package/unbound: new package

Unbound: validating, recursive & caching DNS resolver with
DNSSEC, QNAME minimisation, DNSCrypt and DNS-over-TLS support.

Signed-off-by: Stefan Ott <stefan@ott.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Stefan Ott 2020-03-29 20:00:16 +02:00 committed by Thomas Petazzoni
parent c5d43d6d0e
commit dea7f45fef
6 changed files with 150 additions and 0 deletions


@ -2360,6 +2360,9 @@ F: package/libvpx/
F: package/mesa3d-demos/ F: package/mesa3d-demos/
F: package/ti-gfx/ F: package/ti-gfx/
N: Stefan Ott <stefan@ott.net>
F: package/unbound/
N: Stefan Sørensen <stefan.sorensen@spectralink.com> N: Stefan Sørensen <stefan.sorensen@spectralink.com>
F: package/cracklib/ F: package/cracklib/
F: package/libpwquality/ F: package/libpwquality/


@ -2199,6 +2199,7 @@ endif
source "package/uftp/Config.in" source "package/uftp/Config.in"
source "package/uhttpd/Config.in" source "package/uhttpd/Config.in"
source "package/ulogd/Config.in" source "package/ulogd/Config.in"
source "package/unbound/Config.in"
source "package/ushare/Config.in" source "package/ushare/Config.in"
source "package/ussp-push/Config.in" source "package/ussp-push/Config.in"
source "package/vde2/Config.in" source "package/vde2/Config.in"

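--- a/package/unbound/Config.in
+++ b/package/unbound/Config.in
@@ -0,0 +1,38 @@
+config BR2_PACKAGE_UNBOUND
+bool "unbound"
+depends on !BR2_STATIC_LIBS
+select BR2_PACKAGE_EXPAT
+select BR2_PACKAGE_LIBEVENT
+select BR2_PACKAGE_OPENSSL
+help
+Unbound is a validating, recursive, and caching DNS resolver.
+It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
+DNSCrypt.
+https://www.unbound.net
+if BR2_PACKAGE_UNBOUND
+config BR2_PACKAGE_UNBOUND_DNSCRYPT
+bool "enable DNSCrypt"
+select BR2_PACKAGE_LIBSODIUM
+help
+DNSCrypt wraps unmodified DNS queries between a client and
+a DNS resolver. Default port used is 443 and like with
+normal unencrypted DNS, it uses UDP first and falling back
+to TCP if response too large.
+There is also DNS-over-TLS, a TCP only version
+of proposed standard for DNS encryption (RFC 7858).
+Default port for DNS-over-TLS is 853 and Unbound has
+built-in support for it.
+https://tools.ietf.org/html/rfc7858
+Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
+Here is some suggestions how to handle SNI encryption:
+https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
+endif
+comment "unbound needs a toolchain w/ dynamic library"
+depends on BR2_STATIC_LIBS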
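Review bot: The help text of BR2_PACKAGE_UNBOUND_DNSCRYPT leaves it unclear whether DNS-over-TLS depends on this option, because most of the paragraph describes DNS-over-TLS rather than DNSCrypt. The text itself says Unbound has built-in support for DNS-over-TLS, so a reader who only wants that should not be led to pull in libsodium and the DNSCrypt code; I would state it directly, e.g. `DNS-over-TLS (RFC 7858, default port 853) is built into Unbound and does not require this option.` The closing note would also read better as `Note: neither DNSCrypt nor DNS-over-TLS encrypts the SNI.` followed by `Here are some suggestions on how to handle SNI encryption:`.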


@ -0,0 +1,52 @@
#!/bin/sh
DAEMON="unbound"
PIDFILE="/var/run/$DAEMON.pid"
UNBOUND_ARGS=""
# shellcheck source=/dev/null
[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
start() {
printf 'Starting %s: ' "$DAEMON"
start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
-- $UNBOUND_ARGS
status=$?
if [ "$status" -eq 0 ]; then
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
stop() {
printf 'Stopping %s: ' "$DAEMON"
start-stop-daemon -K -q -p "$PIDFILE"
status=$?
if [ "$status" -eq 0 ]; then
rm -f "$PIDFILE"
echo "OK"
else
echo "FAIL"
fi
return "$status"
}
restart() {
stop
sleep 1
start
}
case "$1" in
start|stop|restart)
"$1";;
reload)
# Restart, since there is no true "reload" feature.
restart;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
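Review bot: stop() signals whatever PID is recorded in the pidfile, because `start-stop-daemon -K -q -p "$PIDFILE"` carries no executable match; if unbound ever exits without removing /var/run/unbound.pid, a later stop or restart could hit an unrelated process that reused the PID. Matching on the binary, as start() already does, would avoid that: `start-stop-daemon -K -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON"`. In start(), `$UNBOUND_ARGS` is expanded unquoted, which looks intentional for word splitting but deserves a comment such as `# shellcheck disable=SC2086 # we need the word splitting`; since the value is sourced from /etc/default/unbound and ends up on a root command line, that file should be writable by root only. restart() relies on `sleep 1` rather than waiting for the old process to exit, so a slow shutdown may make the following start fail.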


@ -0,0 +1,3 @@
# Locally calculated
sha256 152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955 unbound-1.10.0.tar.gz
sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db LICENSE
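Review bot: The tarball hash is marked `# Locally calculated`, which records only what the packager happened to download and not that it matches what upstream released. If the download site publishes a checksum file or a detached signature for unbound-1.10.0.tar.gz, the hash should be checked against it and the comment should say so, e.g. `# Locally calculated after checking pgp signature`, ideally with the location of the checksum or signature file noted next to it.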


@ -0,0 +1,53 @@
################################################################################
#
# unbound
#
################################################################################
UNBOUND_VERSION = 1.10.0
UNBOUND_SITE = https://www.unbound.net/downloads
UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
UNBOUND_LICENSE = BSD-3-Clause
UNBOUND_LICENSE_FILES = LICENSE
UNBOUND_CONF_OPTS = \
--disable-rpath \
--disable-debug \
--with-conf-file=/etc/unbound/unbound.conf \
--with-pidfile=/var/run/unbound.pid \
--with-rootkey-file=/etc/unbound/root.key \
--enable-tfo-server \
--with-ssl=$(STAGING_DIR)/usr
# uClibc-ng does not have MSG_FASTOPEN
# so TCP Fast Open client mode disabled for it
ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
UNBOUND_CONF_OPTS += --disable-tfo-client
else
UNBOUND_CONF_OPTS += --enable-tfo-client
endif
ifeq ($(BR2_TOOLCHAIN_HAS_THREADS_NPTL),y)
UNBOUND_CONF_OPTS += --with-pthreads
else
UNBOUND_CONF_OPTS += --without-pthreads
endif
ifeq ($(BR2_GCC_ENABLE_LTO),y)
UNBOUND_CONF_OPTS += --enable-flto
else
UNBOUND_CONF_OPTS += --disable-flto
endif
ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y)
UNBOUND_CONF_OPTS += --enable-dnscrypt
UNBOUND_DEPENDENCIES += libsodium
else
UNBOUND_CONF_OPTS += --disable-dnscrypt
endif
define UNBOUND_INSTALL_INIT_SYSV
$(INSTALL) -D -m 755 package/unbound/S70unbound \
$(TARGET_DIR)/etc/init.d/S70unbound
endef
$(eval $(autotools-package))
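Review bot: Nothing in this makefile creates an unprivileged account for the daemon to drop to, while S70unbound launches /usr/sbin/unbound as root. Unbound's default configuration switches to a user named `unbound` after binding its sockets, so unless a rootfs overlay or a custom unbound.conf covers this, the service will presumably either fail to start or end up reconfigured to keep running as root. A users table entry would close the gap: `define UNBOUND_USERS`, `unbound -1 unbound -1 * - - - unbound daemon`, `endef`. The configure options also point at /etc/unbound/root.key, but no visible step installs or generates that trust anchor, so the DNSSEC validation advertised in the help text would need it provisioned separately.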