From 382eee5556ca3b561b6b62024f2b010102a877aa Mon Sep 17 00:00:00 2001 From: Stephen Walker Date: Wed, 13 Jul 2011 05:35:48 +0000 Subject: [PATCH] [packages] unbound: update to 1.4.11 (#9374), thanks Cybjit * add anchor, control, control-setup, host & library packages * add patch for the configuration options * drop the incomplete local configuration file * update named.cache * use the default auto-trust-anchor-file filename SVN-Revision: 27603 --- net/unbound/Makefile | 145 +++++++++++++++-- net/unbound/files/named.cache | 5 +- net/unbound/files/{root.autokey => root.key} | 0 net/unbound/files/unbound.conf | 83 ---------- net/unbound/patches/001-conf.patch | 158 +++++++++++++++++++ 5 files changed, 289 insertions(+), 102 deletions(-) rename net/unbound/files/{root.autokey => root.key} (100%) delete mode 100644 net/unbound/files/unbound.conf create mode 100644 net/unbound/patches/001-conf.patch diff --git a/net/unbound/Makefile b/net/unbound/Makefile index 5f9948e76e..d2a14820e3 100644 --- a/net/unbound/Makefile +++ b/net/unbound/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2010 OpenWrt.org +# Copyright (C) 2010-2011 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,55 +8,166 @@ include $(TOPDIR)/rules.mk PKG_NAME:=unbound -PKG_VERSION:=1.4.5 -PKG_RELEASE:=3 +PKG_VERSION:=1.4.11 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.unbound.net/downloads -PKG_MD5SUM:=f1f6c97b90b15ca503a80b888c311d6c +PKG_MD5SUM:=8e9903dd5cba0d3501e24f55b25debbd +PKG_BUILD_DEPENDS:=libexpat +PKG_BUILD_PARALLEL:=1 PKG_FIXUP:=libtool PKG_INSTALL:=1 PKG_LIBTOOL_PATHS:= ./libtool ./ldns-src/libtool include $(INCLUDE_DIR)/package.mk +define Package/unbound/Default + TITLE:=A validating, recursive & caching DNS resolver + URL:=http://www.unbound.net/ + DEPENDS:=+libldns +endef + define Package/unbound + $(call Package/unbound/Default) SECTION:=net CATEGORY:=Network SUBMENU:=IP Addresses and Names - TITLE:=A validating, recursive, and caching DNS resolver - URL:=http://www.unbound.net/ - DEPENDS:=+libopenssl + TITLE+= (daemon) + DEPENDS+= +libunbound +endef + +define Package/unbound/description + This package contains the Unbound daemon. +endef + +define Package/unbound-anchor + $(call Package/unbound/Default) + SECTION:=net + CATEGORY:=Network + SUBMENU:=IP Addresses and Names + TITLE+= (anchor utility) + DEPENDS+= +unbound +libexpat +endef + +define Package/unbound-anchor/description + This package contains the Unbound anchor utility. +endef + +define Package/unbound-control + $(call Package/unbound/Default) + SECTION:=net + CATEGORY:=Network + SUBMENU:=IP Addresses and Names + TITLE+= (control utility) + DEPENDS+= +unbound +endef + +define Package/unbound-control/description + This package contains the Unbound control utility. +endef + +define Package/unbound-control-setup + $(call Package/unbound/Default) + SECTION:=net + CATEGORY:=Network + SUBMENU:=IP Addresses and Names + TITLE+= (control setup utility) + DEPENDS+= +unbound-control +openssl-util +endef + +define Package/unbound-control-setup/description + This package contains the Unbound control setup utility. +endef + +define Package/unbound-host + $(call Package/unbound/Default) + SECTION:=net + CATEGORY:=Network + SUBMENU:=IP Addresses and Names + TITLE+= (DNS lookup utility) + DEPENDS+= +libunbound +endef + +define Package/unbound-host/description + This package contains the Unbound DNS lookup utility. +endef + +define Package/libunbound + $(call Package/unbound/Default) + SECTION:=libs + CATEGORY:=Libraries + TITLE+= (library) +endef + +define Package/libunbound/description + This package contains the Unbound shared library. endef CONFIGURE_ARGS += \ + --disable-gost \ + --enable-allsymbols \ + --with-ldns="$(STAGING_DIR)/usr" \ + --with-libexpat="$(STAGING_DIR)/usr" \ --with-ssl="$(STAGING_DIR)/usr" \ - --without-pthreads \ + --without-pthreads define Package/unbound/conffiles /etc/unbound/unbound.conf endef -define Package/unbound/install +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include + $(CP) $(PKG_INSTALL_DIR)/usr/include/unbound.h $(1)/usr/include/ $(INSTALL_DIR) $(1)/usr/lib - $(CP) \ - $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* \ - $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libunbound.