On 2017/11/08 16:53, Vinícius Zavam wrote:
> " -R, --resolver-name=<name>: name of the resolver to use, from the
> list of available resolvers (see -L). Or random for a random
> resolver accessible over IPv4, that doesn't log and supports
> DNSSEC "

> Index: net/dnscrypt-proxy/Makefile
> ===================================================================
> RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
> retrieving revision 1.31
> diff -u -a -r1.31 Makefile
> --- net/dnscrypt-proxy/Makefile       2 Aug 2017 09:32:40 -0000       1.31
> +++ net/dnscrypt-proxy/Makefile       8 Nov 2017 16:39:28 -0000
> @@ -4,14 +4,15 @@
>  COMMENT-plugins=     example plugins for dnscrypt-proxy
>  
>  V=                   1.9.5
> +REVISION-main=               1

start with 0

> +
>  DISTNAME=            dnscrypt-proxy-${V}
>  PKGNAME-main=                dnscrypt-proxy-${V}
>  PKGNAME-plugins=     dnscrypt-proxy-plugins-${V}
>  
>  CATEGORIES=          net
>  
> -MASTER_SITES=                https://download.dnscrypt.org/dnscrypt-proxy/ \
> -                     https://download.dnscrypt.org/dnscrypt-proxy/old/
> +MASTER_SITES=                https://download.dnscrypt.org/dnscrypt-proxy/

don't remove this, it's harmless for now, and keeps the port working
in the future if 1.9.5 moves to old/.

> -DNSCrypt does _not_ cache queries, so the recommended way to use it is
> -as a forwarder for a DNS cache like Unbound. The following unbound.conf
> -example may be used as a guideline:
> +DNSCrypt does _not_ cache queries, so the recommended way to use it is to 
> forward
> +queries and combine it with any DNS caching software like Unbound.
> +The following unbound.conf example may be used as a guideline:

original line-wrapping flows better.

>  server:
> -     interface: 127.0.0.1
> -     interface: 192.168.1.1 # additional addresses to listen on
> -     access-control: 192.168.1.0/24 allow # who's allowed to make queries
> +     interface:        127.0.0.1
> +     # interface:      192.168.1.1           # additional addresses to 
> listen on
> +     # access-control: 192.168.1.0/24 allow  # who's allowed to make queries
>       do-not-query-localhost: no
> -     hide-identity: yes
> -     hide-version: yes
> +     hide-identity:          yes
> +     hide-version:           yes
>  
>  forward-zone:
>          name: "."
> -        forward-addr: 127.0.0.1@40
> -       #forward-addr: 127.0.0.1@41 # example failover server, see below
> +        forward-addr:   127.0.0.1@5301
> +        # forward-addr: 127.0.0.1@5302          # example failover server, 
> see below

needless shuffling of whitespace.

is there a particular reason to change ports?

>  A list of resolvers providing DNSCrypt service is available at
>  ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
> -Choose one (there is no default) and configure it, for example:
> +This package picks a random resolver from its resolvers list. A random 
> resolver
> +supposedly doesn't keep logs, and supports DNSSEC, says the manpage.
> +
> +If you want to configure ${FULLPKGNAME} with a custom resolver, here is an 
> example:
>  
>  rcctl enable dnscrypt_proxy
> -rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
> +rcctl set dnscrypt_proxy flags -E -m1 -R random -a 127.0.0.1:5301

the old one was an example of using a custom resolver - the new one is an
example of using a random resolver.

>  rcctl start dnscrypt_proxy
>  
>  The dnscrypt-proxy utility does not support failover resolvers; as described
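
Review bot: the forward-addr and -a lines move the proxy from 127.0.0.1
ports 40/41 to 5301/5302, that is, from reserved ports (below 1024, which
only root can bind) to ports any local user can bind. If dnscrypt-proxy is
not running, another local process could listen on 5301 and answer the
queries Unbound forwards there. Unless the old ports cannot be used, keep
40 and 41, or state the reason for the change in the README.
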
> @@ -43,7 +46,8 @@
>  
>  ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
>  rcctl enable dnscrypt_proxy2
> -rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41
> +rcctl set dnscrypt_proxy2 flags -E -m1 -R random -a 127.0.0.1:5302
>  rcctl start dnscrypt_proxy2
>  
>  For more information, see https://dnscrypt.org/
> +
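
Review bot: with "-R random" on the dnscrypt_proxy2 flags line as well,
nothing guarantees the second instance picks a different resolver from the
first, so the failover setup this section describes can end up with both
forwarders pointing at the same upstream. Name a specific resolver here, as
the old "-R dnscrypt.eu-dk" line did, and keep the two instances on
distinct resolvers.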

needless whitespace at eol.

> Index: net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc
> ===================================================================
> RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc,v
> retrieving revision 1.3
> diff -u -a -r1.3 dnscrypt_proxy.rc
> --- net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc  4 Feb 2016 14:29:25 -0000       
> 1.3
> +++ net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc  8 Nov 2017 16:39:28 -0000
> @@ -4,6 +4,10 @@
>  
>  daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy"
>  
> +# defaults to use a random resolver;
> +# supposedly doesn't keep logs, and supports DNSSEC.
> +daemon_flags="-R random"
> +
>  . /etc/rc.d/rc.subr
>  
>  rc_reload=NO
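
Review bot: daemon_flags="-R random" changes behaviour for anyone who
enables the service without setting flags. The old README said "Choose one
(there is no default)", so that setup previously required naming a
resolver; with this default it starts sending queries to a resolver nobody
chose. The comment can only say the resolver "supposedly" doesn't keep
logs, and the quoted manpage text limits random to resolvers accessible
over IPv4. Leave daemon_flags unset here so the resolver is always set
explicitly through rcctl.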

I don't think we should do this. Better if it's a conscious decision
as whoever you're resolving from is in a very trusted position. The only
change along these lines that I'd consider is adding a mention of "-R
random" in the README as an alternative to selecting a specific resolver.
