2017-11-08 18:31 GMT+00:00 Stuart Henderson <[email protected]>:
>

hi stu,
tyvm for your feedback and comments about it. very appreciated!
a new version of the patch is attached.

> On 2017/11/08 16:53, Vinícius Zavam wrote:
> > " -R, --resolver-name=<name>: name of the resolver to use, from the
> > list of available resolvers (see -L). Or random for a random
> > resolver accessible over IPv4, that doesn't log and supports
> > DNSSEC "
>
> > Index: net/dnscrypt-proxy/Makefile
> > ===================================================================
> > RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
> > retrieving revision 1.31
> > diff -u -a -r1.31 Makefile
> > --- net/dnscrypt-proxy/Makefile       2 Aug 2017 09:32:40 -0000
1.31
> > +++ net/dnscrypt-proxy/Makefile       8 Nov 2017 16:39:28 -0000
> > @@ -4,14 +4,15 @@
> >  COMMENT-plugins=     example plugins for dnscrypt-proxy
> >
> >  V=                   1.9.5
> > +REVISION-main=               1
>
> start with 0
>

done.

> > +
> >  DISTNAME=            dnscrypt-proxy-${V}
> >  PKGNAME-main=                dnscrypt-proxy-${V}
> >  PKGNAME-plugins=     dnscrypt-proxy-plugins-${V}
> >
> >  CATEGORIES=          net
> >
> > -MASTER_SITES=
https://download.dnscrypt.org/dnscrypt-proxy/ \
> > -                     https://download.dnscrypt.org/dnscrypt-proxy/old/
> > +MASTER_SITES=
https://download.dnscrypt.org/dnscrypt-proxy/
>
> don't remove this, it's harmless for now, and keeps the port working
> in the future if 1.9.5 moves to old/.
>

done.

> > -DNSCrypt does _not_ cache queries, so the recommended way to use it is
> > -as a forwarder for a DNS cache like Unbound. The following unbound.conf
> > -example may be used as a guideline:
> > +DNSCrypt does _not_ cache queries, so the recommended way to use it is
to forward
> > +queries and combine it with any DNS caching software like Unbound.
> > +The following unbound.conf example may be used as a guideline:
>
> original line-wrapping flows better.
>

solved.

> >  server:
> > -     interface: 127.0.0.1
> > -     interface: 192.168.1.1 # additional addresses to listen on
> > -     access-control: 192.168.1.0/24 allow # who's allowed to make
queries
> > +     interface:        127.0.0.1
> > +     # interface:      192.168.1.1           # additional addresses to
listen on
> > +     # access-control: 192.168.1.0/24 allow  # who's allowed to make
queries
> >       do-not-query-localhost: no
> > -     hide-identity: yes
> > -     hide-version: yes
> > +     hide-identity:          yes
> > +     hide-version:           yes
> >
> >  forward-zone:
> >          name: "."
> > -        forward-addr: 127.0.0.1@40
> > -       #forward-addr: 127.0.0.1@41 # example failover server, see below
> > +        forward-addr:   127.0.0.1@5301
> > +        # forward-addr: 127.0.0.1@5302          # example failover
server, see below
>
> needless shuffling of whitespace.
>

a e s t h e t i c

> is there a particular reason to change ports?
>

grep listening ports, I'd say (1024+ ports does not make a good reason
though?).

> >  A list of resolvers providing DNSCrypt service is available at
> >  ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
> > -Choose one (there is no default) and configure it, for example:
> > +This package picks a random resolver from its resolvers list. A random
resolver
> > +supposedly doesn't keep logs, and supports DNSSEC, says the manpage.
> > +
> > +If you want to configure ${FULLPKGNAME} with a custom resolver, here
is an example:
> >
> >  rcctl enable dnscrypt_proxy
> > -rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
> > +rcctl set dnscrypt_proxy flags -E -m1 -R random -a 127.0.0.1:5301
>
> the old one was an example of using a custom resolver - the new one is an
example
> of using a random resolver.
>

good point,
so here I would recommend not to use a valid resolver name as an example.

the users must pick a resolver name by themselves from the list.

> >  rcctl start dnscrypt_proxy
> >
> >  The dnscrypt-proxy utility does not support failover resolvers; as
described
> > @@ -43,7 +46,8 @@
> >
> >  ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
> >  rcctl enable dnscrypt_proxy2
> > -rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a
127.0.0.1:41
> > +rcctl set dnscrypt_proxy2 flags -E -m1 -R random -a 127.0.0.1:5302
> >  rcctl start dnscrypt_proxy2
> >
> >  For more information, see https://dnscrypt.org/
> > +
>
> needless whitespace at eol.
>

solved.

> > Index: net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc
> > ===================================================================
> > RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc,v
> > retrieving revision 1.3
> > diff -u -a -r1.3 dnscrypt_proxy.rc
> > --- net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc  4 Feb 2016 14:29:25 -0000
      1.3
> > +++ net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc  8 Nov 2017 16:39:28 -0000
> > @@ -4,6 +4,10 @@
> >
> >  daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy"
> >
> > +# defaults to use a random resolver;
> > +# supposedly doesn't keep logs, and supports DNSSEC.
> > +daemon_flags="-R random"
> > +
> >  . /etc/rc.d/rc.subr
> >
> >  rc_reload=NO
>
> I don't think we should do this. Better if it's a conscious decision
> as whoever you're resolving from is in a very trusted position. The only
> change along these lines that I'd consider is adding a mention of "-R
> random" in the README as an alternative to selecting a specific resolver..
>

I would still go for it, and suggest using 'random'.

why? most people setting up net/dnscrypt-proxy on OpenBSD would just use the
resolver shown in the example from pkg/README-main (that, of course,
includes OpenBSD developers and lots of people worried about privacy),
making the setup pretty predictable* and also leading other available/good
DNSCrypt resolvers to be misused.

[*] for every reboot (or service restart, if you really want to) you would
use a new resolver.


--
Vinícius Zavam
keybase.io/egypcio/key.asc
Index: net/dnscrypt-proxy/Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.31
diff -u -a -r1.31 Makefile
--- net/dnscrypt-proxy/Makefile	2 Aug 2017 09:32:40 -0000	1.31
+++ net/dnscrypt-proxy/Makefile	9 Nov 2017 09:19:53 -0000
@@ -4,6 +4,8 @@
 COMMENT-plugins=	example plugins for dnscrypt-proxy
 
 V=			1.9.5
+REVISION-main=		0
+
 DISTNAME=		dnscrypt-proxy-${V}
 PKGNAME-main=		dnscrypt-proxy-${V}
 PKGNAME-plugins=	dnscrypt-proxy-plugins-${V}
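Review bot: REVISION-main=0 is the right scope for this change: the files touched by the rest of the patch (pkg/README-main and pkg/dnscrypt_proxy.rc) belong to the main subpackage, so no REVISION-plugins is needed, and the hunk now leaves V= and the MASTER_SITES lines alone as asked in the previous round.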
Index: net/dnscrypt-proxy/pkg/README-main
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/README-main,v
retrieving revision 1.8
diff -u -a -r1.8 README-main
--- net/dnscrypt-proxy/pkg/README-main	23 Jan 2017 18:00:23 -0000	1.8
+++ net/dnscrypt-proxy/pkg/README-main	9 Nov 2017 09:19:53 -0000
@@ -11,29 +11,32 @@
 lookup file bind
 options edns0
 
-DNSCrypt does _not_ cache queries, so the recommended way to use it is
-as a forwarder for a DNS cache like Unbound. The following unbound.conf
-example may be used as a guideline:
+DNSCrypt does _not_ cache queries, so the recommended way to use it is to 
+forward queries and combine it with any DNS caching software like Unbound.
+The following unbound.conf example may be used as a guideline:
 
 server:
-	interface: 127.0.0.1
-	interface: 192.168.1.1 # additional addresses to listen on
-	access-control: 192.168.1.0/24 allow # who's allowed to make queries
-	do-not-query-localhost: no
-	hide-identity: yes
-	hide-version: yes
+    interface:        127.0.0.1
+    # interface:      192.168.1.1          # additional addresses to listen on
+    # access-control: 192.168.1.0/24 allow # who's allowed to make queries
+    do-not-query-localhost: no
+    hide-identity:          yes
+    hide-version:           yes
 
 forward-zone:
-        name: "."
-        forward-addr: 127.0.0.1@40
-       #forward-addr: 127.0.0.1@41 # example failover server, see below
+    name: "."
+    forward-addr:   127.0.0.1@5301
+    # forward-addr: 127.0.0.1@5302 # example failover server, see below
 
 A list of resolvers providing DNSCrypt service is available at
 ${TRUEPREFIX}/share/dnscrypt-proxy/dnscrypt-resolvers.csv.
-Choose one (there is no default) and configure it, for example:
+This package picks a random resolver from its resolvers list. A random resolver
+supposedly doesn't keep logs, and supports DNSSEC, says the manpage.
+
+If you want to configure it with a custom resolver, here is an example:
 
 rcctl enable dnscrypt_proxy
-rcctl set dnscrypt_proxy flags -E -m1 -R dnscrypt.eu-nl -a 127.0.0.1:40
+rcctl set dnscrypt_proxy flags -E -m1 -R yourchoice -a 127.0.0.1:5301
 rcctl start dnscrypt_proxy
 
 The dnscrypt-proxy utility does not support failover resolvers; as described
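Review bot: the line `+DNSCrypt does _not_ cache queries, so the recommended way to use it is to ` still ends in trailing whitespace, the same issue the previous round asked to drop. The new paragraph `This package picks a random resolver from its resolvers list` documents the `-R random` default from the rc script that the reviewer asked not to ship; if that default stays, state plainly that the no-logs and DNSSEC attributes are declared by each resolver operator in dnscrypt-resolvers.csv and not verified by the package, and replace the informal `says the manpage` with a pointer to the manual page. The tab-to-space reindent of the unbound.conf block remains whitespace-only churn; keeping the original indentation would reduce this hunk to the lines whose content actually changes (the commented-out interface/access-control lines and the new @5301/@5302 ports), and the README still gives no reason for moving off ports 40 and 41.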
@@ -43,7 +46,7 @@
 
 ln -s dnscrypt_proxy /etc/rc.d/dnscrypt_proxy2
 rcctl enable dnscrypt_proxy2
-rcctl set dnscrypt_proxy2 flags -E -m1 -R dnscrypt.eu-dk -a 127.0.0.1:41
+rcctl set dnscrypt_proxy2 flags -E -m1 -R yourchoice2 -a 127.0.0.1:5302
 rcctl start dnscrypt_proxy2
 
 For more information, see https://dnscrypt.org/
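Review bot: `yourchoice2` (and `yourchoice` in the hunk above) work as placeholders, but the README should say they are not real names and point at `-L`, which the usage text quoted earlier in this thread names as the way to list available resolvers; otherwise a reader copying the example verbatim has no hint where a valid value comes from.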
Index: net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc,v
retrieving revision 1.3
diff -u -a -r1.3 dnscrypt_proxy.rc
--- net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc	4 Feb 2016 14:29:25 -0000	1.3
+++ net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc	9 Nov 2017 09:19:53 -0000
@@ -4,6 +4,10 @@
 
 daemon="${TRUEPREFIX}/sbin/dnscrypt-proxy -d --user=_dnscrypt-proxy"
 
+# defaults to use a random resolver;
+# supposedly doesn't keep logs, and supports DNSSEC.
+daemon_flags="-R random"
+
 . /etc/rc.d/rc.subr
 
 rc_reload=NO
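Review bot: `daemon_flags="-R random"` is still shipped as the default although the review position in this thread is that the upstream resolver should be a conscious choice, since that operator sees every query. Either drop the default and document `-R random` in the README as the alternative, or make the comment say what the default actually does: it delegates trust to a different, randomly chosen third party on every restart, selected on attributes (no logs, DNSSEC) that are self-declared in dnscrypt-resolvers.csv rather than checked by the package.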

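An added example (not part of this patch or of dnscrypt-proxy itself) showing what the `-R random` default hands trust to: it filters a resolvers list on the three criteria the usage text quotes (reachable over IPv4, no logs, DNSSEC) so the pool can be reviewed before enabling it, and validates a hand-picked `-R <name>` against the list. The CSV column names are an assumption about the 1.9.x dnscrypt-resolvers.csv layout and the rows are constructed.

```python
import csv
import io
import random

# Constructed sample in the column layout of dnscrypt-resolvers.csv
# (column names are an assumption about the 1.9.x list format; the
# "DNSSEC validation" and "No logs" values are declared by each resolver
# operator, not verified by the package).
HDR = ("Name,Full name,Description,Location,Coordinates,URL,Version,"
       "DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,"
       "Provider public key,Provider public key TXT record\n")
SAMPLE_CSV = HDR + (
    'example-a,Example A,"Demo, no logs + DNSSEC",X,,https://a.example,1,'
    'yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.a.example,KEY-PLACEHOLDER,\n'
    'example-b,Example B,"Demo, keeps logs",X,,https://b.example,1,'
    'yes,no,no,192.0.2.11:443,2.dnscrypt-cert.b.example,KEY-PLACEHOLDER,\n'
    'example-c,Example C,"Demo, no DNSSEC",X,,https://c.example,1,'
    'no,yes,no,192.0.2.12:443,2.dnscrypt-cert.c.example,KEY-PLACEHOLDER,\n'
    'example-d,Example D,"Demo, IPv6 only",X,,https://d.example,1,'
    'yes,yes,no,[2001:db8::1]:443,2.dnscrypt-cert.d.example,KEY-PLACEHOLDER,\n'
)

def rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def is_ipv4(addr):
    # The list writes IPv6 endpoints as "[addr]:port", IPv4 as "addr:port".
    return not addr.startswith("[")

def random_pool(csv_text):
    """Entries matching the criteria -R random documents: IPv4, no logging,
    DNSSEC. Any of these may be chosen on the next restart, so this is the
    set to review before trusting the default."""
    return [r for r in rows(csv_text)
            if r["No logs"].strip().lower() == "yes"
            and r["DNSSEC validation"].strip().lower() == "yes"
            and is_ipv4(r["Resolver address"])]

def pick_random(csv_text, rng=random):
    names = [r["Name"] for r in random_pool(csv_text)]
    return rng.choice(names) if names else None

def lookup(csv_text, name):
    """Check a hand-picked -R <name> against the list before putting it
    into rcctl flags; returns None when the name is not listed."""
    return next((r for r in rows(csv_text) if r["Name"] == name), None)

if __name__ == "__main__":
    for r in random_pool(SAMPLE_CSV):
        print(r["Name"], r["Resolver address"], r["Provider name"])
    print("a -R random start would use e.g.", pick_random(SAMPLE_CSV))
```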