authorEric Luehrsen <ericluehrsen@hotmail.com>2018-05-28 22:46:07 -0400
committerEric Luehrsen <ericluehrsen@hotmail.com>2018-05-28 23:32:12 -0400
commit36e1aa089255eb481125a3455f4e958b3b1ba4f3 (patch)
treec0d748e7d0189f8317f53ea9902c43bbeebcabc0 /net/unbound/files
parentcdeefec73e9e70a7180c9fb5a337bdefbe34e5b1 (diff)
unbound: add root zone file cache option
Add the possibility to use Unbound auto-zone: clause to fetch complete root, arpa, in-addr.arpa, and ip6.arpa zone files. This can speed up recursion when users access many ccTLD or connection logging hits many PTR. Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Diffstat (limited to 'net/unbound/files')
-rw-r--r--net/unbound/files/README.md5
-rw-r--r--net/unbound/files/unbound.sh54
-rw-r--r--net/unbound/files/unbound.uci1
3 files changed, 52 insertions, 8 deletions
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index fe8305dce..4e81162f8 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -225,6 +225,11 @@ config unbound
Boolean. Skip all this UCI nonsense. Manually edit the
configuration. Make changes to /etc/unbound/unbound.conf.
+ option prefetch_root '0'
+ Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
+ "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
+ servers using http or AXFR (gTLD are unfortunately not as public).
+
option protocol 'mixed'
Unbound can limit its protocol used for recursive queries.
ip4_only - limit issues if you do not have native IPv6
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 696cb3753..2fda84e86 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
+UNBOUND_B_AUTH_ROOT=0
UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
@@ -605,6 +606,45 @@ unbound_forward() {
##############################################################################
+unbound_auth_root() {
+ local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+ local httpserver="http://www.internic.net/domain/"
+ local authzones="root arpa in-addr.arpa ip6.arpa"
+ local server zone realzone
+ # Download or AXFR the root and arpa zones to reduce the work needed at
+ # top level of recursion. If your users will hit many ccTLD or you have
+ # tracking logs resolving many PTR, then this can speed things up.
+ # Total size of text in TMPFS could be about 5MB.
+
+
+ if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
+ for zone in $authzones ; do
+ if [ "$zone" = "root" ] ; then
+ realzone="."
+ else
+ realzone=$zone
+ fi
+
+
+ {
+ echo "auth-zone:"
+ echo " name: \"$realzone\""
+ for server in $axfrservers ; do
+ echo " master: \"$server\""
+ done
+ echo " url: \"$httpserver$zone.zone\""
+ echo " fallback-enabled: yes"
+ echo " for-downstream: no"
+ echo " for-upstream: yes"
+ echo " zonefile: \"$zone.zone\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ done
+ fi
+}
+
+##############################################################################
+
unbound_conf() {
local rt_mem rt_conn modulestring domain ifsubnet
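Review bot: The zone data that `unbound_auth_root` configures is fetched over plain `http://www.internic.net/domain/` or unauthenticated AXFR, and `for-upstream: yes` makes Unbound use it in place of answers from the real authorities, so as far as I can tell its integrity rests entirely on DNSSEC validation; nothing in the hunk ties `UNBOUND_B_AUTH_ROOT` to `UNBOUND_B_DNSSEC`, whose `config_get_bool` default is 0, so with the validator off a tampered download would be served unverified. At minimum the header comment should state this, e.g. `# Zone data arrives unauthenticated (http/AXFR); enable 'validator' so Unbound can verify it via DNSSEC`, or the function could skip emitting the clauses when the validator is disabled and log why. Separately, the redirect on the closing brace is unquoted and should be `} >> "$UNBOUND_CONFFILE"` to avoid word splitting and globbing of the path. The new function is complete within the hunk; `unbound_conf()` that follows continues outside it.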
@@ -1086,6 +1126,7 @@ unbound_uci() {
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QUERY_MIN "$cfg" query_minimize 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
+ config_get_bool UNBOUND_B_AUTH_ROOT "$cfg" prefetch_root 0
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
@@ -1181,7 +1222,7 @@ unbound_uci() {
##############################################################################
-_resolv_setup() {
+unbound_resolv_setup() {
if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
return
fi
@@ -1210,7 +1251,7 @@ _resolv_setup() {
##############################################################################
-_resolv_teardown() {
+unbound_resolv_teardown() {
case $( cat /tmp/resolv.conf ) in
*"generated by Unbound UCI"*)
# our resolver file, reset to auto resolver file.
@@ -1225,8 +1266,6 @@ _resolv_teardown() {
unbound_start() {
config_load unbound
config_foreach unbound_uci unbound
-
-
unbound_mkdir
@@ -1245,19 +1284,18 @@ unbound_start() {
unbound_forward
+ unbound_auth_root
unbound_control
fi
- _resolv_setup
+ unbound_resolv_setup
}
##############################################################################
unbound_stop() {
- _resolv_teardown
-
-
+ unbound_resolv_teardown
rootzone_update
}
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 2df2d6fa1..fb0f6c887 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -15,6 +15,7 @@ config unbound
option listen_port '53'
option localservice '1'
option manual_conf '0'
+ option prefetch_root '0'
option protocol 'default'
option query_minimize '0'
option query_min_strict '0'