Verified Commit 9392f7c4 authored by Jan Pavlinec's avatar Jan Pavlinec

unbound: add upstream patches

parent 858efdf9
......@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.9.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.unbound.net/downloads
OpenWrt (modification):
Patch the default configuration file with the tiny memory
configuration example from Unbound documentation. This is the best
starting point for embedded routers if one is not going to use UCI.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
# verbosity number, 0 is least verbose. 1 is default.
verbosity: 1
+ ############################################################################
+ # MEMORY CONTROL EXAMPLE
+ # In the example config settings below memory usage is reduced. Some ser-
+ # vice levels are lower, notable very large data and a high TCP load are
+ # no longer supported ... are exceptional for the DNS.
+ # (http://unbound.net/documentation/unbound.conf.html)
+ ############################################################################
+
+ # Self jail Unbound with user "unbound" to /var/lib/unbound
+ # The script /etc/init.d/unbound will setup the location
+ username: "unbound"
+ directory: "/var/lib/unbound"
+ chroot: "/var/lib/unbound"
+
+ # The pid file is created before privleges drop so no concern
+ pidfile: "/var/run/unbound.pid"
+
+ # no threads and no memory slabs for threads
+ num-threads: 1
+ msg-cache-slabs: 1
+ rrset-cache-slabs: 1
+ infra-cache-slabs: 1
+ key-cache-slabs: 1
+
+ # don't be picky about interfaces but consider your firewall
+ interface: 0.0.0.0
+ interface: ::0
+ access-control: 0.0.0.0/0 allow
+ access-control: ::0/0 allow
+
+ # this limits TCP service but uses less buffers
+ outgoing-num-tcp: 1
+ incoming-num-tcp: 1
+
+ # use somewhat higher port numbers versus possible NAT issue
+ outgoing-port-permit: "10240-65335"
+
+ # uses less memory but less performance
+ outgoing-range: 60
+ num-queries-per-thread: 30
+
+ # exclude large responses
+ msg-buffer-size: 8192
+
+ # tiny memory cache
+ infra-cache-numhosts: 200
+ msg-cache-size: 100k
+ rrset-cache-size: 100k
+ key-cache-size: 100k
+ neg-cache-size: 10k
+
+ # gentle on recursion
+ target-fetch-policy: "2 1 0 0 0 0"
+ harden-large-queries: yes
+ harden-short-bufsize: yes
+
+ # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+ # -anchor-file:" The init script will copy root key to /var/lib/unbound.
+ # See package documentation for crontab entry to copy RFC5011 results back.
+ #module-config: "validator iterator"
+ #auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+ # DNSSEC needs real time to validate signatures. If your device does not
+ # have power off clock (reboot), then you may need this work around.
+ #domain-insecure: "pool.ntp.org"
+
+ ############################################################################
+ # Resume Stock example.conf.in
+ ############################################################################
+
# print statistics to the log (for every thread) every N seconds.
# Set to "" or 0 to disable. Default is disabled.
# statistics-interval: 0
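Review bot: `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow` (lines 50-51), together with `interface: 0.0.0.0` and `interface: ::0` just above them, make this example an open recursive resolver on every interface unless the router's firewall blocks port 53 from the WAN side; the comment "consider your firewall" is the only safeguard, and the patch description presents this as the starting configuration for embedded routers. Since the stock example only admits loopback, a safer default here is to refuse everything and allow only loopback and the private ranges the router serves, keeping the interface lines as they are. The upper bound in `outgoing-port-permit: "10240-65335"` may also be a transposition of 65535; worth confirming against the documentation example it was copied from, and the `privleges` typo in the pidfile comment could be fixed in the same pass.
```conf
	# … unchanged: interface: lines above …
	# refuse by default; allow only loopback and the LAN ranges this router serves
	access-control: 0.0.0.0/0 refuse
	access-control: ::0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::1 allow
	access-control: 10.0.0.0/8 allow
	access-control: 172.16.0.0/12 allow
	access-control: 192.168.0.0/16 allow
	access-control: fc00::/7 allow
```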
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1049,10 +1049,10 @@ void* outgoing_ssl_fd(void* sslctx, int
static lock_basic_type *ub_openssl_locks = NULL;
/** callback that gets thread id for openssl */
-static unsigned long
-ub_crypto_id_cb(void)
+static void
+ub_crypto_id_cb(CRYPTO_THREADID *id)
{
- return (unsigned long)log_thread_get();
+ CRYPTO_THREADID_set_numeric(id, (unsigned long)log_thread_get());
}
static void
@@ -1078,7 +1078,7 @@ int ub_openssl_lock_init(void)
for(i=0; i<CRYPTO_num_locks(); i++) {
lock_basic_init(&ub_openssl_locks[i]);
}
- CRYPTO_set_id_callback(&ub_crypto_id_cb);
+ CRYPTO_THREADID_set_callback(&ub_crypto_id_cb);
CRYPTO_set_locking_callback(&ub_crypto_lock_cb);
#endif /* OPENSSL_THREADS */
return 1;
@@ -1090,7 +1090,7 @@ void ub_openssl_lock_delete(void)
int i;
if(!ub_openssl_locks)
return;
- CRYPTO_set_id_callback(NULL);
+ CRYPTO_THREADID_set_callback(NULL);
CRYPTO_set_locking_callback(NULL);
for(i=0; i<CRYPTO_num_locks(); i++) {
lock_basic_destroy(&ub_openssl_locks[i]);
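Review bot: The move from `CRYPTO_set_id_callback` to `CRYPTO_THREADID_set_callback` in ub_openssl_lock_init and ub_openssl_lock_delete is unconditional, so the file now requires an OpenSSL that provides the CRYPTO_THREADID API (1.0.0 and later); the only guard visible is `#endif /* OPENSSL_THREADS */`, so if the package can still be built against an older library a configure test or an `OPENSSL_VERSION_NUMBER` check around the new calls would keep that path compiling. On OpenSSL 1.1.0 and newer these callbacks are, as far as I recall, compatibility no-ops because the library locks internally, which suggests the whole block should already be limited to the older versions — worth confirming in the part of ub_openssl_lock_init that starts outside the hunk. The comment on the callback should follow its new contract, e.g. `/** callback that stores the current thread id into the CRYPTO_THREADID for openssl */`, since it no longer returns the id. Both functions start outside their hunks.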
Index: daemon/remote.c
===================================================================
--- a/daemon/remote.c (revision 5105)
+++ b/daemon/remote.c (working copy)
@@ -1987,7 +1987,7 @@
return NULL;
}
} else {
-#ifndef HAVE_SSL_SET1_HOST
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", todo);
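Review bot: The widened condition on line 137 only silences the "no name verification functionality" error when HAVE_X509_VERIFY_PARAM_SET1_HOST is defined; whether the TLS setup code actually calls X509_VERIFY_PARAM_set1_host on that build path is not in this hunk, and if it does not, a configured auth_name would be accepted with neither hostname verification nor a log line saying so. Please confirm the matching change in the connection code is part of the same upstream patch. The identical condition is repeated in iter_fwd.c (line 150) and iter_hints.c (line 163); expressing it once in config.h or a shared header as a single feature macro (name to be chosen by the project) and testing that macro at the three sites would keep them from drifting apart. The enclosing functions start and end outside these hunks.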
Index: iterator/iter_fwd.c
===================================================================
--- a/iterator/iter_fwd.c (revision 5105)
+++ b/iterator/iter_fwd.c (working copy)
@@ -239,7 +239,7 @@
s->name, p->str);
return 0;
}
-#ifndef HAVE_SSL_SET1_HOST
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(tls_auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);
Index: iterator/iter_hints.c
===================================================================
--- a/iterator/iter_hints.c (revision 5105)
+++ b/iterator/iter_hints.c (working copy)
@@ -252,7 +252,7 @@
s->name, p->str);
return 0;
}
-#ifndef HAVE_SSL_SET1_HOST
+#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST)
if(auth_name)
log_err("no name verification functionality in "
"ssl library, ignored name for %s", p->str);