{so*,a,la} $(1)/usr/lib/ +endef + +define Package/unbound/install $(INSTALL_DIR) $(1)/usr/sbin $(CP) \ $(PKG_INSTALL_DIR)/usr/sbin/unbound \ $(PKG_INSTALL_DIR)/usr/sbin/unbound-checkconf \ - $(PKG_INSTALL_DIR)/usr/sbin/unbound-control \ - $(PKG_INSTALL_DIR)/usr/sbin/unbound-host \ $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/etc/unbound - $(INSTALL_CONF) ./files/unbound.conf $(1)/etc/unbound/ - $(INSTALL_CONF) ./files/root.autokey $(1)/etc/unbound/ + $(INSTALL_CONF) \ + $(PKG_INSTALL_DIR)/etc/unbound/unbound.conf \ + $(1)/etc/unbound/ + $(INSTALL_CONF) ./files/root.key $(1)/etc/unbound/ $(INSTALL_CONF) ./files/named.cache $(1)/etc/unbound/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/unbound.init $(1)/etc/init.d/unbound endef -$(eval $(call BuildPackage,unbound)) +define Package/unbound-anchor/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-anchor $(1)/usr/sbin/ +endef + +define Package/unbound-control/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control $(1)/usr/sbin/ +endef + +define Package/unbound-control-setup/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-control-setup $(1)/usr/sbin/ +endef +define Package/unbound-host/install + $(INSTALL_DIR) $(1)/usr/sbin + $(CP) $(PKG_INSTALL_DIR)/usr/sbin/unbound-host $(1)/usr/sbin/ +endef + +define Package/libunbound/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libunbound.so.* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,unbound)) +$(eval $(call BuildPackage,unbound-anchor)) +$(eval $(call BuildPackage,unbound-control)) +$(eval $(call BuildPackage,unbound-control-setup)) +$(eval $(call BuildPackage,unbound-host)) +$(eval $(call BuildPackage,libunbound)) diff --git a/net/unbound/files/named.cache b/net/unbound/files/named.cache index d081faaf52..8fbbb656b2 100644 --- a/net/unbound/files/named.cache +++ b/net/unbound/files/named.cache @@ -9,8 +9,8 @@ ; on server FTP.INTERNIC.NET ; -OR- RS.INTERNIC.NET ; -; last update: Jun 17, 2010 -; related version of root zone: 2010061700 +; last update: Jun 8, 2011 +; related version of root zone: 2011060800 ; ; formerly NS.INTERNIC.NET ; @@ -32,6 +32,7 @@ C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 ; . 3600000 NS D.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D ; ; FORMERLY NS.NASA.GOV ; diff --git a/net/unbound/files/root.autokey b/net/unbound/files/root.key similarity index 100% rename from net/unbound/files/root.autokey rename to net/unbound/files/root.key diff --git a/net/unbound/files/unbound.conf b/net/unbound/files/unbound.conf deleted file mode 100644 index 3ea940ca63..0000000000 --- a/net/unbound/files/unbound.conf +++ /dev/null @@ -1,83 +0,0 @@ -server: - verbosity: 1 - - interface: ::0 - interface: 0.0.0.0 - - # the amount of memory to use for the RRset cache. - # plain value in bytes or you can append k, m or G. default is "4Mb". - rrset-cache-size: 1m - - # the number of slabs to use for the RRset cache. - # the number of slabs must be a power of 2. - # more slabs reduce lock contention, but fragment memory usage. - rrset-cache-slabs: 2 - - # control which clients are allowed to make (recursive) queries - # to this server. Specify classless netblocks with /size and action. - # By default everything is refused, except for localhost. - # Choose deny (drop message), refuse (polite error reply), - # allow (recursive ok), allow_snoop (recursive and nonrecursive ok) - # access-control: 