From patchwork Sun Mar 29 18:00:16 2020
X-Patchwork-Submitter: Stefan Ott
X-Patchwork-Id: 1263520
From: Stefan Ott
To: buildroot@buildroot.org
Date: Sun, 29 Mar 2020 20:00:16 +0200
Message-Id: <20200329180016.9292-1-stefan@ott.net>
Subject: [Buildroot] [PATCH v2] unbound: new package

Unbound: validating, recursive & caching DNS resolver with DNSSEC, QNAME minimisation, DNSCrypt and DNS-over-TLS support.

Signed-off-by: Stefan Ott
---
Changes v1 -> v2:
- Fix indentation in Config.in
- Fix spelling in Config.in sub-option
- Remodel init script based on busybox/S01syslogd
- Fix syntax in unbound.mk
- Remove explicit --enable-relro-now, --with-pic and --enable-pie options
- Exclude package from systems with static libraries (it won't compile there)
- Only enable threads on systems with support for NPTL

DEVELOPERS | 3 ++ package/Config.in | 1 + package/unbound/Config.in | 35 ++++++++++++++++++++++++ package/unbound/S70unbound | 52 +++++++++++++++++++++++++++++++++++ package/unbound/unbound.hash | 3 ++ package/unbound/unbound.mk | 53 ++++++++++++++++++++++++++++++++++++ 6 files changed, 147 insertions(+) create mode 100644 package/unbound/Config.in create mode 100644 package/unbound/S70unbound create mode 100644 package/unbound/unbound.hash create mode 100644 package/unbound/unbound.mk diff --git a/DEVELOPERS b/DEVELOPERS index 4a43ca420d..f81ef07456 100644 --- a/DEVELOPERS +++ b/DEVELOPERS @@ -2354,6 +2354,9 @@ F: package/libvpx/ F: package/mesa3d-demos/ F: package/ti-gfx/ +N: Stefan Ott +F: package/unbound/ + N: Stefan Sørensen F: package/cracklib/ F: package/libpwquality/ diff --git a/package/Config.in b/package/Config.in index 7b73198d50..8eb71ec5c3 100644 --- a/package/Config.in +++ b/package/Config.in 
@@ -2195,6 +2195,7 @@ endif source "package/uftp/Config.in" source "package/uhttpd/Config.in" source "package/ulogd/Config.in" + source "package/unbound/Config.in" source "package/ushare/Config.in" source "package/ussp-push/Config.in" source "package/vde2/Config.in" diff --git a/package/unbound/Config.in b/package/unbound/Config.in new file mode 100644 index 0000000000..2d4ebed257 --- /dev/null +++ b/package/unbound/Config.in @@ -0,0 +1,35 @@ +config BR2_PACKAGE_UNBOUND + bool "unbound" + select BR2_PACKAGE_EXPAT + select BR2_PACKAGE_LIBEVENT + select BR2_PACKAGE_OPENSSL + depends on !BR2_STATIC_LIBS + help + Unbound is a validating, recursive, and caching DNS resolver. + It supports DNSSEC, QNAME minimisation, DNS-over-TLS and + DNSCrypt. + + https://www.unbound.net + +if BR2_PACKAGE_UNBOUND +config BR2_PACKAGE_UNBOUND_DNSCRYPT + bool "enable DNSCrypt" + select BR2_PACKAGE_LIBSODIUM + help + DNSCrypt wraps unmodified DNS queries between a client and + a DNS resolver. Default port used is 443 and like with + normal unencrypted DNS, it uses UDP first and falling back + to TCP if response too large. + + There is also DNS-over-TLS, a TCP only version + of proposed standard for DNS encryption (RFC 7858). + Default port for DNS-over-TLS is 853 and Unbound has + built-in support for it. + + https://tools.ietf.org/html/rfc7858 + + Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI. + Here is some suggestions how to handle SNI encryption: + + https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00 +endif diff --git a/package/unbound/S70unbound b/package/unbound/S70unbound new file mode 100644 index 0000000000..cb722ce283 --- /dev/null +++ b/package/unbound/S70unbound 
@@ -0,0 +1,52 @@ +#!/bin/sh + +DAEMON="unbound" +PIDFILE="/var/run/$DAEMON.pid" + +UNBOUND_ARGS="" + +# shellcheck source=/dev/null +[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON" + +start() { + printf 'Starting %s: ' "$DAEMON" + start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \ + -- $UNBOUND_ARGS + status=$? + if [ "$status" -eq 0 ]; then + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +stop() { + printf 'Stopping %s: ' "$DAEMON" + start-stop-daemon -K -q -p "$PIDFILE" + status=$? + if [ "$status" -eq 0 ]; then + rm -f "$PIDFILE" + echo "OK" + else + echo "FAIL" + fi + return "$status" +} + +restart() { + stop + sleep 1 + start +} + +case "$1" in + start|stop|restart) + "$1";; + reload) + # Restart, since there is no true "reload" feature. + restart;; + *) + echo "Usage: $0 {start|stop|restart|reload}" + exit 1 +esac diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash new file mode 100644 index 0000000000..11626d0b6f --- /dev/null +++ b/package/unbound/unbound.hash @@ -0,0 +1,3 @@ +# Locally calculated +sha256 152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955 unbound-1.10.0.tar.gz +sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db LICENSE diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk new file mode 100644 index 0000000000..937165eca7 --- /dev/null +++ b/package/unbound/unbound.mk 
@@ -0,0 +1,53 @@ +################################################################################ +# +# unbound +# +################################################################################ + +UNBOUND_VERSION = 1.10.0 +UNBOUND_SITE = https://www.unbound.net/downloads +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl +UNBOUND_LICENSE = BSD-3-Clause +UNBOUND_LICENSE_FILES = LICENSE +UNBOUND_CONF_OPTS = \ + --disable-rpath \ + --disable-debug \ + --with-conf-file=/etc/unbound/unbound.conf \ + --with-pidfile=/var/run/unbound.pid \ + --with-rootkey-file=/etc/unbound/root.key \ + --enable-tfo-server \ + --with-ssl=$(STAGING_DIR)/usr + +# uClibc-ng does not have MSG_FASTOPEN +# so TCP Fast Open client mode disabled for it +ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y) +UNBOUND_CONF_OPTS += --disable-tfo-client +else +UNBOUND_CONF_OPTS += --enable-tfo-client +endif + +ifeq ($(BR2_TOOLCHAIN_HAS_THREADS_NPTL),y) +UNBOUND_CONF_OPTS += --with-pthreads +else +UNBOUND_CONF_OPTS += --without-pthreads +endif + +ifeq ($(BR2_GCC_ENABLE_LTO),y) +UNBOUND_CONF_OPTS += --enable-flto +else +UNBOUND_CONF_OPTS += --disable-flto +endif + +ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y) +UNBOUND_CONF_OPTS += --enable-dnscrypt +UNBOUND_DEPENDENCIES += libsodium +else +UNBOUND_CONF_OPTS += --disable-dnscrypt +endif + +define UNBOUND_INSTALL_INIT_SYSV + $(INSTALL) -D -m 755 package/unbound/S70unbound \ + $(TARGET_DIR)/etc/init.d/S70unbound +endef + +$(eval $(autotools-package))
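
Review bot: In package/unbound/Config.in, `depends on !BR2_STATIC_LIBS` on BR2_PACKAGE_UNBOUND has no matching `comment` entry, so on a static-only toolchain the package disappears from menuconfig with no explanation. Add a `comment "unbound needs a toolchain w/ dynamic library"` guarded by `depends on BR2_STATIC_LIBS`, and move the `depends on` line ahead of the three `select` lines. The help text of BR2_PACKAGE_UNBOUND_DNSCRYPT also spends most of its length on DNS-over-TLS and SNI, which this option does not control; trimming it to what the option adds (DNSCrypt support and the libsodium dependency) would also remove the "Neither DNSCrypt or" and "Here is some suggestions" wording.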
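
Review bot: In package/unbound/S70unbound, stop() runs `start-stop-daemon -K -q -p "$PIDFILE"` without `-x`, so after an unclean exit a stale pidfile can cause the signal to go to an unrelated process that has reused the PID. Pass `-x "/usr/sbin/$DAEMON"` on the `-K` call, as start() already does on `-S`, so the executable is checked before anything is signalled.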
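
Review bot: In package/unbound/unbound.hash, the only provenance for the unbound-1.10.0.tar.gz digest is `# Locally calculated`, which ties the hash to whatever the submitter happened to download rather than to anything upstream vouches for. If upstream publishes a checksum or a signature next to the tarball under UNBOUND_SITE, verify against it and say so in the comment (for example the URL of the published sha256, or that the PGP signature was checked), keeping "Locally calculated" only for the LICENSE line.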
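
Review bot: In package/unbound/unbound.mk, `--with-rootkey-file=/etc/unbound/root.key` names a DNSSEC trust anchor that nothing in this file installs; the only install hook is UNBOUND_INSTALL_INIT_SYSV, which copies S70unbound. For a package described as a validating resolver, either install or generate the anchor in a target install hook, or state in the Config.in help that the user must provide it. The file also defines no UNBOUND_USERS, so there is no dedicated account on the target if the daemon is expected to drop root after start.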