Buildroot Archive on lore.kernel.org
From: Eric Le Bihan <eric.le.bihan.dev@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] unbound: new package
Date: Sat, 20 Sep 2014 00:40:36 +0200	[thread overview]
Message-ID: <20140919224035.GB19421@itchy> (raw)
In-Reply-To: <54177450.3090909@je-eigen-domein.nl>

Hi!
On Tue, Sep 16, 2014 at 01:20:48AM +0200, Floris Bos wrote:
> Hi,
>
> On 09/15/2014 10:46 PM, Eric Le Bihan wrote:
> >This package provides Unbound, a validating, recursive, and caching DNS
> >resolver.
>
> Nice addition.
> We're an unbound user as well, but never got around to submitting our local
> package, and I know unbound has some odd issues.
>
>
> Some points:
>
> - Unbound (at least when using your package with sysv) currently creates a
> pid file in /etc/unbound/unbound.pid
> Suggest that to be changed to /var/run/unbound.pid, so it also works on
> read-only file systems.

I did it in the case where systemd is chosen as init system, but not when
choosing SysV/Busybox. Good catch.

> - Unbound is currently broken when IPv6 is disabled in the buildroot
> configuration.
>
> Listens on both 127.0.0.1 and ::1 by default, and errors out on the ::1
>
> ==
> unbound[118:0] error: node ::1:53 getaddrinfo: ai_family not supported
> [13] unbound[118:0] fatal error: could not open ports
> FAIL
> ==
>
> You can override the default by specifying "interface: 127.0.0.1" in
> unbound.conf but then it errors out on:
>
> ==
> "error: cannot parse access control: ::0/0 refuse"
> ==
>
> Don't know how to override that internal ACL rule.
> Might need to let the package depend on IPv6

I'll test this.

>
> - Unbound is typically used as local resolving nameserver.
> I was wondering if the startup script shouldn't put "nameserver 127.0.0.1"
> in /etc/resolv.conf
> Possibly with an option to turn that off by a setting in
> /etc/default/unbound
>
> - Unbound expects /etc/unbound to be owned by user unbound
> Or if you do enable DNSSEC by uncommenting the "auto-trust-anchor-file" line
> in /etc/unbound/unbound.conf, you get errors that it is unable to create
> files:
>
> ==
> error: could not open autotrust file for writing, /root.key.306-0:
> Permission denied
> ==
>
> - I also wonder if there shouldn't be an option to let the startup script
> run unbound-anchor prior to starting the unbound daemon.
> This updates the DNSSEC trust anchor files.
> (Enabling DNSSEC validation has some caveats though, in particular it
> requires the system to have correct date/time settings, so should be left
> disabled by default)

I am not (yet) familiar with DNSSEC, nor with the chroot case. Maybe this
should be left for the user to customize? I'll provide a minimal default
configuration file, so the service starts without error, anyway.

> >+NAME=nsd
>
> nsd -> unbound

Of course!
>
> >+UNBOUND_DEPENDENCIES = expat libevent openssl
>
> libevent is an optional dependency. (don't have it in my local package)

I will take this into account.

> >+++ b/package/unbound/S80unbound
>
> - Wondering if S80unbound shouldn't be a lower number like S41 for systems
> that intend to use it as local resolver.
> So that other services like S49ntp can use it to resolve pool.ntp.org.

If this is a specific user case, I think changing the priority of the service
should be left to the user.

Thanks for the review!

Best regards,
ELB
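The review points above (pid file under /var/run, no ::1 listener when IPv6 is off, optional unbound-anchor run and resolv.conf update, DNSSEC disabled by default) collected into one SysV-style helper. This is an added example, not the S80unbound from the patch or anything from the Buildroot tree; /etc/default/unbound, the variable names and the root.key path are assumptions, while the unbound.conf directives used are the documented ones from unbound.conf(5).

```shell
#!/bin/sh
# Constructed example: init helper for an Unbound package. The settings
# would normally come from /etc/default/unbound (assumed location).
[ -r /etc/default/unbound ] && . /etc/default/unbound
UNBOUND_ENABLE_IPV6="${UNBOUND_ENABLE_IPV6:-no}"   # follow the Buildroot IPv6 choice
UNBOUND_RUN_ANCHOR="${UNBOUND_RUN_ANCHOR:-no}"     # DNSSEC anchor refresh off by default
UNBOUND_SET_RESOLV="${UNBOUND_SET_RESOLV:-no}"     # rewrite /etc/resolv.conf?
UNBOUND_PIDFILE="${UNBOUND_PIDFILE:-/var/run/unbound.pid}"
UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf}"

# Emit a minimal unbound.conf: pid file under /var/run so a read-only
# rootfs works, and an IPv4 loopback listener only unless IPv6 is enabled.
gen_unbound_conf() {
    printf 'server:\n'
    printf '\tdirectory: "/etc/unbound"\n'
    printf '\tusername: "unbound"\n'
    printf '\tpidfile: "%s"\n' "$UNBOUND_PIDFILE"
    printf '\tinterface: 127.0.0.1\n'
    printf '\taccess-control: 127.0.0.0/8 allow\n'
    if [ "$UNBOUND_ENABLE_IPV6" = yes ]; then
        printf '\tinterface: ::1\n'
        printf '\taccess-control: ::1 allow\n'
    else
        printf '\tdo-ip6: no\n'   # no ::1 listener and no IPv6 transport
    fi
    # Unbound rewrites this file at runtime, so /etc/unbound must be
    # owned by the unbound user when the anchor is enabled.
    [ "$UNBOUND_RUN_ANCHOR" = yes ] &&
        printf '\tauto-trust-anchor-file: "/etc/unbound/root.key"\n'
    return 0
}

start() {
    [ -f "$UNBOUND_CONF" ] || gen_unbound_conf > "$UNBOUND_CONF"
    # Refresh the DNSSEC root trust anchor before the daemon starts;
    # this only works once the system clock is correct.
    [ "$UNBOUND_RUN_ANCHOR" = yes ] && unbound-anchor -a /etc/unbound/root.key
    unbound-checkconf "$UNBOUND_CONF" || return 1
    unbound -c "$UNBOUND_CONF" || return 1
    # Optionally make the local instance the system resolver.
    [ "$UNBOUND_SET_RESOLV" = yes ] &&
        echo "nameserver 127.0.0.1" > /etc/resolv.conf
    return 0
}

stop() {
    [ -f "$UNBOUND_PIDFILE" ] && kill "$(cat "$UNBOUND_PIDFILE")"
    return 0
}

case "$1" in start) start ;; stop) stop ;; esac
```

Installed as /etc/init.d/S41unbound it would start before S49ntp, which is the ordering Floris suggested for boards that use it as the local resolver.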