0.0.0.0/0 refuse - # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse - # access-control: ::1 allow - # access-control: ::ffff:127.0.0.1 allow - access-control: 0.0.0.0/0 allow - access-control: ::0/0 allow - - - # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is user "unbound". - # If you give "" no privileges are dropped. - # username: "unbound" - username: "" - - # the working directory. The relative files in this config are - # relative to this directory. If you give "" the working directory - # is not changed. - directory: "/etc/unbound" - - # the log file, "" means log to stderr. - # Use of this option sets use-syslog to "no". - # logfile: "" - - # Log to syslog(3) if yes. The log facility LOG_DAEMON is used to - # log to, with identity "unbound". If yes, it overrides the logfile. - use-syslog: yes - - # print UTC timestamp in ascii to logfile, default is epoch in seconds. - # log-time-ascii: no - - # the pid file. Can be an absolute path outside of chroot/work dir. - pidfile: "/var/run/unbound.pid" - - # file to read root hints from. - # get one from ftp://FTP.INTERNIC.NET/domain/named.cache - root-hints: "named.cache" - - - # Root zone trust anchor key - # Will be autoupdated by unbound in case of key change - auto-trust-anchor-file: "root.autokey" - - # If you want to also do DLV validation (RFC5074), - # download http://ftp.isc.org/www/dlv/dlv.isc.org.key - # and uncomment following line: - #dlv-anchor-file: "dlv.isc.org.key" - - # You can also do ITAR validation (https://itar.iana.org) - # To download and update anchors.mf file, use update-itar.sh - # from page http://www.unbound.net/documentation/howto_itar.html - #trust-anchor-file: "anchors.mf" - - - # If you want to forward requests to another recursive DNS server - # uncomment this. Please note that many DNS recursors do strip - # DNSSEC data, rendering unbound server unusable. - # forward-zone: - # name: "." - # forward-addr: 8.8.8.8 - # forward-addr: 8.8.4.4 - - diff --git a/net/unbound/patches/001-conf.patch b/net/unbound/patches/001-conf.patch new file mode 100644 index 0000000000..2365111165 --- /dev/null +++ b/net/unbound/patches/001-conf.patch @@ -0,0 +1,158 @@ +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -38,6 +38,8 @@ server: + # interface: 192.0.2.154 + # interface: 192.0.2.154@5003 + # interface: 2001:DB8::5 ++ interface: 0.0.0.0 ++ interface: ::0 + + # enable this feature to copy the source address of queries to reply. + # Socket options are not supported on all platforms. experimental. +@@ -57,6 +59,7 @@ server: + # port range that can be open simultaneously. About double the + # num-queries-per-thread, or, use as many as the OS will allow you. + # outgoing-range: 4096 ++ outgoing-range: 60 + + # permit unbound to use this port number or port range for + # making outgoing queries, using an outgoing interface. +@@ -71,9 +74,11 @@ server: + + # number of outgoing simultaneous tcp buffers to hold per thread. + # outgoing-num-tcp: 10 ++ outgoing-num-tcp: 1 + + # number of incoming simultaneous tcp buffers to hold per thread. + # incoming-num-tcp: 10 ++ incoming-num-tcp: 1 + + # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). + # 0 is system default. Use 4m to catch query spikes for busy servers. +@@ -90,18 +95,22 @@ server: + # buffer size for handling DNS data. No messages larger than this + # size can be sent or received, by UDP or TCP. In bytes. + # msg-buffer-size: 65552 ++ msg-buffer-size: 8192 + + # the amount of memory to use for the message cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # msg-cache-size: 4m ++ msg-cache-size: 100k + + # the number of slabs to use for the message cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # msg-cache-slabs: 4 ++ msg-cache-slabs: 1 + + # the number of queries that a thread gets to service. + # num-queries-per-thread: 