Hi Stepan,

Thanks for the feedback. See my comments inline with [adam]:

On May 14, 2013, at 8:00 AM, Stepan Henek <stepan.he...@nic.cz> wrote:

> Hello Adam,
> 
> we were implementing the same thing as you were (ucifying unbound).
> We put fewer uci attributes in our config files, so in this way our version is 
> more advanced.


[adam] Any chance I could see the version you put together? I struggled with 
the best way to handle certain aspects of the config. Perhaps you have done it 
a better way?


> 
> But there are also some things which you might want to consider:
> 
> 1) reload() function is missing in your init script
> I think that calling stop() and start() functions flushes the cache of the 
> server, which is something you don't want when you just want to reload the 
> configuration (e.g. when you are adding a zone).
> We used something like this:
> reload() {
> 
>     mkdir -p $(dirname "$CONFIGFILE")
> 
>     init_unbound
> 
>     local pidfile
>     config_get pidfile server pidfile
> 
>     if [ -f "$pidfile" ] ; then
>         kill -HUP $(cat "$pidfile")
>     fi
> }


[adam] I tried this and ran into two problems:

1. I'm running unbound as a non-root user. So in this regard, reloading unbound 
fails because the "unbound" user is not privileged to open ports, etc.

2. Using the "-c /path/to/config" option doesn't seem to be compatible with 
-HUP signal. When I sent -HUP to unbound it complained that it couldn't find 
/etc/unbound/unbound.conf, which is not the config I was using. Again, this may 
be because unbound drops privileges.


> 
> 2) You are using just a single "include" parameter
> > add_param "$cfg" "include"
> I think it would be better to include more than a single config path using 
> e.g.
> So options such as:
> > config unbound server
> >    list include_path "/etc/unbound/zone1.conf" 
> >    list include_path "/etc/unbound/zone2.conf"
> Are translated to
> > include: "/etc/unbound/zone1.conf" 
> > include: "/etc/unbound/zone2.conf"


[adam] I didn't get the impression from the unbound.conf man page that more 
than one include statement was allowed. Perhaps that was just an oversight with 
how I read it. This is a trivial change.


> 
> Our goal is to have ucified unbound in the mainstream, so we could try to 
> push it as well.
> 
> Cheers,
> Stepan
> 
> > Has anyone had a chance to look at this patch? If adjustments are needed 
> > please let me know and I'll work on getting them in.
> > 
> > Thanks!
> > Adam
> > 
> > 
> > On May 6, 2013, at 10:44 PM, Adam Gensler <openwrt at kristenandadam.net> 
> > wrote:
> > 
> > > The following patch does these things:
> > > 
> > > 1. bumps unbound to version 1.4.20.
> > > 
> > > 2. adds uci support via /etc/config/unbound. The entirety of unbound.conf 
> > > has been implemented here.
> > > 
> > > 3. removes the existing patch which applied a memory optimized config to 
> > > /etc/unbound/unbound.conf. This has been migrated to /etc/config/unbound 
> > > as "option lowmem '1'" under "config server". This is the default. 
> > > Disabling "lowmem" opens up the relevant parameters for individual 
> > > tuning, if desired.
> > > 
> > > 4. The other portions of the existing /etc/unbound/unbound.conf have been 
> > > migrated to the default /etc/config/unbound, yielding the same operation.
> > > 
> > > 5. The old /etc/unbound/unbound.conf has been renamed to 
> > > /etc/unbound/unbound.conf.example to avoid confusion.
> > > 
> > > This is my first attempt at a uci configuration port. Any feedback and/or 
> > > suggestions are greatly appreciated.
> > > 
> > > Signed-off-by: Adam Gensler <openwrt at kristenandadam.net>
> > > ---
> > > 
> > > 
> > > Index: net/unbound/files/unbound.init
> > > ===================================================================
> > > --- net/unbound/files/unbound.init    (revision 36569)
> > > +++ net/unbound/files/unbound.init    (working copy)
> > > @@ -1,14 +1,355 @@
> > > #!/bin/sh /etc/rc.common
> > > -#Copyright (C) 2010 Ondrej Caletka <o.caletka at sh.cvut.cz>
> > > -START=61
> > > +# Copyright (C) 2007-2013 OpenWrt.org
> > > 
> > > -start () {
> > > -    unbound
> > > +START=60
> > > +
> > > +SERVICE_USE_PID=1
> > > +
> > > +CONFIGFILE="/var/etc/unbound.conf"
> > > +
> > > +writeconf() {
> > > +    local opt="$1"
> > > +    local val="$2"
> > > +    local extra="$3"
> > > +
> > > +    # wrap values with spaces or / in quotes
> > > +    if [ `echo $val | grep -c "[.[:space:]/]"` -gt 0 ]; then
> > > +        val="\"$val\""
> > > +    fi
> > > +
> > > +    if [ -z "$val" ]; then
> > > +        echo "${opt}: ${val} ${extra}" >> $CONFIGFILE
> > > +    else
> > > +        echo "    ${opt}: ${val} ${extra}" >> $CONFIGFILE
> > > +    fi
> > > }
> > > 
> > > -stop () {
> > > -    PIDFILE='/var/run/unbound.pid'
> > > -    if [ -f $PIDFILE ] ; then
> > > -        kill $(cat $PIDFILE)
> > > +add_bool() {
> > > +    local section="$1"
> > > +    local option="$2"
> > > +
> > > +    if [ -z "$3" ]; then
> > > +        local config="$2"
> > > +    else
> > > +        local config="$3"
> > >     fi
> > > +
> > > +    config_get value "$section" "$option"
> > > +    [ -z "$value" ] && return 0
> > > +
> > > +    if [ "$value" -eq 0 ]; then
> > > +        value="no"
> > > +    elif [ "$value" -eq 1 ]; then
> > > +        value="yes"
> > > +    else
> > > +        return 0
> > > +    fi
> > > +
> > > +    writeconf "$config" "$value"
> > > }
> > > +
> > > +add_param() {
> > > +    local section="$1"
> > > +    local option="$2"
> > > +    
> > > +    if [ -z "$3" ]; then
> > > +        local config="$2"
> > > +    else
> > > +        local config="$3"
> > > +    fi
> > > +
> > > +    config_get value "$section" "$option"
> > > +    [ -z "$value" ] && return 0
> > > +
> > > +    writeconf "$config" "$value"
> > > +}
> > > +
> > > +add_server() {
> > > +    local cfg="$1"
> > > +
> > > +    add_param "$cfg" "include"
> > > +
> > > +    writeconf "server"
> > > +    add_param "$cfg" "verbosity"
> > > +    add_param "$cfg" "statistics_interval" "statistics-interval"
> > > +    add_bool "$cfg" "statistics_cumulative" "statistics-cumulative"
> > > +    add_bool "$cfg" "extended_statistics" "extended-statistics"
> > > +    add_param "$cfg" "port"
> > > +    config_list_foreach "$cfg" "interface" add_list "interface"
> > > +    add_param "$cfg" "interface_automatic" "interface-automatic"
> > > +    config_list_foreach "$cfg" "outgoing_interface" add_list 
> > > "outgoing-interface"
> > > +    add_param "$cfg" "outgoing_port_permit" "outgoing-port-permit"
> > > +    add_param "$cfg" "outgoing_port_avoid" "outgoing-port-avoid"
> > > +    add_param "$cfg" "edns_buffer_size" "edns-buffer-size"
> > > +    add_param "$cfg" "jostle_timeout" "jostle-timeout"
> > > +    add_param "$cfg" "so_rcvbuf" "so-rcvbuf"
> > > +    add_param "$cfg" "so_sndbuf" "so-sndbuf"
> > > +    add_param "$cfg" "cache_min_ttl" "cache-min-ttl"
> > > +    add_param "$cfg" "cache_max_ttl" "cache-max-ttl"
> > > +    add_param "$cfg" "infra_host_ttl" "infra-host-ttl"
> > > +    add_bool "$cfg" "do_ip4" "do-ip4"
> > > +    add_bool "$cfg" "do_ip6" "do-ip6"
> > > +    add_bool "$cfg" "do_udp" "do-udp"
> > > +    add_bool "$cfg" "do_tcp" "do-tcp"
> > > +    add_bool "$cfg" "tcp_upstream" "tcp-upstream"
> > > +    add_bool "$cfg" "ssl_upstream" "ssl-upstream"
> > > +    add_param "$cfg" "ssl_service_key" "ssl-service-key"
> > > +    add_param "$cfg" "ssl_service_pem" "ssl-service-pem"
> > > +    add_param "$cfg" "ssl_port" "ssl-port"
> > > +    add_bool "$cfg" "do_daemonize" "do-daemonize"
> > > +    add_param "$cfg" "chroot"
> > > +    add_param "$cfg" "username"
> > > +    add_param "$cfg" "directory"
> > > +    add_param "$cfg" "logfile"
> > > +    add_bool "$cfg" "use_syslog" "use-syslog"
> > > +    add_bool "$cfg" "log_time_ascii" "log-time-ascii"
> > > +    add_bool "$cfg" "log_queries" "log-queries"
> > > +    config_get tmpval "$cfg" pidfile "/var/run/unbound.pid"
> > > +    writeconf "pidfile" "$tmpval"
> > > +
> > > +    config_get tmpfile "$cfg" "root_hints"
> > > +    if [ ! -z "$tmpfile" ]; then
> > > +        if [ -s $tmpfile ]; then
> > > +            writeconf "root-hints" "$tmpfile"
> > > +        else
> > > +            logger -t unbound "Using built-in root-hints list, this may 
> > > be out of date."
> > > +        fi
> > > +    fi
> > > +
> > > +    add_bool "$cfg" "hide_identity" "hide-identity"
> > > +    add_param "$cfg" "identity"
> > > +    add_bool "$cfg" "hide_version" "hide-version"
> > > +    add_param "$cfg" "version"
> > > +    add_bool "$cfg" "harden_glue" "harden-glue"
> > > +    add_bool "$cfg" "harden_dnssec_stripped" "harden-dnssec-stripped"
> > > +    add_bool "$cfg" "harden_below_nxdomain" "harden-below-nxdomain"
> > > +    add_bool "$cfg" "harden_referral_path" "harden-referral-path"
> > > +    add_bool "$cfg" "use_caps_for_id" "use-caps-for-id"
> > > +    config_list_foreach "$cfg" "private_address" add_list 
> > > "private-address" 
> > > +    config_list_foreach "$cfg" "private_domain" add_list "private-domain"
> > > +    add_param "$cfg" "unwanted_reply_threshold" 
> > > "unwanted-reply-threshold"
> > > +    add_param "$cfg" "do_not_query_address" "do-not-query-address"
> > > +    add_bool "$cfg" "do_not_query_localhost" "do-not-query-localhost"
> > > +    add_bool "$cfg" "prefetch" 
> > > +    add_bool "$cfg" "prefetch_key" "prefetch-key"
> > > +    add_bool "$cfg" "rrset_roundrobin" "rrset-roundrobin"
> > > +    add_bool "$cfg" "minimal_responses" "minimal-responses"
> > > +    add_param "$cfg" "module_config" "module-config"
> > > +    add_param "$cfg" "trust_anchor_file" "trust-anchor-file"
> > > +
> > > +    # make sure the root.key file exists
> > > +    config_get tmpval "$cfg" "root_key"
> > > +    if [ -n $tmpval ]; then
> > > +        if [ ! -e "$tmpval" ] || [ ! -s "$tmpval" ]; then
> > > +            getanchor=`which unbound-anchor`
> > > +            if [ -n "$getanchor" ]; then
> > > +                logger -t unbound "Anchor file is missing, attempting to 
> > > create one."
> > > +                $getanchor -a "$tmpval"
> > > +                if [ -s "$tmpval" ]; then
> > > +                    logger -t unbound "Anchor file created, will attempt 
> > > to use it."
> > > +                    writeconf "auto-trust-anchor-file" 
> > > "/etc/unbound/root.key"
> > > +                else
> > > +                    logger -t unbound "Unable to create anchor file, 
> > > dnssec will not be validated!"
> > > +                fi
> > > +            else
> > > +                logger -t unbound "Unable to locate or empty root key 
> > > file, $tmpval, dnssec will not be validated!"
> > > +            fi
> > > +        else
> > > +            writeconf "auto-trust-anchor-file" "/etc/unbound/root.key"
> > > +        fi
> > > +    fi
> > > +
> > > +    add_param "$cfg" "trust_anchor" "trust-anchor"
> > > +    add_param "$cfg" "trusted_keys_file" "trusted-keys-file"
> > > +    add_param "$cfg" "dlv_anchor_file" "dlv-anchor-file"
> > > +    add_param "$cfg" "dlv_anchor" "dlv-anchor"
> > > +    config_list_foreach "$cfg" "domain_insecure" add_list 
> > > "domain-insecure"
> > > +    add_param "$cfg" "val_override_date" "val-override-date"
> > > +    add_param "$cfg" "val_sig_skew_min" "val-sig-skew-min"
> > > +    add_param "$cfg" "val_sig_skew_max" "val-sig-skew-max"
> > > +    add_param "$cfg" "val_bogus_ttl" "val-bogus-ttl"
> > > +    add_bool "$cfg" "val_clean_additional" "val-clean-additional"
> > > +    add_param "$cfg" "val_log_level" "val-log-level"
> > > +    add_bool "$cfg" "val_permissive_mode" "val-permissive-mode"
> > > +    add_bool "$cfg" "ignore_cd_flag" "ignore-cd-flag"
> > > +    add_param "$cfg" "val_nsec3_keysize_iterations" 
> > > "val-nsec3-keysize-iterations"
> > > +    add_param "$cfg" "add_holddown" "add-holddown"
> > > +    add_param "$cfg" "del_holddown" "del-holddown"
> > > +    add_param "$cfg" "keep_missing" "keep-missing"
> > > +
> > > +    # check to see if unbound should run with low memory optimizations
> > > +    config_get_bool lowmem "$cfg" "lowmem" 1
> > > +    if [ $lowmem -eq 1 ]; then
> > > +        writeconf "num-threads" "1"
> > > +        writeconf "outgoing-num-tcp" "1"
> > > +        writeconf "incoming-num-tcp" "1"
> > > +        writeconf "outgoing-range" "60"
> > > +        writeconf "msg-buffer-size" "8192" 
> > > +        writeconf "msg-cache-size" "100k"
> > > +        writeconf "msg-cache-slabs" "1"
> > > +        writeconf "rrset-cache-size" "100k"
> > > +        writeconf "rrset-cache-slabs" "1"
> > > +        writeconf "infra-cache-numhosts" "200"
> > > +        writeconf "infra-cache-slabs" "1"
> > > +        writeconf "key-cache-size" "100k"
> > > +        writeconf "key-cache-slabs" "1"
> > > +        writeconf "neg-cache-size" "10k"
> > > +        writeconf "num-queries-per-thread" "30"
> > > +        writeconf "target-fetch-policy" "2 1 0 0 0 0"
> > > +        writeconf "harden-large-queries" "yes"
> > > +        writeconf "harden-short-bufsize" "yes"
> > > +    else
> > > +        add_param "$cfg" "num_threads" "num-threads"
> > > +        add_param "$cfg" "outgoing_num_tcp" "outgoing-num-tcp"
> > > +        add_param "$cfg" "incoming_num_tcp" "incoming-num-tcp"
> > > +        add_param "$cfg" "outgoing_range" "outgoing-range"
> > > +        add_param "$cfg" "msg_buffer_size" "msg-buffer-size"
> > > +        add_param "$cfg" "msg_cache_size" "msg-cache-size"
> > > +        add_param "$cfg" "msg_cache_slabs" "msg-cache-slabs"
> > > +        add_param "$cfg" "rrset_cache_size" "rrset-cache-size"
> > > +        add_param "$cfg" "rrset_cache_slabs" "rrset-cache-slabs"
> > > +        add_param "$cfg" "infra_cache_numhosts" "infra-cache-numhosts"
> > > +        add_param "$cfg" "infra_cache_slabs" "infra-cache-slabs"
> > > +        add_param "$cfg" "key_cache_size" "key-cache-size"
> > > +        add_param "$cfg" "key_cache_slabs" "key-cache-slabs"
> > > +        add_param "$cfg" "neg_cache_size" "neg-cache-size"
> > > +        add_param "$cfg" "num_queries_per_thread" 
> > > "num-queries-per-thread"
> > > +        add_param "$cfg" "target_fetch_policy" "target-fetch-policy"
> > > +        add_bool "$cfg" "harden_large_queries" "harden-large-queries"
> > > +        add_bool "$cfg" "harden_short_bufsize" "harden-short-bufsize"
> > > +    fi
> > > +
> > > +
> > > +}
> > > +
> > > +add_remote() {
> > > +    local cfg="$1"
> > > +
> > > +    writeconf "remote-control"
> > > +    add_bool "$cfg" "control_enable" "control-enable"
> > > +    config_list_foreach "$cfg" "control_interface" add_list 
> > > "control-interface"
> > > +    add_param "$cfg" "control_port" "control-port"
> > > +    add_param "$cfg" "server_key_file" "server-key-file"
> > > +    add_param "$cfg" "server_cert_file" "server-cert-file"
> > > +    add_param "$cfg" "control_key_file" "control-key-file"
> > > +    add_param "$cfg" "control_cert_file" "control-cert-file"
> > > +}
> > > +
> > > +add_list() {
> > > +    local value="$1"
> > > +    local config="$2"
> > > +    writeconf "$config" "$value"
> > > +}
> > > +
> > > +add_access() {
> > > +    local cfg="$1"
> > > +
> > > +    config_get tmpip "$cfg" ipaddr
> > > +    [ -z "$tmpip" ] && return 0
> > > +
> > > +    config_get tmppolicy "$cfg" policy
> > > +    [ -z "$tmppolicy" ] && return 0
> > > +
> > > +    writeconf "access-control" "$tmpip" "$tmppolicy"
> > > +}
> > > +
> > > +add_zone() {
> > > +    local cfg="$1"
> > > +
> > > +    config_get tmpname "$cfg" name
> > > +    [ -z "$tmpname" ] && return 0
> > > +
> > > +    config_get tmptype "$cfg" type "static"
> > > +
> > > +    writeconf "local-zone" "$tmpname." "$tmptype"
> > > +}
> > > +
> > > +add_host() {
> > > +    local cfg="$1"
> > > +
> > > +    config_get tmpname "$cfg" name
> > > +    [ -z "$tmpname" ] && return 0
> > > +
> > > +    config_get tmpip "$cfg" ipaddr
> > > +    if [ -n $tmpip ]; then
> > > +        writeconf "local-data" "${tmpname}. IN A ${tmpip}"
> > > +        writeconf "local-data-ptr" "${tmpip} ${tmpname}."
> > > +    fi
> > > +
> > > +    config_get tmpip6 "$cfg" ip6addr
> > > +    if [ -n $tmpip6 ]; then
> > > +        writeconf "local-data" "${tmpname}. IN AAAA ${tmpip6}"
> > > +        writeconf "local-data-ptr" "${tmpip6} ${tmpname}."
> > > +    fi
> > > +}
> > > +
> > > +add_forward_stub() {
> > > +    local cfg="$1"
> > > +    local mode="$2"
> > > +
> > > +    config_get tmpname "$cfg" "name"
> > > +    if [ -z "$tmpname" ]; then
> > > +        logger -t unbound "${mode} zone specified but no name provided!"
> > > +        return 0
> > > +    fi
> > > +
> > > +    # should we use resolv.conf?
> > > +    config_get_bool tmpval "$cfg" "useresolv" 0
> > > +    if [ $tmpval -eq 1 ]; then
> > > +        config_get tmpfile "$cfg" "resolvfile"
> > > +        if [ -z "$tmpfile" ]; then
> > > +            logger -t unbound "resolvfile not specified but 
> > > \"useresolv\" enabled!"
> > > +            return 0
> > > +        else
> > > +            if [ -s $tmpfile ]; then
> > > +                tmpaddrs=$(grep nameserver ${tmpfile} | awk '{ print $2 
> > > }')
> > > +            fi
> > > +        fi
> > > +    else
> > > +        config_get tmpaddrs "$cfg" "ipaddr"
> > > +        config_get tmphosts "$cfg" "hostname"
> > > +
> > > +        if [ -z "$tmpaddrs" ] && [ -z "$tmphosts" ]; then
> > > +            logger -t unbound "No ipaddr or hostname specified!"
> > > +            return 0
> > > +        fi
> > > +    fi
> > > +
> > > +    writeconf "${mode}-zone"
> > > +    writeconf "name" "$tmpname"
> > > +
> > > +    for tmpaddr in $tmpaddrs
> > > +    do
> > > +        writeconf "${mode}-addr" "$tmpaddr"
> > > +    done
> > > +
> > > +    for tmphost in $tmphosts
> > > +    do
> > > +        writeconf "${mode}-host" "$tmphost"
> > > +    done
> > > +
> > > +    add_bool "$cfg" "${mode}_prime" "${mode}-prime"
> > > +    add_bool "$cfg" "${mode}_first" "${mode}-first"
> > > +}
> > > +
> > > +start() {
> > > +    config_load unbound
> > > +
> > > +    mkdir -p $(dirname $CONFIGFILE)
> > > +    echo "# Auto generated from /etc/config/unbound" > $CONFIGFILE
> > > +
> > > +    config_foreach add_server server
> > > +    config_foreach add_access access
> > > +    config_foreach add_zone zone
> > > +    config_foreach add_host host
> > > +    config_foreach add_forward_stub forward "forward"
> > > +    config_foreach add_forward_stub stub "stub"
> > > +    config_foreach add_remote remote
> > > +
> > > +    service_start /usr/sbin/unbound -c $CONFIGFILE
> > > +}
> > > +
> > > +stop() {
> > > +    service_stop /usr/sbin/unbound
> > > +}
> > > +
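Review bot: The [ -n $tmpval ] test in the root.key block of add_server, and the matching [ -n $tmpip ] and [ -n $tmpip6 ] tests in add_host, leave the variable unquoted, so when the option is unset the test collapses to [ -n ] and is always true. add_host then writes local-data and local-data-ptr lines with an empty address for any host that sets only one of ipaddr or ip6addr, and the anchor logic runs unbound-anchor with an empty path when root_key is not configured. Quote them, e.g. [ -n "$tmpval" ]. In the same root.key block both writeconf calls emit the fixed path "/etc/unbound/root.key" rather than "$tmpval", so a root_key pointing anywhere else is checked and created at that path but never passed to unbound as auto-trust-anchor-file. Finally, writeconf wraps values in double quotes without checking the value for an embedded double quote or newline, so such a value in /etc/config/unbound ends the quoted string early and the rest lands in the generated file as extra configuration; refuse those values before the echo.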
> > > Index: net/unbound/patches/001-conf.patch
> > > ===================================================================
> > > --- net/unbound/patches/001-conf.patch    (revision 36569)
> > > +++ net/unbound/patches/001-conf.patch    (working copy)
> > > @@ -1,154 +0,0 @@
> > > ---- a/doc/example.conf.in
> > > -+++ b/doc/example.conf.in
> > > -@@ -38,6 +38,8 @@ server:
> > > -     # interface: 192.0.2.154
> > > -     # interface: 192.0.2.154 at 5003
> > > -     # interface: 2001:DB8::5
> > > -+    interface: 0.0.0.0
> > > -+    interface: ::0
> > > - 
> > > -     # enable this feature to copy the source address of queries to 
> > > reply.
> > > -     # Socket options are not supported on all platforms. experimental. 
> > > -@@ -57,6 +59,7 @@ server:
> > > -     # port range that can be open simultaneously.  About double the
> > > -     # num-queries-per-thread, or, use as many as the OS will allow you.
> > > -     # outgoing-range: 4096
> > > -+    outgoing-range: 60
> > > - 
> > > -     # permit unbound to use this port number or port range for
> > > -     # making outgoing queries, using an outgoing interface.
> > > -@@ -71,9 +74,11 @@ server:
> > > - 
> > > -     # number of outgoing simultaneous tcp buffers to hold per thread.
> > > -     # outgoing-num-tcp: 10
> > > -+    outgoing-num-tcp: 1
> > > - 
> > > -     # number of incoming simultaneous tcp buffers to hold per thread.
> > > -     # incoming-num-tcp: 10
> > > -+    incoming-num-tcp: 1
> > > - 
> > > -     # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
> > > -     # 0 is system default.  Use 4m to catch query spikes for busy 
> > > servers.
> > > -@@ -90,18 +95,22 @@ server:
> > > -     # buffer size for handling DNS data. No messages larger than this
> > > -     # size can be sent or received, by UDP or TCP. In bytes.
> > > -     # msg-buffer-size: 65552
> > > -+    msg-buffer-size: 8192
> > > - 
> > > -     # the amount of memory to use for the message cache.
> > > -     # plain value in bytes or you can append k, m or G. default is 
> > > "4Mb". 
> > > -     # msg-cache-size: 4m
> > > -+    msg-cache-size: 100k
> > > - 
> > > -     # the number of slabs to use for the message cache.
> > > -     # the number of slabs must be a power of 2.
> > > -     # more slabs reduce lock contention, but fragment memory usage.
> > > -     # msg-cache-slabs: 4
> > > -+    msg-cache-slabs: 1
> > > - 
> > > -     # the number of queries that a thread gets to service.
> > > -     # num-queries-per-thread: 1024
> > > -+    num-queries-per-thread: 30
> > > - 
> > > -     # if very busy, 50% queries run to completion, 50% get timeout in 
> > > msec
> > > -     # jostle-timeout: 200
> > > -@@ -109,11 +118,13 @@ server:
> > > -     # the amount of memory to use for the RRset cache.
> > > -     # plain value in bytes or you can append k, m or G. default is 
> > > "4Mb". 
> > > -     # rrset-cache-size: 4m
> > > -+    rrset-cache-size: 100k
> > > - 
> > > -     # the number of slabs to use for the RRset cache.
> > > -     # the number of slabs must be a power of 2.
> > > -     # more slabs reduce lock contention, but fragment memory usage.
> > > -     # rrset-cache-slabs: 4
> > > -+    rrset-cache-slabs: 1
> > > - 
> > > -     # the time to live (TTL) value lower bound, in seconds. Default 0.
> > > -     # If more than an hour could easily give trouble due to stale data.
> > > -@@ -131,9 +142,11 @@ server:
> > > -     # the number of slabs must be a power of 2.
> > > -     # more slabs reduce lock contention, but fragment memory usage.
> > > -     # infra-cache-slabs: 4
> > > -+    infra-cache-slabs: 1
> > > - 
> > > -     # the maximum number of hosts that are cached (roundtrip, EDNS, 
> > > lame).
> > > -     # infra-cache-numhosts: 10000
> > > -+    infra-cache-numhosts: 200
> > > - 
> > > -     # Enable IPv4, "yes" or "no".
> > > -     # do-ip4: yes
> > > -@@ -164,6 +177,8 @@ server:
> > > -     # access-control: ::0/0 refuse
> > > -     # access-control: ::1 allow
> > > -     # access-control: ::ffff:127.0.0.1 allow
> > > -+    access-control: 0.0.0.0/0 allow
> > > -+    access-control: ::0/0 allow
> > > - 
> > > -     # if given, a chroot(2) is done to the given directory.
> > > -     # i.e. you can chroot to the working directory, for example,
> > > -@@ -194,6 +209,7 @@ server:
> > > -     # and the given username is assumed. Default is user "unbound".
> > > -     # If you give "" no privileges are dropped.
> > > -     # username: "@UNBOUND_USERNAME@"
> > > -+    username: ""
> > > - 
> > > -     # the working directory. The relative files in this config are 
> > > -     # relative to this directory. If you give "" the working directory
> > > -@@ -216,10 +232,12 @@ server:
> > > - 
> > > -     # the pid file. Can be an absolute path outside of chroot/work dir.
> > > -     # pidfile: "@UNBOUND_PIDFILE@"
> > > -+    pidfile: "/var/run/unbound.pid"
> > > - 
> > > -     # file to read root hints from.
> > > -     # get one from ftp://FTP.INTERNIC.NET/domain/named.cache
> > > -     # root-hints: ""
> > > -+    root-hints: "/etc/unbound/named.cache"
> > > - 
> > > -     # enable to not answer id.server and hostname.bind queries.
> > > -     # hide-identity: no
> > > -@@ -242,12 +260,15 @@ server:
> > > -     #    positive value: fetch that many targets opportunistically.
> > > -     # Enclose the list of numbers between quotes ("").
> > > -     # target-fetch-policy: "3 2 1 0 0"
> > > -+    target-fetch-policy: "2 1 0 0 0 0"
> > > - 
> > > -     # Harden against very small EDNS buffer sizes. 
> > > -     # harden-short-bufsize: no
> > > -+    harden-short-bufsize: yes
> > > - 
> > > -     # Harden against unseemly large queries.
> > > -     # harden-large-queries: no
> > > -+    harden-large-queries: yes
> > > - 
> > > -     # Harden against out of zone rrsets, to avoid spoofing attempts. 
> > > -     # harden-glue: yes
> > > -@@ -328,7 +349,7 @@ server:
> > > -     # you start unbound (i.e. in the system boot scripts).  And enable:
> > > -     # Please note usage of unbound-anchor root anchor is at your own 
> > > risk
> > > -     # and under the terms of our LICENSE (see that file in the source).
> > > --    # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
> > > -+    auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
> > > - 
> > > -     # File with DLV trusted keys. Same format as trust-anchor-file.
> > > -     # There can be only one DLV configured, it is trusted from root 
> > > down.
> > > -@@ -414,15 +435,18 @@ server:
> > > -     # the amount of memory to use for the key cache.
> > > -     # plain value in bytes or you can append k, m or G. default is 
> > > "4Mb". 
> > > -     # key-cache-size: 4m
> > > -+    key-cache-size: 100k
> > > - 
> > > -     # the number of slabs to use for the key cache.
> > > -     # the number of slabs must be a power of 2.
> > > -     # more slabs reduce lock contention, but fragment memory usage.
> > > -     # key-cache-slabs: 4
> > > -+    key-cache-slabs: 1
> > > - 
> > > -     # the amount of memory to use for the negative cache (used for DLV).
> > > -     # plain value in bytes or you can append k, m or G. default is 
> > > "1Mb". 
> > > -     # neg-cache-size: 1m
> > > -+    neg-cache-size: 10k
> > > - 
> > > -     # a number of locally served zones can be configured.
> > > -     #     local-zone: <zone> <type>
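Review bot: Migrating these defaults unchanged, as item 4 of the description says, keeps "access-control: 0.0.0.0/0 allow", "access-control: ::0/0 allow", "interface: 0.0.0.0" / "::0" and "username: """ from the removed 001-conf.patch, which together give a resolver that answers any source address on every interface and does not drop privileges. Since the defaults are being rewritten for uci anyway, consider limiting the default access entries to the LAN prefixes and setting a username in the new /etc/config/unbound, or state in the commit message why the open policy is kept.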
> > > Index: net/unbound/Makefile
> > > ===================================================================
> > > --- net/unbound/Makefile    (revision 36569)
> > > +++ net/unbound/Makefile    (working copy)
> > > @@ -8,12 +8,12 @@
> > > include $(TOPDIR)/rules.mk
> > > 
> > > PKG_NAME:=unbound
> > > -PKG_VERSION:=1.4.17
> > > +PKG_VERSION:=1.4.20
> > > PKG_RELEASE:=1
> > > 
> > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
> > > PKG_SOURCE_URL:=http://www.unbound.net/downloads
> > > -PKG_MD5SUM:=812d49064a78c92765970a1364736da7
> > > +PKG_MD5SUM:=1f2d0b490fd7928a708a326beda21948
> > > 
> > > PKG_BUILD_DEPENDS:=libexpat
> > > PKG_BUILD_PARALLEL:=1
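Review bot: With PKG_SOURCE_URL still on plain http, the new PKG_MD5SUM is the only check on the 1.4.20 tarball. Please confirm the value against the checksum upstream publishes for this release and note in the commit message where it was taken from.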
> > > @@ -133,9 +133,11 @@
> > >     $(INSTALL_DIR) $(1)/etc/unbound
> > >     $(INSTALL_CONF) \
> > >         $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \
> > > -        $(1)/etc/unbound/
> > > +        $(1)/etc/unbound/unbound.conf.example
> > >     $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/
> > >     $(INSTALL_CONF) ./files/named.cache $(1)/etc/unbound/
> > > +    $(INSTALL_DIR) $(1)/etc/config
> > > +    $(INSTALL_CONF) ./files/unbound.conf $(1)/etc/config/unbound
> > >     $(INSTALL_DIR) $(1)/etc/init.d
> > >     $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound
> > > endef
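Review bot: The added line "$(INSTALL_CONF) ./files/unbound.conf $(1)/etc/config/unbound" refers to a file this patch does not add: the only Index entries are unbound.init, 001-conf.patch and the Makefile. As posted, the install step has nothing to copy and the new uci defaults cannot be reviewed, so please include net/unbound/files/unbound.conf in the patch. The name is also easy to confuse with the native unbound.conf now installed as unbound.conf.example; a name such as files/unbound.config would make it clear which format the file holds.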
> > > _______________________________________________
> > > openwrt-devel mailing list
> > > openwrt-devel at lists.openwrt.org
> > > https://lists.openwrt.org/mailman/listinfo/openwrt-devel