[Buildroot] [PATCH] unbound: new package

Floris Bos bos at je-eigen-domein.nl
Mon Sep 15 23:20:48 UTC 2014


Hi,

On 09/15/2014 10:46 PM, Eric Le Bihan wrote:
> This package provides Unbound, a validating, recursive, and caching DNS
> resolver.

Nice addition.
We're an unbound user as well, but never got around to submitting our 
local package, and I know unbound has some odd issues.


Some points:

- Unbound (at least when using your package with sysv) currently creates 
a pid file in /etc/unbound/unbound.pid.
I suggest changing that to /var/run/unbound.pid, so it also works on 
read-only file systems.

- Unbound is currently broken when IPv6 is disabled in the buildroot 
configuration.

It listens on both 127.0.0.1 and ::1 by default, and errors out on ::1:

==
unbound[118:0] error: node ::1:53 getaddrinfo: ai_family not supported
[13] unbound[118:0] fatal error: could not open ports
FAIL
==

You can override the default by specifying "interface: 127.0.0.1" in 
unbound.conf, but then it errors out on:

==
"error: cannot parse access control: ::0/0 refuse"
==

Don't know how to override that internal ACL rule.
Might need to let the package depend on IPv6.


- Unbound is typically used as a local resolving nameserver.
I was wondering if the startup script shouldn't put "nameserver 
127.0.0.1" in /etc/resolv.conf
Possibly with an option to turn that off by a setting in 
/etc/default/unbound

- Unbound expects /etc/unbound to be owned by user unbound.
Otherwise, if you enable DNSSEC by uncommenting the "auto-trust-anchor-file" 
line in /etc/unbound/unbound.conf, you get errors that it is unable to 
create files:

==
error: could not open autotrust file for writing, /root.key.306-0: 
Permission denied
==

- I also wonder if there shouldn't be an option to let the startup 
script run unbound-anchor prior to starting the unbound daemon.
This updates the DNSSEC trust anchor files.
(Enabling DNSSEC validation has some caveats though, in particular it 
requires the system to have correct date/time settings, so should be 
left disabled by default)

> +NAME=nsd

nsd -> unbound

> +UNBOUND_DEPENDENCIES = expat libevent openssl

libevent is an optional dependency. (I don't have it in my local package.)

> +++ b/package/unbound/S80unbound

- Wondering if S80unbound shouldn't be a lower number like S41 for 
systems that intend to use it as local resolver.
So that other services like S49ntp can use it to resolve pool.ntp.org.


Yours sincerely,

Floris Bos
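As an added illustration of the init-script points raised above (pid file on /var/run, optional resolv.conf update and unbound-anchor run controlled from /etc/default/unbound, S41 ordering), here is a sketch of the start path such a script could take. It is example code written for this reply, not the patch under review; the variable names, file paths and the layout of /etc/default/unbound are assumptions.

```shell
#!/bin/sh
# Added example, not the patch under review: sketch of an S41unbound
# init script start path covering the points above. Variable and file
# names are assumptions; paths can be overridden for testing.
UNBOUND_DEFAULTS="${UNBOUND_DEFAULTS:-/etc/default/unbound}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
PIDFILE="${PIDFILE:-/var/run/unbound.pid}"  # must match pidfile: in unbound.conf
UNBOUND_CONF="${UNBOUND_CONF:-/etc/unbound/unbound.conf}"

# Defaults that /etc/default/unbound may override (assumed names).
UNBOUND_SET_RESOLV_CONF=yes  # write "nameserver 127.0.0.1" to resolv.conf
UNBOUND_RUN_ANCHOR=no        # run unbound-anchor before the daemon
[ -r "$UNBOUND_DEFAULTS" ] && . "$UNBOUND_DEFAULTS"

# Point the system resolver at unbound. Previous nameserver lines are
# kept commented out so they can be restored if unbound is disabled.
set_local_resolver() {
    conf="${1:-$RESOLV_CONF}"
    [ "$UNBOUND_SET_RESOLV_CONF" = "yes" ] || return 0
    grep -q '^nameserver 127\.0\.0\.1$' "$conf" 2>/dev/null && return 0
    {
        echo "nameserver 127.0.0.1"
        if [ -f "$conf" ]; then
            sed 's/^nameserver /#nameserver /' "$conf"
        fi
    } > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Refresh the DNSSEC root trust anchor. Off by default: it needs a
# correct clock and network, and must run before resolv.conf is switched
# so the download can still use the upstream resolver. A non-zero exit
# from unbound-anchor means the anchor was updated, not a failure.
refresh_trust_anchor() {
    [ "$UNBOUND_RUN_ANCHOR" = "yes" ] || return 0
    unbound-anchor -a /etc/unbound/root.key || true
}

start() {
    refresh_trust_anchor
    start-stop-daemon -S -q -p "$PIDFILE" --exec /usr/sbin/unbound \
        -- -c "$UNBOUND_CONF"
    set_local_resolver
}
stop() { start-stop-daemon -K -q -p "$PIDFILE"; }

case "$1" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
esac
```

Setting UNBOUND_SET_RESOLV_CONF=no in /etc/default/unbound leaves resolv.conf untouched, and the resolv.conf rewrite is idempotent across restarts.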