1024 ++ num-queries-per-thread: 30 + + # if very busy, 50% queries run to completion, 50% get timeout in msec + # jostle-timeout: 200 +@@ -109,11 +118,13 @@ server: + # the amount of memory to use for the RRset cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # rrset-cache-size: 4m ++ rrset-cache-size: 100k + + # the number of slabs to use for the RRset cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # rrset-cache-slabs: 4 ++ rrset-cache-slabs: 1 + + # the time to live (TTL) value lower bound, in seconds. Default 0. + # If more than an hour could easily give trouble due to stale data. +@@ -134,12 +145,15 @@ server: + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # infra-cache-slabs: 4 ++ infra-cache-slabs: 1 + + # the maximum number of hosts that are cached (roundtrip times, EDNS). + # infra-cache-numhosts: 10000 ++ infra-cache-numhosts: 200 + + # the maximum size of the lame zones cached per host. in bytes. + # infra-cache-lame-size: 10k ++ infra-cache-lame-size: 1k + + # Enable IPv4, "yes" or "no". + # do-ip4: yes +@@ -166,6 +180,8 @@ server: + # access-control: ::0/0 refuse + # access-control: ::1 allow + # access-control: ::ffff:127.0.0.1 allow ++ access-control: 0.0.0.0/0 allow ++ access-control: ::0/0 allow + + # if given, a chroot(2) is done to the given directory. + # i.e. you can chroot to the working directory, for example, +@@ -196,6 +212,7 @@ server: + # and the given username is assumed. Default is user "unbound". + # If you give "" no privileges are dropped. + # username: "@UNBOUND_USERNAME@" ++ username: "" + + # the working directory. The relative files in this config are + # relative to this directory. If you give "" the working directory +@@ -218,10 +235,12 @@ server: + + # the pid file. Can be an absolute path outside of chroot/work dir. + # pidfile: "@UNBOUND_PIDFILE@" ++ pidfile: "/var/run/unbound.pid" + + # file to read root hints from. + # get one from ftp://FTP.INTERNIC.NET/domain/named.cache + # root-hints: "" ++ root-hints: "/etc/unbound/named.cache" + + # enable to not answer id.server and hostname.bind queries. + # hide-identity: no +@@ -244,12 +263,15 @@ server: + # positive value: fetch that many targets opportunistically. + # Enclose the list of numbers between quotes (""). + # target-fetch-policy: "3 2 1 0 0" ++ target-fetch-policy: "2 1 0 0 0 0" + + # Harden against very small EDNS buffer sizes. + # harden-short-bufsize: no ++ harden-short-bufsize: yes + + # Harden against unseemly large queries. + # harden-large-queries: no ++ harden-large-queries: yes + + # Harden against out of zone rrsets, to avoid spoofing attempts. + # harden-glue: yes +@@ -323,7 +345,7 @@ server: + # you start unbound (i.e. in the system boot scripts). And enable: + # Please note usage of unbound-anchor root anchor is at your own risk + # and under the terms of our LICENSE (see that file in the source). +- # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" ++ auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" + + # File with DLV trusted keys. Same format as trust-anchor-file. + # There can be only one DLV configured, it is trusted from root down. +@@ -409,15 +431,18 @@ server: + # the amount of memory to use for the key cache. + # plain value in bytes or you can append k, m or G. default is "4Mb". + # key-cache-size: 4m ++ key-cache-size: 100k + + # the number of slabs to use for the key cache. + # the number of slabs must be a power of 2. + # more slabs reduce lock contention, but fragment memory usage. + # key-cache-slabs: 4 ++ key-cache-slabs: 1 + + # the amount of memory to use for the negative cache (used for DLV). + # plain value in bytes or you can append k, m or G. default is "1Mb". + # neg-cache-size: 1m ++ neg-cache-size: 10k + + # a number of locally served zones can be configured. + # local-zone: -- 2.30.2