 +1,86 @@
OpenWrt (modification):
Patch the default configuration file with the tiny memory
configuration example from Unbound documentation. This is the best
starting point for embedded routers if one is not going to use UCI.
Index: doc/example.conf.in
===================================================================
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
+ ############################################################################
+ # MEMORY CONTROL EXAMPLE
+ # In the example config settings below memory usage is reduced. Some ser-
+ # vice levels are lower, notable very large data and a high TCP load are
+ # no longer supported ... are exceptional for the DNS.
+ # (http://unbound.net/documentation/unbound.conf.html)
+ ############################################################################
+
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+ ############################################################################
+ # Resume Stock example.conf.in
+ ############################################################################
+
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# statistics-interval: 0