From d1cb135e7260c7525727e6ea779d5ed5067208c3 Mon Sep 17 00:00:00 2001
From: churchofnoise <65717719+churchofnoise@users.noreply.github.com>
Date: Wed, 8 May 2024 11:20:18 +0200
Subject: [PATCH 1/2] Update Dockerfile Update to Unbound 1.20.0
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6becc04..9a51e6c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -59,9 +59,9 @@ FROM build-base AS unbound
 WORKDIR /src
-ARG UNBOUND_VERSION=1.19.3
-# https://nlnetlabs.nl/downloads/unbound/unbound-1.19.3.tar.gz.sha256
-ARG UNBOUND_SHA256="3ae322be7dc2f831603e4b0391435533ad5861c2322e34a76006a9fb65eb56b9"
+ARG UNBOUND_VERSION=1.20.0
+# https://nlnetlabs.nl/downloads/unbound/unbound-1.20.0.tar.gz.sha256
+ARG UNBOUND_SHA256="56b4ceed33639522000fd96775576ddf8782bb3617610715d7f1e777c5ec1dbf"
 ADD https://nlnetlabs.nl/downloads/unbound/unbound-${UNBOUND_VERSION}.tar.gz unbound.tar.gz
From 09aa5d95ea52d61064716b29709ba8f79e9a8e4f Mon Sep 17 00:00:00 2001
From: churchofnoise <65717719+churchofnoise@users.noreply.github.com>
Date: Wed, 8 May 2024 11:23:23 +0200
Subject: [PATCH 2/2] Update unbound.conf.example Refresh with example config from https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in
---
 .../etc/unbound/unbound.conf.example | 75 +++++++++++++++----
 1 file changed, 59 insertions(+), 16 deletions(-)
diff --git a/rootfs_overlay/etc/unbound/unbound.conf.example b/rootfs_overlay/etc/unbound/unbound.conf.example
index 296837a..e0aec8e 100644
--- a/rootfs_overlay/etc/unbound/unbound.conf.example
+++ b/rootfs_overlay/etc/unbound/unbound.conf.example
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.19.3.
+# See unbound.conf(5) man page, version @version@.
 #
 # this is a comment.
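Review bot: The new header line `# See unbound.conf(5) man page, version @version@.` in unbound.conf.example carries an unexpanded autoconf placeholder, which suggests the file was copied from the `example.conf.in` template named in the commit message rather than from a generated example.conf. The later hunks do the same, replacing concrete values with `@UNBOUND_CHROOT_DIR@`, `@UNBOUND_USERNAME@`, `@UNBOUND_RUN_DIR@`, `@UNBOUND_PIDFILE@`, `@UNBOUND_ROOTKEY_FILE@`, `@UNBOUND_SHARE_DIR@` and `@DNSTAP_SOCKET_PATH@`. A user who uncomments `chroot:` or `username:` as written hands unbound a literal placeholder instead of a real path or account, so those hardening settings would presumably fail rather than apply. I would keep the values from the old side, e.g. `# chroot: "/var/unbound"` and `# username: "unbound"`, and write the version as `1.20.0`. Because the source is master rather than the 1.20.0 release, it is also worth confirming that every option documented here exists in the version the Dockerfile builds.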
@@ -191,6 +191,21 @@ server:
 # are behind a slow satellite link, to eg. 1128.
 # unknown-server-time-limit: 376
+ # msec before recursion replies are dropped. The work item continues.
+ # discard-timeout: 1900
+
+ # Max number of replies waiting for recursion per IP address.
+ # wait-limit: 1000
+
+ # Max replies waiting for recursion for IP address with cookie.
+ # wait-limit-cookie: 10000
+
+ # Apart from the default, the wait limit can be set for a netblock.
+ # wait-limit-netblock: 192.0.2.0/24 50000
+
+ # Apart from the default, the wait limit with cookie can be adjusted.
+ # wait-limit-cookie-netblock: 192.0.2.0/24 50000
+
 # the amount of memory to use for the RRset cache.
 # plain value in bytes or you can append k, m or G. default is "4Mb".
 # rrset-cache-size: 4m
@@ -211,6 +226,11 @@ server:
 # the time to live (TTL) value cap for negative responses in the cache
 # cache-max-negative-ttl: 3600
+ # the time to live (TTL) value lower bound, in seconds. Default 0.
+ # For negative responses in the cache. If disabled, default,
+ # cache-min-tll applies if configured.
+ # cache-min-negative-ttl: 0
+
 # the time to live (TTL) value for cached roundtrip times, lameness and
 # EDNS version information for hosts. In seconds.
 # infra-host-ttl: 900
@@ -283,7 +303,8 @@ server:
 # Enable EDNS TCP keepalive option.
 # edns-tcp-keepalive: no
- # Timeout for EDNS TCP keepalive, in msec.
+ # Timeout for EDNS TCP keepalive, in msec. Overrides tcp-idle-timeout
+ # if edns-tcp-keepalive is set.
 # edns-tcp-keepalive-timeout: 120000
 # UDP queries that have waited in the socket buffer for a long time
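Review bot: In the hunk at -211,6 +226,11 the added comment reads `# cache-min-tll applies if configured.`, which names no option; `cache-min-ttl` is presumably meant. I would change the line to `# cache-min-ttl applies if configured.` so that a reader looking up the fallback option in the man page finds it. The wording appears to come from the copied upstream example, so the correction may belong upstream as well.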
@@ -303,6 +324,7 @@ server:
 # Choose deny (drop message), refuse (polite error reply),
 # allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
 # allow_snoop (recursive and nonrecursive ok)
+ # allow_cookie (allow UDP with valid cookie or stateful transport)
 # deny_non_local (drop queries unless can be answered from local-data)
 # refuse_non_local (like deny_non_local but polite error reply).
 # access-control: 127.0.0.0/8 allow
@@ -401,19 +423,19 @@ server:
 # How to do this is specific to your OS.
 #
 # If you give "" no chroot is performed. The path must not end in a /.
- # chroot: "/var/unbound"
+ # chroot: "@UNBOUND_CHROOT_DIR@"
 # if given, user privileges are dropped (after binding port),
 # and the given username is assumed. Default is user "unbound".
 # If you give "" no privileges are dropped.
- # username: "unbound"
+ # username: "@UNBOUND_USERNAME@"
 # the working directory. The relative files in this config are
 # relative to this directory. If you give "" the working directory
 # is not changed.
 # If you give a server: directory: dir before include: file statements
 # then those includes can be relative to the working directory.
- # directory: "/var/unbound"
+ # directory: "@UNBOUND_RUN_DIR@"
 # the log file, "" means log to stderr.
 # Use of this option sets use-syslog to "no".
@@ -441,6 +463,9 @@ server:
 # filtering log-queries and log-replies from the log.
 # log-tag-queryreply: no
+ # log with destination address, port and type for log-replies.
+ # log-destaddr: no
+
 # log the local-zone actions, like local-zone type inform is enabled
 # also for the other local zone types.
 # log-local-actions: no
@@ -449,7 +474,7 @@ server:
 # log-servfail: no
 # the pid file. Can be an absolute path outside of chroot/work dir.
- # pidfile: "/var/unbound/unbound.pid"
+ # pidfile: "@UNBOUND_PIDFILE@"
 # file to read root hints from.
 # get one from https://www.internic.net/domain/named.cache
@@ -615,7 +640,7 @@ server:
 # And then enable the auto-trust-anchor-file config item.
 # Please note usage of unbound-anchor root anchor is at your own risk
 # and under the terms of our LICENSE (see that file in the source).
- # auto-trust-anchor-file: "/var/unbound/root.key"
+ # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
 # trust anchor signaling sends a RFC8145 key tag query after priming.
 # trust-anchor-signaling: yes
@@ -983,6 +1008,13 @@ server:
 # if 0(default) it is disabled, otherwise states qps allowed per ip address
 # ip-ratelimit: 0
+ # global query ratelimit for all ip addresses with a valid DNS Cookie.
+ # feature is experimental.
+ # if 0(default) it is disabled, otherwise states qps allowed per ip address
+ # useful in combination with 'allow_cookie'.
+ # If used, suggested to be higher than ip-ratelimit, tenfold.
+ # ip-ratelimit-cookie: 0
+
 # ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
 # ip-ratelimit-size: 4m
 # ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
@@ -1004,6 +1036,14 @@ server:
 # the number of servers that will be used in the fast server selection.
 # fast-server-num: 3
+ # reply to requests containing DNS Cookies as specified in RFC 7873 and RFC 9018.
+ # answer-cookie: no
+
+ # secret for DNS Cookie generation.
+ # useful for anycast deployments.
+ # example value "000102030405060708090a0b0c0d0e0f".
+ # cookie-secret: <128 bit random hex string>
+
 # Enable to attach Extended DNS Error codes (RFC8914) to responses.
 # ede: no
@@ -1056,7 +1096,7 @@ server:
 # o and give a python-script to run.
 python:
 # Script file to load
- # python-script: "/var/unbound/ubmodule-tst.py"
+ # python-script: "@UNBOUND_SHARE_DIR@/ubmodule-tst.py"
 # Dynamic library config section. To enable:
 # o use --with-dynlibmodule to configure before compiling.
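Review bot: The added `cookie-secret` block in the hunk at -1004,6 +1036,14 prints a concrete value, `000102030405060708090a0b0c0d0e0f`, directly above the option, and nothing tells the reader not to reuse it. The same file ties `allow_cookie`, `ip-ratelimit-cookie` and the `wait-limit-cookie` settings to a valid cookie. A deployment whose secret is a published constant would therefore extend those relaxed limits to cookies that anyone can compute, which is what the cookie check is meant to prevent. I would add a line such as `# never reuse the example value; generate a fresh random 128-bit secret per deployment` and a second one noting that the config file then holds key material and should be readable only by the unbound user. Leaving the option commented out unless several servers must share a secret looks like the safer default for this image, though how unbound picks a secret when none is set is not shown here.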
@@ -1067,7 +1107,7 @@ python:
 # the module-config then you need one dynlib-file per instance.
 dynlib:
 # Script file to load
- # dynlib-file: "/var/unbound/dynlib.so"
+ # dynlib-file: "@UNBOUND_SHARE_DIR@/dynlib.so"
 # Remote control config section.
 remote-control:
@@ -1090,16 +1130,16 @@ remote-control:
 # control-use-cert: "yes"
 # Unbound server key file.
- # server-key-file: "/var/unbound/unbound_server.key"
+ # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
 # Unbound server certificate file.
- # server-cert-file: "/var/unbound/unbound_server.pem"
+ # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem"
 # unbound-control key file.
- # control-key-file: "/var/unbound/unbound_control.key"
+ # control-key-file: "@UNBOUND_RUN_DIR@/unbound_control.key"
 # unbound-control certificate file.
- # control-cert-file: "/var/unbound/unbound_control.pem"
+ # control-cert-file: "@UNBOUND_RUN_DIR@/unbound_control.pem"
 # Stub zones.
 # Create entries like below, to make all queries for 'example.com' and
@@ -1150,7 +1190,7 @@ remote-control:
 # sources of notifies.
 # auth-zone:
 # name: "."
-# primary: 199.9.14.201 # b.root-servers.net
+# primary: 170.247.170.2 # b.root-servers.net
 # primary: 192.33.4.12 # c.root-servers.net
 # primary: 199.7.91.13 # d.root-servers.net
 # primary: 192.5.5.241 # f.root-servers.net
@@ -1158,7 +1198,7 @@ remote-control:
 # primary: 193.0.14.129 # k.root-servers.net
 # primary: 192.0.47.132 # xfr.cjr.dns.icann.org
 # primary: 192.0.32.132 # xfr.lax.dns.icann.org
-# primary: 2001:500:200::b # b.root-servers.net
+# primary: 2801:1b8:10::b # b.root-servers.net
 # primary: 2001:500:2::c # c.root-servers.net
 # primary: 2001:500:2d::d # d.root-servers.net
 # primary: 2001:500:2f::f # f.root-servers.net
@@ -1228,6 +1268,9 @@ remote-control:
 # secret-seed: "default"
 # # if the backend should be read from, but not written to.
 # cachedb-no-store: no
+# # if the cachedb should be checked before a serve-expired response is
+# # given, when serve-expired is enabled.
+# cachedb-check-when-serve-expired: yes
 #
 # # For "redis" backend:
 # # (to enable, use --with-libhiredis to configure before compiling)
@@ -1266,7 +1309,7 @@ remote-control:
 # dnstap-enable: no
 # # if set to yes frame streams will be used in bidirectional mode
 # dnstap-bidirectional: yes
-# dnstap-socket-path: ""
+# dnstap-socket-path: "@DNSTAP_SOCKET_PATH@"
 # # if "" use the unix socket in dnstap-socket-path, otherwise,
 # # set it to "IPaddress[@port]" of the destination.
 # dnstap-ip: ""