Buildroot Archive on lore.kernel.org
From: Floris Bos <bos@je-eigen-domein.nl>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] unbound: new package
Date: Tue, 16 Sep 2014 01:20:48 +0200
Message-ID: <54177450.3090909@je-eigen-domein.nl>
In-Reply-To: <1410813982-7774-2-git-send-email-eric.le.bihan.dev@free.fr>

Hi,

On 09/15/2014 10:46 PM, Eric Le Bihan wrote:
> This package provides Unbound, a validating, recursive, and caching DNS
> resolver.

Nice addition.
We're an unbound user as well, but never got around to submitting our 
local package, and I know unbound has some odd issues.


Some points:

- Unbound (at least when using your package with sysv) currently creates 
a pid file in /etc/unbound/unbound.pid
Suggest that to be changed to /var/run/unbound.pid, so it also works on 
read-only file systems.

- Unbound is currently broken when IPv6 is disabled in the buildroot 
configuration.

Listens on both 127.0.0.1 and ::1 by default, and errors out on the ::1

==
unbound[118:0] error: node ::1:53 getaddrinfo: ai_family not supported
[13] unbound[118:0] fatal error: could not open ports
FAIL
==

You can override the default by specifying "interface: 127.0.0.1" in 
unbound.conf but then it errors out on:

==
"error: cannot parse access control: ::0/0 refuse"
==

Don't know how to override that internal ACL rule.
Might need to let the package depend on IPv6.


- Unbound is typically used as local resolving nameserver.
I was wondering if the startup script shouldn't put "nameserver 
127.0.0.1" in /etc/resolv.conf
Possibly with an option to turn that off by a setting in 
/etc/default/unbound

- Unbound expects /etc/unbound to be owned by user unbound
Or if you do enable DNSSEC by uncommenting the "auto-trust-anchor-file" 
line in /etc/unbound/unbound.conf, you get errors that it is unable to 
create files:

==
error: could not open autotrust file for writing, /root.key.306-0: Permission denied
==

- I also wonder if there shouldn't be an option to let the startup 
script run unbound-anchor prior to starting the unbound daemon.
This updates the DNSSEC trust anchor files.
(Enabling DNSSEC validation has some caveats though, in particular it 
requires the system to have correct date/time settings, so should be 
left disabled by default)

> +NAME=nsd

nsd -> unbound

> +UNBOUND_DEPENDENCIES = expat libevent openssl

libevent is an optional dependency. (don't have it in my local package)

> +++ b/package/unbound/S80unbound

- Wondering if S80unbound shouldn't be a lower number like S41 for 
systems that intend to use it as local resolver.
So that other services like S49ntp can use it to resolve pool.ntp.org.


Yours sincerely,

Floris Bos
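
The pid file location, the IPv6 listener and the trust-anchor directory raised in the message above can all be checked from unbound.conf before the daemon is started. The following is an added example, not part of the original message or of the Buildroot package; `lint_unbound_conf`, its finding names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# lint_unbound_conf CONF HAVE_IPV6   (hypothetical helper; HAVE_IPV6 is yes or no)
# Prints one finding per line, nothing when the file passes.
lint_unbound_conf() {
    awk -v ipv6="$2" '
        { sub(/#.*/, "") }                                  # strip comments
        $1 == "pidfile:"   { pid = $2; gsub(/"/, "", pid) }
        $1 == "interface:" { nif++; if ($2 ~ /:/) v6++ }    # colon means IPv6 literal
        $1 == "auto-trust-anchor-file:" { anchor = $2; gsub(/"/, "", anchor) }
        END {
            # Pid file should sit under /var/run or /run so a read-only rootfs works.
            if (pid == "")
                print "pidfile-unset"
            else if (pid !~ "^/(var/)?run/")
                print "pidfile-not-in-run " pid
            # No interface lines means the default listeners, which include ::1.
            if (ipv6 == "no" && (nif == 0 || v6 > 0))
                print "ipv6-listener"
            # The daemon user must be able to write next to the anchor file.
            if (anchor != "") {
                dir = anchor; sub("/[^/]*$", "", dir)
                print "anchor-dir-must-be-writable " (dir == "" ? "/" : dir)
            }
        }' "$1"
}

# Constructed sample configuration for a build with IPv6 disabled.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    pidfile: "/etc/unbound/unbound.pid"
    auto-trust-anchor-file: "/etc/unbound/root.key"
EOF
    lint_unbound_conf "$tmp" no
    rm -f "$tmp"
}

demo
```

An init script could run such a check and refuse to start the daemon when any finding is printed.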


Thread overview: 6+ messages
2014-09-15 20:46 [Buildroot] [PATCH] nsd: new package Eric Le Bihan
2014-09-15 20:46 ` [Buildroot] [PATCH] unbound: " Eric Le Bihan
2014-09-15 23:20   ` Floris Bos [this message]
2014-09-19 22:40     ` Eric Le Bihan
2014-09-16 20:48 ` [Buildroot] [PATCH] nsd: " Thomas Petazzoni
2014-09-19 22:49   ` Eric Le Bihan
