Hi Stepan,

Thanks for the feedback. See my comments inline with [adam]:

On May 14, 2013, at 8:00 AM, Stepan Henek <[email protected]> wrote:

> Hello Adam,
>
> we were implementing the same thing as you were (ucifying unbound).
> We put fewer uci attributes in our config files, so in this way our version is
> more advanced.

[adam] Any chance I could see the version you put together? I struggled with the best way to handle certain aspects of the config. Perhaps you have done it a better way?

>
> But there are also some things which you might want to consider:
>
> 1) reload() function is missing in your init script
> I think that calling stop() and start() functions flushes the cache of the
> server, which is something you don't want when you just want to reload the
> configuration (e.g. when you are adding a zone).
> We used something like this:
> reload() {
>
>     mkdir -p $(dirname "$CONFIGFILE")
>
>     init_unbound
>
>     local pidfile
>     config_get pidfile server pidfile
>
>     if [ -f "$pidfile" ] ; then
>         kill -HUP $(cat "$pidfile")
>     fi
> }

[adam] I tried this and ran into two problems:

1. I'm running unbound as a non-root user. So in this regard, reloading unbound fails because the "unbound" user is not privileged to open ports, etc.

2. Using the "-c /path/to/config" option doesn't seem to be compatible with -HUP signal. When I sent -HUP to unbound it complained that it couldn't find /etc/unbound/unbound.conf, which is not the config I was using. Again, this may be because unbound drops privileges.

>
> 2) You are using just a single "include" parameter
>
> add_param "$cfg" "include"
> I think it would be better to include more than a single config path using
> e.g.
> So options such as:
>
> config unbound server
>
>     list include_path "/etc/unbound/zone1.conf"
>
>     list include_path "/etc/unbound/zone2.conf"
> Are translated to
>
> include: "/etc/unbound/zone1.conf"
>
> include: "/etc/unbound/zone2.conf"

[adam] I didn't get the impression from the unbound.conf man page that more than one include statement was allowed.
Perhaps that was just an oversight with how I read it. This is a trivial change.

>
> Our goal is to have ucified unbound in the mainstream, so we could try to
> push it as well.
>
> Cheers,
> Stepan
>
> > Has anyone had a chance to look at this patch? If adjustments are needed
> > please let me know and I'll work on getting them in.
> >
> > Thanks!
> > Adam
> >
> >
> > On May 6, 2013, at 10:44 PM, Adam Gensler <openwrt at kristenandadam.net>
> > wrote:
> >
> > > The following patch does these things:
> > >
> > > 1. bumps unbound to version 1.4.20.
> > >
> > > 2. adds uci support via /etc/config/unbound. The entirety of unbound.conf
> > > has been implemented here.
> > >
> > > 3. removes the existing patch which applied a memory optimized config to
> > > /etc/unbound/unbound.conf. This has been migrated to /etc/config/unbound
> > > as "option lowmem '1'" under "config server". This is the default.
> > > Disabling "lowmem" opens up the relevant parameters for individual
> > > tuning, if desired.
> > >
> > > 4. The other portions of the existing /etc/unbound/unbound.conf have been
> > > migrated to the default /etc/config/unbound, yielding the same operation.
> > >
> > > 5. The old /etc/unbound/unbound.conf has been renamed to
> > > /etc/unbound/unbound.conf.example to avoid confusion.
> > >
> > > This is my first attempt at a uci configuration port. Any feedback and/or
> > > suggestions are greatly appreciated.
> > >
> > > Signed-off-by: Adam Gensler <openwrt at kristenandadam.net>
> > > ---
> > >
> > >
> > > Index: net/unbound/files/unbound.init > > > =================================================================== > > > --- net/unbound/files/unbound.init (revision 36569) > > > +++ net/unbound/files/unbound.init (working copy) 
> > > @@ -1,14 +1,355 @@ > > > #!/bin/sh /etc/rc.common > > > -#Copyright (C) 2010 Ondrej Caletka <o.caletka at sh.cvut.cz> > > > -START=61 > > > +# Copyright (C) 2007-2013 OpenWrt.org > > > > > > -start () { > > > - unbound > > > +START=60 > > > + > > > +SERVICE_USE_PID=1 > > > + > > > +CONFIGFILE="/var/etc/unbound.conf" > > > + > > > +writeconf() { > > > + local opt="$1" > > > + local val="$2" > > > + local extra="$3" > > > + > > > + # wrap values with spaces or / in quotes > > > + if [ `echo $val | grep -c "[.[:space:]/]"` -gt 0 ]; then > > > + val="\"$val\"" > > > + fi > > > + > > > + if [ -z "$val" ]; then > > > + echo "${opt}: ${val} ${extra}" >> $CONFIGFILE > > > + else > > > + echo " ${opt}: ${val} ${extra}" >> $CONFIGFILE > > > + fi > > > } > > > > > > -stop () { > > > - PIDFILE='/var/run/unbound.pid' > > > - if [ -f $PIDFILE ] ; then > > > - kill $(cat $PIDFILE) > > > +add_bool() { > > > + local section="$1" > > > + local option="$2" > > > + > > > + if [ -z "$3" ]; then > > > + local config="$2" > > > + else > > > + local config="$3" > > > fi > > > + > > > + config_get value "$section" "$option" > > > + [ -z "$value" ] && return 0 > > > + > > > + if [ "$value" -eq 0 ]; then > > > + value="no" > > > + elif [ "$value" -eq 1 ]; then > > > + value="yes" > > > + else > > > + return 0 > > > + fi > > > + > > > + writeconf "$config" "$value" > > > } > > > + > > > +add_param() { > > > + local section="$1" > > > + local option="$2" > > > + > > > + if [ -z "$3" ]; then > > > + local config="$2" > > > + else > > > + local config="$3" > > > + fi > > > + > > > + config_get value "$section" "$option" > > > + [ -z "$value" ] && return 0 > > > + > > > + writeconf "$config" "$value" > > > +} > > > + > > > +add_server() { > > > + local cfg="$1" > > > + > > > + add_param "$cfg" "include" > > > + > > > + writeconf "server" > > > + add_param "$cfg" "verbosity" > > > + add_param "$cfg" "statistics_interval" "statistics-interval" > > > + add_bool "$cfg" "statistics_cumulative" 
"statistics-cumulative" > > > + add_bool "$cfg" "extended_statistics" "extended-statistics" > > > + add_param "$cfg" "port" > > > + config_list_foreach "$cfg" "interface" add_list "interface" > > > + add_param "$cfg" "interface_automatic" "interface-automatic" > > > + config_list_foreach "$cfg" "outgoing_interface" add_list > > > "outgoing-interface" > > > + add_param "$cfg" "outgoing_port_permit" "outgoing-port-permit" > > > + add_param "$cfg" "outgoing_port_avoid" "outgoing-port-avoid" > > > + add_param "$cfg" "edns_buffer_size" "edns-buffer-size" > > > + add_param "$cfg" "jostle_timeout" "jostle-timeout" > > > + add_param "$cfg" "so_rcvbuf" "so-rcvbuf" > > > + add_param "$cfg" "so_sndbuf" "so-sndbuf" > > > + add_param "$cfg" "cache_min_ttl" "cache-min-ttl" > > > + add_param "$cfg" "cache_max_ttl" "cache-max-ttl" > > > + add_param "$cfg" "infra_host_ttl" "infra-host-ttl" > > > + add_bool "$cfg" "do_ip4" "do-ip4" > > > + add_bool "$cfg" "do_ip6" "do-ip6" > > > + add_bool "$cfg" "do_udp" "do-udp" > > > + add_bool "$cfg" "do_tcp" "do-tcp" > > > + add_bool "$cfg" "tcp_upstream" "tcp-upstream" > > > + add_bool "$cfg" "ssl_upstream" "ssl-upstream" > > > + add_param "$cfg" "ssl_service_key" "ssl-service-key" > > > + add_param "$cfg" "ssl_service_pem" "ssl-service-pem" > > > + add_param "$cfg" "ssl_port" "ssl-port" > > > + add_bool "$cfg" "do_daemonize" "do-daemonize" > > > + add_param "$cfg" "chroot" > > > + add_param "$cfg" "username" > > > + add_param "$cfg" "directory" > > > + add_param "$cfg" "logfile" > > > + add_bool "$cfg" "use_syslog" "use-syslog" > > > + add_bool "$cfg" "log_time_ascii" "log-time-ascii" > > > + add_bool "$cfg" "log_queries" "log-queries" > > > + config_get tmpval "$cfg" pidfile "/var/run/unbound.pid" > > > + writeconf "pidfile" "$tmpval" > > > + > > > + config_get tmpfile "$cfg" "root_hints" > > > + if [ ! 
-z "$tmpfile" ]; then > > > + if [ -s $tmpfile ]; then > > > + writeconf "root-hints" "$tmpfile" > > > + else > > > + logger -t unbound "Using built-in root-hints list, this may > > > be out of date." > > > + fi > > > + fi > > > + > > > + add_bool "$cfg" "hide_identity" "hide-identity" > > > + add_param "$cfg" "identity" > > > + add_bool "$cfg" "hide_version" "hide-version" > > > + add_param "$cfg" "version" > > > + add_bool "$cfg" "harden_glue" "harden-glue" > > > + add_bool "$cfg" "harden_dnssec_stripped" "harden-dnssec-stripped" > > > + add_bool "$cfg" "harden_below_nxdomain" "harden-below-nxdomain" > > > + add_bool "$cfg" "harden_referral_path" "harden-referral-path" > > > + add_bool "$cfg" "use_caps_for_id" "use-caps-for-id" > > > + config_list_foreach "$cfg" "private_address" add_list > > > "private-address" > > > + config_list_foreach "$cfg" "private_domain" add_list "private-domain" > > > + add_param "$cfg" "unwanted_reply_threshold" > > > "unwanted-reply-threshold" > > > + add_param "$cfg" "do_not_query_address" "do-not-query-address" > > > + add_bool "$cfg" "do_not_query_localhost" "do-not-query-localhost" > > > + add_bool "$cfg" "prefetch" > > > + add_bool "$cfg" "prefetch_key" "prefetch-key" > > > + add_bool "$cfg" "rrset_roundrobin" "rrset-roundrobin" > > > + add_bool "$cfg" "minimal_responses" "minimal-responses" > > > + add_param "$cfg" "module_config" "module-config" > > > + add_param "$cfg" "trust_anchor_file" "trust-anchor-file" > > > + > > > + # make sure the root.key file exists > > > + config_get tmpval "$cfg" "root_key" > > > + if [ -n $tmpval ]; then > > > + if [ ! -e "$tmpval" ] || [ ! -s "$tmpval" ]; then > > > + getanchor=`which unbound-anchor` > > > + if [ -n "$getanchor" ]; then > > > + logger -t unbound "Anchor file is missing, attempting to > > > create one." > > > + $getanchor -a "$tmpval" > > > + if [ -s "$tmpval" ]; then > > > + logger -t unbound "Anchor file created, will attempt > > > to use it." 
> > > + writeconf "auto-trust-anchor-file" > > > "/etc/unbound/root.key" > > > + else > > > + logger -t unbound "Unable to create anchor file, > > > dnssec will not be validated!" > > > + fi > > > + else > > > + logger -t unbound "Unable to locate or empty root key > > > file, $tmpval, dnssec will not be validated!" > > > + fi > > > + else > > > + writeconf "auto-trust-anchor-file" "/etc/unbound/root.key" > > > + fi > > > + fi > > > + > > > + add_param "$cfg" "trust_anchor" "trust-anchor" > > > + add_param "$cfg" "trusted_keys_file" "trusted-keys-file" > > > + add_param "$cfg" "dlv_anchor_file" "dlv-anchor-file" > > > + add_param "$cfg" "dlv_anchor" "dlv-anchor" > > > + config_list_foreach "$cfg" "domain_insecure" add_list > > > "domain-insecure" > > > + add_param "$cfg" "val_override_date" "val-override-date" > > > + add_param "$cfg" "val_sig_skew_min" "val-sig-skew-min" > > > + add_param "$cfg" "val_sig_skew_max" "val-sig-skew-max" > > > + add_param "$cfg" "val_bogus_ttl" "val-bogus-ttl" > > > + add_bool "$cfg" "val_clean_additional" "val-clean-additional" > > > + add_param "$cfg" "val_log_level" "val-log-level" > > > + add_bool "$cfg" "val_permissive_mode" "val-permissive-mode" > > > + add_bool "$cfg" "ignore_cd_flag" "ignore-cd-flag" > > > + add_param "$cfg" "val_nsec3_keysize_iterations" > > > "val-nsec3-keysize-iterations" > > > + add_param "$cfg" "add_holddown" "add-holddown" > > > + add_param "$cfg" "del_holddown" "del-holddown" > > > + add_param "$cfg" "keep_missing" "keep-missing" > > > + > > > + # check to see if unbound should run with low memory optimizations > > > + config_get_bool lowmem "$cfg" "lowmem" 1 > > > + if [ $lowmem -eq 1 ]; then > > > + writeconf "num-threads" "1" > > > + writeconf "outgoing-num-tcp" "1" > > > + writeconf "incoming-num-tcp" "1" > > > + writeconf "outgoing-range" "60" > > > + writeconf "msg-buffer-size" "8192" > > > + writeconf "msg-cache-size" "100k" > > > + writeconf "msg-cache-slabs" "1" > > > + writeconf 
"rrset-cache-size" "100k" > > > + writeconf "rrset-cache-slabs" "1" > > > + writeconf "infra-cache-numhosts" "200" > > > + writeconf "infra-cache-slabs" "1" > > > + writeconf "key-cache-size" "100k" > > > + writeconf "key-cache-slabs" "1" > > > + writeconf "neg-cache-size" "10k" > > > + writeconf "num-queries-per-thread" "30" > > > + writeconf "target-fetch-policy" "2 1 0 0 0 0" > > > + writeconf "harden-large-queries" "yes" > > > + writeconf "harden-short-bufsize" "yes" > > > + else > > > + add_param "$cfg" "num_threads" "num-threads" > > > + add_param "$cfg" "outgoing_num_tcp" "outgoing-num-tcp" > > > + add_param "$cfg" "incoming_num_tcp" "incoming-num-tcp" > > > + add_param "$cfg" "outgoing_range" "outgoing-range" > > > + add_param "$cfg" "msg_buffer_size" "msg-buffer-size" > > > + add_param "$cfg" "msg_cache_size" "msg-cache-size" > > > + add_param "$cfg" "msg_cache_slabs" "msg-cache-slabs" > > > + add_param "$cfg" "rrset_cache_size" "rrset-cache-size" > > > + add_param "$cfg" "rrset_cache_slabs" "rrset-cache-slabs" > > > + add_param "$cfg" "infra_cache_numhosts" "infra-cache-numhosts" > > > + add_param "$cfg" "infra_cache_slabs" "infra-cache-slabs" > > > + add_param "$cfg" "key_cache_size" "key-cache-size" > > > + add_param "$cfg" "key_cache_slabs" "key-cache-slabs" > > > + add_param "$cfg" "neg_cache_size" "neg-cache-size" > > > + add_param "$cfg" "num_queries_per_thread" > > > "num-queries-per-thread" > > > + add_param "$cfg" "target_fetch_policy" "target-fetch-policy" > > > + add_bool "$cfg" "harden_large_queries" "harden-large-queries" > > > + add_bool "$cfg" "harden_short_bufsize" "harden-short-bufsize" > > > + fi > > > + > > > + > > > +} > > > + > > > +add_remote() { > > > + local cfg="$1" > > > + > > > + writeconf "remote-control" > > > + add_bool "$cfg" "control_enable" "control-enable" > > > + config_list_foreach "$cfg" "control_interface" add_list > > > "control-interface" > > > + add_param "$cfg" "control_port" "control-port" > > > + add_param 
"$cfg" "server_key_file" "server-key-file" > > > + add_param "$cfg" "server_cert_file" "server-cert-file" > > > + add_param "$cfg" "control_key_file" "control-key-file" > > > + add_param "$cfg" "control_cert_file" "control-cert-file" > > > +} > > > + > > > +add_list() { > > > + local value="$1" > > > + local config="$2" > > > + writeconf "$config" "$value" > > > +} > > > + > > > +add_access() { > > > + local cfg="$1" > > > + > > > + config_get tmpip "$cfg" ipaddr > > > + [ -z "$tmpip" ] && return 0 > > > + > > > + config_get tmppolicy "$cfg" policy > > > + [ -z "$tmppolicy" ] && return 0 > > > + > > > + writeconf "access-control" "$tmpip" "$tmppolicy" > > > +} > > > + > > > +add_zone() { > > > + local cfg="$1" > > > + > > > + config_get tmpname "$cfg" name > > > + [ -z "$tmpname" ] && return 0 > > > + > > > + config_get tmptype "$cfg" type "static" > > > + > > > + writeconf "local-zone" "$tmpname." "$tmptype" > > > +} > > > + > > > +add_host() { > > > + local cfg="$1" > > > + > > > + config_get tmpname "$cfg" name > > > + [ -z "$tmpname" ] && return 0 > > > + > > > + config_get tmpip "$cfg" ipaddr > > > + if [ -n $tmpip ]; then > > > + writeconf "local-data" "${tmpname}. IN A ${tmpip}" > > > + writeconf "local-data-ptr" "${tmpip} ${tmpname}." > > > + fi > > > + > > > + config_get tmpip6 "$cfg" ip6addr > > > + if [ -n $tmpip6 ]; then > > > + writeconf "local-data" "${tmpname}. IN AAAA ${tmpip6}" > > > + writeconf "local-data-ptr" "${tmpip6} ${tmpname}." > > > + fi > > > +} > > > + > > > +add_forward_stub() { > > > + local cfg="$1" > > > + local mode="$2" > > > + > > > + config_get tmpname "$cfg" "name" > > > + if [ -z "$tmpname" ]; then > > > + logger -t unbound "${mode} zone specified but no name provided!" > > > + return 0 > > > + fi > > > + > > > + # should we use resolv.conf? 
> > > + config_get_bool tmpval "$cfg" "useresolv" 0 > > > + if [ $tmpval -eq 1 ]; then > > > + config_get tmpfile "$cfg" "resolvfile" > > > + if [ -z "$tmpfile" ]; then > > > + logger -t unbound "resolvfile not specified but > > > \"useresolv\" enabled!" > > > + return 0 > > > + else > > > + if [ -s $tmpfile ]; then > > > + tmpaddrs=$(grep nameserver ${tmpfile} | awk '{ print $2 > > > }') > > > + fi > > > + fi > > > + else > > > + config_get tmpaddrs "$cfg" "ipaddr" > > > + config_get tmphosts "$cfg" "hostname" > > > + > > > + if [ -z "$tmpaddrs" ] && [ -z "$tmphosts" ]; then > > > + logger -t unbound "No ipaddr or hostname specified!" > > > + return 0 > > > + fi > > > + fi > > > + > > > + writeconf "${mode}-zone" > > > + writeconf "name" "$tmpname" > > > + > > > + for tmpaddr in $tmpaddrs > > > + do > > > + writeconf "${mode}-addr" "$tmpaddr" > > > + done > > > + > > > + for tmphost in $tmphosts > > > + do > > > + writeconf "${mode}-host" "$tmphost" > > > + done > > > + > > > + add_bool "$cfg" "${mode}_prime" "${mode}-prime" > > > + add_bool "$cfg" "${mode}_first" "${mode}-first" > > > +} > > > + > > > +start() { > > > + config_load unbound > > > + > > > + mkdir -p $(dirname $CONFIGFILE) > > > + echo "# Auto generated from /etc/config/unbound" > $CONFIGFILE > > > + > > > + config_foreach add_server server > > > + config_foreach add_access access > > > + config_foreach add_zone zone > > > + config_foreach add_host host > > > + config_foreach add_forward_stub forward "forward" > > > + config_foreach add_forward_stub stub "stub" > > > + config_foreach add_remote remote > > > + > > > + service_start /usr/sbin/unbound -c $CONFIGFILE > > > +} > > > + > > > +stop() { > > > + service_stop /usr/sbin/unbound > > > +} > > > + > > > Index: net/unbound/patches/001-conf.patch > > > =================================================================== > > > --- net/unbound/patches/001-conf.patch (revision 36569) > > > +++ net/unbound/patches/001-conf.patch (working copy) 
> > > @@ -1,154 +0,0 @@ > > > ---- a/doc/example.conf.in > > > -+++ b/doc/example.conf.in > > > -@@ -38,6 +38,8 @@ server: > > > - # interface: 192.0.2.154 > > > - # interface: 192.0.2.154 at 5003 > > > - # interface: 2001:DB8::5 > > > -+ interface: 0.0.0.0 > > > -+ interface: ::0 > > > - > > > - # enable this feature to copy the source address of queries to > > > reply. > > > - # Socket options are not supported on all platforms. experimental. > > > -@@ -57,6 +59,7 @@ server: > > > - # port range that can be open simultaneously. About double the > > > - # num-queries-per-thread, or, use as many as the OS will allow you. > > > - # outgoing-range: 4096 > > > -+ outgoing-range: 60 > > > - > > > - # permit unbound to use this port number or port range for > > > - # making outgoing queries, using an outgoing interface. > > > -@@ -71,9 +74,11 @@ server: > > > - > > > - # number of outgoing simultaneous tcp buffers to hold per thread. > > > - # outgoing-num-tcp: 10 > > > -+ outgoing-num-tcp: 1 > > > - > > > - # number of incoming simultaneous tcp buffers to hold per thread. > > > - # incoming-num-tcp: 10 > > > -+ incoming-num-tcp: 1 > > > - > > > - # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). > > > - # 0 is system default. Use 4m to catch query spikes for busy > > > servers. > > > -@@ -90,18 +95,22 @@ server: > > > - # buffer size for handling DNS data. No messages larger than this > > > - # size can be sent or received, by UDP or TCP. In bytes. > > > - # msg-buffer-size: 65552 > > > -+ msg-buffer-size: 8192 > > > - > > > - # the amount of memory to use for the message cache. > > > - # plain value in bytes or you can append k, m or G. default is > > > "4Mb". > > > - # msg-cache-size: 4m > > > -+ msg-cache-size: 100k > > > - > > > - # the number of slabs to use for the message cache. > > > - # the number of slabs must be a power of 2. > > > - # more slabs reduce lock contention, but fragment memory usage. 
> > > - # msg-cache-slabs: 4 > > > -+ msg-cache-slabs: 1 > > > - > > > - # the number of queries that a thread gets to service. > > > - # num-queries-per-thread: 1024 > > > -+ num-queries-per-thread: 30 > > > - > > > - # if very busy, 50% queries run to completion, 50% get timeout in > > > msec > > > - # jostle-timeout: 200 > > > -@@ -109,11 +118,13 @@ server: > > > - # the amount of memory to use for the RRset cache. > > > - # plain value in bytes or you can append k, m or G. default is > > > "4Mb". > > > - # rrset-cache-size: 4m > > > -+ rrset-cache-size: 100k > > > - > > > - # the number of slabs to use for the RRset cache. > > > - # the number of slabs must be a power of 2. > > > - # more slabs reduce lock contention, but fragment memory usage. > > > - # rrset-cache-slabs: 4 > > > -+ rrset-cache-slabs: 1 > > > - > > > - # the time to live (TTL) value lower bound, in seconds. Default 0. > > > - # If more than an hour could easily give trouble due to stale data. > > > -@@ -131,9 +142,11 @@ server: > > > - # the number of slabs must be a power of 2. > > > - # more slabs reduce lock contention, but fragment memory usage. > > > - # infra-cache-slabs: 4 > > > -+ infra-cache-slabs: 1 > > > - > > > - # the maximum number of hosts that are cached (roundtrip, EDNS, > > > lame). > > > - # infra-cache-numhosts: 10000 > > > -+ infra-cache-numhosts: 200 > > > - > > > - # Enable IPv4, "yes" or "no". > > > - # do-ip4: yes > > > -@@ -164,6 +177,8 @@ server: > > > - # access-control: ::0/0 refuse > > > - # access-control: ::1 allow > > > - # access-control: ::ffff:127.0.0.1 allow > > > -+ access-control: 0.0.0.0/0 allow > > > -+ access-control: ::0/0 allow > > > - > > > - # if given, a chroot(2) is done to the given directory. > > > - # i.e. you can chroot to the working directory, for example, > > > -@@ -194,6 +209,7 @@ server: > > > - # and the given username is assumed. Default is user "unbound". > > > - # If you give "" no privileges are dropped. 
> > > - # username: "@UNBOUND_USERNAME@" > > > -+ username: "" > > > - > > > - # the working directory. The relative files in this config are > > > - # relative to this directory. If you give "" the working directory > > > -@@ -216,10 +232,12 @@ server: > > > - > > > - # the pid file. Can be an absolute path outside of chroot/work dir. > > > - # pidfile: "@UNBOUND_PIDFILE@" > > > -+ pidfile: "/var/run/unbound.pid" > > > - > > > - # file to read root hints from. > > > - # get one from ftp://FTP.INTERNIC.NET/domain/named.cache > > > - # root-hints: "" > > > -+ root-hints: "/etc/unbound/named.cache" > > > - > > > - # enable to not answer id.server and hostname.bind queries. > > > - # hide-identity: no > > > -@@ -242,12 +260,15 @@ server: > > > - # positive value: fetch that many targets opportunistically. > > > - # Enclose the list of numbers between quotes (""). > > > - # target-fetch-policy: "3 2 1 0 0" > > > -+ target-fetch-policy: "2 1 0 0 0 0" > > > - > > > - # Harden against very small EDNS buffer sizes. > > > - # harden-short-bufsize: no > > > -+ harden-short-bufsize: yes > > > - > > > - # Harden against unseemly large queries. > > > - # harden-large-queries: no > > > -+ harden-large-queries: yes > > > - > > > - # Harden against out of zone rrsets, to avoid spoofing attempts. > > > - # harden-glue: yes > > > -@@ -328,7 +349,7 @@ server: > > > - # you start unbound (i.e. in the system boot scripts). And enable: > > > - # Please note usage of unbound-anchor root anchor is at your own > > > risk > > > - # and under the terms of our LICENSE (see that file in the source). > > > -- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" > > > -+ auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" > > > - > > > - # File with DLV trusted keys. Same format as trust-anchor-file. > > > - # There can be only one DLV configured, it is trusted from root > > > down. > > > -@@ -414,15 +435,18 @@ server: > > > - # the amount of memory to use for the key cache. 
> > > - # plain value in bytes or you can append k, m or G. default is > > > "4Mb". > > > - # key-cache-size: 4m > > > -+ key-cache-size: 100k > > > - > > > - # the number of slabs to use for the key cache. > > > - # the number of slabs must be a power of 2. > > > - # more slabs reduce lock contention, but fragment memory usage. > > > - # key-cache-slabs: 4 > > > -+ key-cache-slabs: 1 > > > - > > > - # the amount of memory to use for the negative cache (used for DLV). > > > - # plain value in bytes or you can append k, m or G. default is > > > "1Mb". > > > - # neg-cache-size: 1m > > > -+ neg-cache-size: 10k > > > - > > > - # a number of locally served zones can be configured. > > > - # local-zone: <zone> <type> > > > Index: net/unbound/Makefile > > > =================================================================== > > > --- net/unbound/Makefile (revision 36569) > > > +++ net/unbound/Makefile (working copy) > > > @@ -8,12 +8,12 @@ > > > include $(TOPDIR)/rules.mk > > > > > > PKG_NAME:=unbound > > > -PKG_VERSION:=1.4.17 > > > +PKG_VERSION:=1.4.20 > > > PKG_RELEASE:=1 > > > > > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz > > > PKG_SOURCE_URL:=http://www.unbound.net/downloads > > > -PKG_MD5SUM:=812d49064a78c92765970a1364736da7 > > > +PKG_MD5SUM:=1f2d0b490fd7928a708a326beda21948 > > > > > > PKG_BUILD_DEPENDS:=libexpat > > > PKG_BUILD_PARALLEL:=1 
> > > @@ -133,9 +133,11 @@ > > > $(INSTALL_DIR) $(1)/etc/unbound > > > $(INSTALL_CONF) \ > > > $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \ > > > - $(1)/etc/unbound/ > > > + $(1)/etc/unbound/unbound.conf.example > > > $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/ > > > $(INSTALL_CONF) ./files/named.cache $(1)/etc/unbound/ > > > + $(INSTALL_DIR) $(1)/etc/config > > > + $(INSTALL_CONF) ./files/unbound.conf $(1)/etc/config/unbound > > > $(INSTALL_DIR) $(1)/etc/init.d > > > $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound > > > endef
> > > _______________________________________________
> > > openwrt-devel mailing list
> > > openwrt-devel at lists.openwrt.org
> > > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
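
Review bot: In add_server of net/unbound/files/unbound.init, the root key test [ -n $tmpval ] is unquoted, so with no root_key configured it collapses to [ -n ], which is true, and the script goes on to run $getanchor -a "" and log that DNSSEC will not be validated. The same unquoted form in add_host ([ -n $tmpip ] and [ -n $tmpip6 ]) means a host with only one address family still gets a local-data line with an empty address. Quote all three tests. In the same root key block, both writeconf "auto-trust-anchor-file" calls hard-code "/etc/unbound/root.key" instead of "$tmpval", so the path that was checked and populated by unbound-anchor is not necessarily the one the validator reads; write "$tmpval" there. In writeconf, echo $val and >> $CONFIGFILE are also unquoted, and a value that already contains a double quote is wrapped without escaping, which lets a single UCI value break out of its line in the generated unbound.conf; quoting the expansions and rejecting values with embedded quotes or newlines would close that.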
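
Review bot: The deleted net/unbound/patches/001-conf.patch carried settings that need an explicit decision rather than a silent carry-over: interface: 0.0.0.0 and ::0 together with access-control: 0.0.0.0/0 allow and ::0/0 allow, and username: "" (no privilege drop). The description says these were migrated "yielding the same operation", which would leave the default install answering recursive queries from any source address on every interface unless the firewall blocks port 53 from the WAN. Please state in the commit message which of these defaults are kept, and consider defaulting the access section to localhost and the LAN prefixes. The username default also deserves a line, since the reply above reports running as a non-root user while the removed patch disabled privilege dropping.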
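
Review bot: The second net/unbound/Makefile hunk installs ./files/unbound.conf to $(1)/etc/config/unbound, but the posted diff contains no Index: entry adding net/unbound/files/unbound.conf, so the package cannot be built from this patch and the UCI defaults it ships cannot be reviewed. Please resend with that file included.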
