Unbound: fix regression of manual conf for power user

- History: prior to package 1.5.10-3 /var/lib/unbound was not used
- History: prior to package 1.5.10-4 no UCI scripts were provided
- Problem: UCI 'option manual_conf 1' only copied unbound.conf and root.key
- Problem: power users that had complex file nests cannot use this
- Fix: README.md includes instructions for /var/lib/unbound jail
- Fix: unbound.sh copies ALL of /etc/unbound for 'option manual_conf 1'

Signed-off-by: Eric Luehrsen <redacted>

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index eb82db766fe82575bcb434b5d7bc25416a5da22f..17f3065f183b34e54534f76a335736a1c7e2978d 100644 (file)
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=unbound
 PKG_VERSION:=1.5.10
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE

diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index a850a65f46d14870441284c1d585da3d66541d5a..a66ac74b5d204bde853224808e469527ff7c8901 100644 (file)
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -20,7 +20,18 @@ Some UCI options will help Unbound and dnsmasq work together in **parallel**. Th
 
 Alternatives are mentioned here for completeness. DHCP event scripts which write host records are difficult to formulate for Unbound, NSD, or Bind. These programs sometimes need to be forcefully reloaded with host configuration, and reloads can bust cache. **Serial** configuration between dnsmasq and Unbound can be made on 127.0.0.1 with an off-port like #1053. This may double cache storage and incur unnecessary transfer delay.
 
-## UCI Options
+## Back to Manual Configuration
+You don't want UCI, but don't worry. We have UCI for that. However, OpenWrt or LEDE are targeted at embedded machines with flash ROM. The initialization scripts do a few things to protect flash ROM. 
+
+All of `/etc/unbound` (persistent, ROM) is copied to `/var/lib/unbound` (tmpfs, RAM). Edit your manual `/etc/unbound/unbound.conf` to reference this `/var/lib/unbound` location for included files. Note in preparation for a jail, `/var/lib/unbound` is `chown unbound`. Configure for security in`/etc/unbound/unbound.conf` with options `username:unbound` and `chroot:/var/lib/unbound`. 
+
+Finally, `root.key` maintenance for DNSKEY RFC5011 would be hard on flash. Unbound natively updates frequently. It also creates and destroys working files in the process. In `/var/lib/unbound` this is no problem, but it would be gone at the next reboot. If you have DNSSEC (validator) active, then you should consider this UCI option. Choose how many days to copy from `/var/lib/unbound/root.key` (tmpfs) to `/etc/unbound/root.key` (flash). Keep the DNSKEY updated with your choice of flash activity.
+
+       config unbound
+               option manual_conf '1'
+               option root_age '30'
+
+## Complete List of UCI Options
 **/etc/config/unbound**:
 
        config unbound

diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 83121029808a82a34584ac4952b19011447ac1e8..568c627416ed6ec61695f70a85981b4859137888 100644 (file)
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -104,6 +104,7 @@ create_domain_insecure() {
 
 unbound_mkdir() {
   mkdir -p $UNBOUND_VARDIR
+  touch $UNBOUND_CONFFILE
 
 
   if [ -f /etc/unbound/root.hints ] ; then
@@ -478,13 +479,6 @@ unbound_uci() {
 
 
   if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
-    if [ -f /etc/unbound/unbound.conf ] ; then
-      # You don't want UCI and use your own manual configuration
-      # or with no base file whatever Unbound defaults are.
-      cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
-    fi
-
-
     # Don't want this being triggered. Maybe we could, but then the
     # base conf you provide would need to be just right.
     UNBOUND_B_DNSMASQ=0
@@ -505,13 +499,13 @@ unbound_own () {
   } > $UNBOUND_CHECKFILE
 
 
-  if [ ! -f "$UNBOUND_CONFFILE" ] ; then
-    # if somehow this happened
-    touch $UNBOUND_CONFFILE
+  if [ "$UNBOUND_B_MAN_CONF" -gt 0 ] ; then
+    # You are doing your own thing, so just copy /etc/ to /var/
+    cp -p /etc/unbound/* $UNBOUND_VARDIR/
   fi
 
 
-  # Ensure Access
+  # Ensure access and prepare to jail
   chown -R unbound:unbound $UNBOUND_VARDIR
   chmod 775 $UNBOUND_VARDIR
   chmod 664 $UNBOUND_VARDIR/*