* [Buildroot] [PATCH 1/1] unbound: new package
@ 2018-01-11 23:20 Stefan Fröberg
  2018-01-12  6:41 ` Bernd Kuhls
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Fröberg @ 2018-01-11 23:20 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Stefan Fr?berg <stefan.froberg@petroprogram.com>
---
 DEVELOPERS                   |  1 +
 package/Config.in            |  1 +
 package/unbound/Config.in    | 37 ++++++++++++++++++++++++++++++++
 package/unbound/unbound.hash |  3 +++
 package/unbound/unbound.mk   | 50 ++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 92 insertions(+)
 create mode 100644 package/unbound/Config.in
 create mode 100644 package/unbound/unbound.hash
 create mode 100644 package/unbound/unbound.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 2f7d051e8a..184ce82cec 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1642,6 +1642,7 @@ N:	Stefan Fr?berg <stefan.froberg@petroprogram.com>
 F:	package/elfutils/
 F:	package/libtasn1/
 F:	package/proxychains-ng/
+F:	package/unbound/
 F:	package/yasm/
 F:	package/zlib-ng/
 
diff --git a/package/Config.in b/package/Config.in
index 01f4095be5..f810445e27 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1827,6 +1827,7 @@ endif
 	source "package/udpcast/Config.in"
 	source "package/uhttpd/Config.in"
 	source "package/ulogd/Config.in"
+	source "package/unbound/Config.in"
 	source "package/ushare/Config.in"
 	source "package/ussp-push/Config.in"
 	source "package/vde2/Config.in"
diff --git a/package/unbound/Config.in b/package/unbound/Config.in
new file mode 100644
index 0000000000..07e4fa39f2
--- /dev/null
+++ b/package/unbound/Config.in
@@ -0,0 +1,37 @@
+config BR2_PACKAGE_UNBOUND
+	bool "unbound"
+	select BR2_PACKAGE_EXPAT
+	select BR2_PACKAGE_LIBEVENT
+	select BR2_PACKAGE_LIBSODIUM if BR2_PACKAGE_UNBOUND_DNSCRYPT
+	depends on BR2_PACKAGE_OPENSSL
+	help
+	  Unbound is a validating, recursive, and caching DNS resolver.
+	  It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
+	  DNSCrypt.
+
+	  https://www.unbound.net
+
+if BR2_PACKAGE_UNBOUND
+
+config BR2_PACKAGE_UNBOUND_DNSCRYPT
+	bool "Enable DNSCrypt"
+	help
+	  DNSCrypt wraps unmodified DNS queries between a client and
+	  a DNS resolver. Default port used is 443 and like with
+	  normal unencrypted DNS, it uses UDP first and falling back
+	  to TCP if response too large.
+
+	  There is also DNS-over-TLS, a TCP only version
+	  of proposed standard for DNS encryption (RFC 7858).
+	  Default port for DNS-over-TLS is 853 and Unbound has
+	  built-in support for it.
+
+	  https://tools.ietf.org/html/rfc7858
+
+	  Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
+	  Here is some suggestions how to handle SNI encryption:
+
+	  https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
+
+endif
+
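Review bot: The help text under `BR2_PACKAGE_UNBOUND_DNSCRYPT` never says what enabling the option changes, and half of it describes DNS-over-TLS, which this symbol does not control. As far as I know Unbound's DNSCrypt support is server-side (it lets Unbound answer DNSCrypt clients) and does not encrypt Unbound's own upstream queries, so a user could enable it expecting protection it does not provide. A first help line such as `Build Unbound with DNSCrypt server support (requires libsodium).` would make that explicit. The SNI note is also misleading for DNSCrypt, which is not a TLS protocol and carries no SNI; it should be dropped or restricted to DNS-over-TLS.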
diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash
new file mode 100644
index 0000000000..5f2183897e
--- /dev/null
+++ b/package/unbound/unbound.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256	4e7bd43d827004c6d51bef73adf941798e4588bdb40de5e79d89034d69751c9f  unbound-1.6.7.tar.gz
+sha256	8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db  LICENSE
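Review bot: `# Locally calculated` does not say whether the tarball digest was checked against anything upstream publishes, so the hash only pins whatever was downloaded on the submitter's machine. If upstream's download directory carries a detached signature or a published SHA-256 for this tarball, the header should record that, e.g. `# Locally calculated after checking pgp signature` followed by the signature URL, or `# From <upstream .sha256 URL>`. The LICENSE line can stay under a separate `# Locally calculated` comment.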
diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
new file mode 100644
index 0000000000..3c6f4ac895
--- /dev/null
+++ b/package/unbound/unbound.mk
@@ -0,0 +1,50 @@
+################################################################################
+#
+# unbound
+#
+################################################################################
+
+UNBOUND_VERSION = 1.6.7
+UNBOUND_SOURCE = unbound-$(UNBOUND_VERSION).tar.gz
+UNBOUND_SITE = https://www.unbound.net/downloads
+UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
+UNBOUND_LICENSE = BSD
+UNBOUND_LICENSE_FILES = LICENSE
+UNBOUND_CONF_OPTS += --disable-rpath \
+		     --disable-debug \
+		     --with-conf-file=/etc/unbound/unbound.conf \
+		     --with-pidfile=/var/run/unbound.pid \
+		     --with-rootkey-file=/etc/unbound/root.key \
+		     --enable-tfo-server \
+		     --enable-relro-now \
+		     --with-pic \
+		     --enable-pie
+
+# uClibc-ng does not have MSG_FASTOPEN
+# so TCP Fast Open client mode disabled for it
+ifeq ($(BR2_TOOLCHAIN_BUILDROOT_UCLIBC),y)
+UNBOUND_CONF_OPTS += --disable-tfo-client
+else
+UNBOUND_CONF_OPTS += --enable-tfo-client
+endif
+
+ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+UNBOUND_CONF_OPTS += --with-pthreads
+else
+UNBOUND_CONF_OPTS += --without-pthreads
+endif
+
+ifeq ($(BR2_GCC_ENABLE_LTO),y)
+UNBOUND_CONF_OPTS += --enable-flto
+else
+UNBOUND_CONF_OPTS += --disable-flto
+endif
+
+ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y)
+UNBOUND_CONF_OPTS += --enable-dnscrypt
+UNBOUND_DEPENDENCIES += libsodium
+else
+UNBOUND_CONF_OPTS += --disable-dnscrypt
+endif
+
+$(eval $(autotools-package))
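Review bot: The package points Unbound at `/etc/unbound/unbound.conf`, `/var/run/unbound.pid` and `/etc/unbound/root.key`, but nothing in this file creates the unprivileged account the daemon drops to or the DNSSEC trust anchor it validates against. Unbound's configure defaults the run-as user to `unbound` as far as I know, so without a `UNBOUND_USERS` definition (for example the line `unbound -1 unbound -1 * - - - unbound daemon` between `define UNBOUND_USERS` and `endef`) the daemon would presumably either refuse to start or end up configured to stay root. `root.key` is likewise neither installed nor generated here, and if it is used as an auto-updating anchor it has to live somewhere Unbound can write, which `/etc` on a read-only root filesystem is not; a comment stating how the anchor is expected to be provisioned would help. Both points apply equally to the 1.10.0 version of unbound.mk quoted later in this thread.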
-- 
2.13.6


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-11 23:20 [Buildroot] [PATCH 1/1] unbound: new package Stefan Fröberg
@ 2018-01-12  6:41 ` Bernd Kuhls
  2018-01-12 10:34   ` Stefan Fröberg
  2018-01-12 10:45   ` Stefan Fröberg
  0 siblings, 2 replies; 14+ messages in thread
From: Bernd Kuhls @ 2018-01-12  6:41 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

Am Fri, 12 Jan 2018 01:20:39 +0200 schrieb Stefan Fr?berg:

> diff --git a/package/unbound/Config.in b/package/unbound/Config.in
> new file mode 100644
> index 0000000000..07e4fa39f2
> --- /dev/null
> +++ b/package/unbound/Config.in
> @@ -0,0 +1,37 @@
> +config BR2_PACKAGE_UNBOUND
> +	bool "unbound"
> +	select BR2_PACKAGE_EXPAT
> +	select BR2_PACKAGE_LIBEVENT
> +	select BR2_PACKAGE_LIBSODIUM if BR2_PACKAGE_UNBOUND_DNSCRYPT

parts of this line should be moved inside
"config BR2_PACKAGE_UNBOUND_DNSCRYPT".

> +	depends on BR2_PACKAGE_OPENSSL

Why not "select BR2_PACKAGE_OPENSSL"?
Did you test with libressl as well?

> +	help
> +	  Unbound is a validating, recursive, and caching DNS resolver.
> +	  It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
> +	  DNSCrypt.
> +
> +	  https://www.unbound.net
> +
> +if BR2_PACKAGE_UNBOUND
> +
> +config BR2_PACKAGE_UNBOUND_DNSCRYPT
> +	bool "Enable DNSCrypt"

Add

> +	select BR2_PACKAGE_LIBSODIUM

here.

[...]

> diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
> new file mode 100644
> index 0000000000..3c6f4ac895
> --- /dev/null
> +++ b/package/unbound/unbound.mk
> @@ -0,0 +1,50 @@
> +################################################################################
> +#
> +# unbound
> +#
> +################################################################################
> +
> +UNBOUND_VERSION = 1.6.7
> +UNBOUND_SOURCE = unbound-$(UNBOUND_VERSION).tar.gz

the variable value contains the default, this line can therefore
be removed completely.

> +UNBOUND_SITE = https://www.unbound.net/downloads
> +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
> +UNBOUND_LICENSE = BSD

According to https://spdx.org/licenses/ the value "BSD" does not exist,
afaics the license is "BSD-3-Clause".

> +UNBOUND_LICENSE_FILES = LICENSE
> +UNBOUND_CONF_OPTS += --disable-rpath \
> +		     --disable-debug \
> +		     --with-conf-file=/etc/unbound/unbound.conf \
> +		     --with-pidfile=/var/run/unbound.pid \
> +		     --with-rootkey-file=/etc/unbound/root.key \
> +		     --enable-tfo-server \
> +		     --enable-relro-now \
> +		     --with-pic \
> +		     --enable-pie

Please add
		--with-ssl=$(STAGING_DIR)/usr \

to avoid

checking for SSL... configure: error: Cannot find the SSL libraries in
 /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr

Small nit: I do not like the indentation used, how about something like this?
https://git.buildroot.net/buildroot/tree/package/kodi/kodi.mk#n59

> +# uClibc-ng does not have MSG_FASTOPEN
> +# so TCP Fast Open client mode disabled for it
> +ifeq ($(BR2_TOOLCHAIN_BUILDROOT_UCLIBC),y)
> +UNBOUND_CONF_OPTS += --disable-tfo-client
> +else
> +UNBOUND_CONF_OPTS += --enable-tfo-client
> +endif

An external uClibc toolchain does not define
BR2_TOOLCHAIN_BUILDROOT_UCLIBC:

$ grep UCLIBC .config
BR2_TOOLCHAIN_USES_UCLIBC=y
BR2_TOOLCHAIN_EXTERNAL_UCLIBC=y
BR2_TOOLCHAIN_EXTERNAL_CUSTOM_UCLIBC=y

Better check for BR2_TOOLCHAIN_USES_UCLIBC.

Regards, Bernd


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12  6:41 ` Bernd Kuhls
@ 2018-01-12 10:34   ` Stefan Fröberg
  2018-01-12 10:45   ` Stefan Fröberg
  1 sibling, 0 replies; 14+ messages in thread
From: Stefan Fröberg @ 2018-01-12 10:34 UTC (permalink / raw)
  To: buildroot

Hi Bernd

Okay, I will send a new one soon.

Best Regards
Stefan

Bernd Kuhls kirjoitti 12.01.2018 klo 08:41:
> Hi Stefan,
>
> Am Fri, 12 Jan 2018 01:20:39 +0200 schrieb Stefan Fr?berg:
>
>> diff --git a/package/unbound/Config.in b/package/unbound/Config.in
>> new file mode 100644
>> index 0000000000..07e4fa39f2
>> --- /dev/null
>> +++ b/package/unbound/Config.in
>> @@ -0,0 +1,37 @@
>> +config BR2_PACKAGE_UNBOUND
>> +	bool "unbound"
>> +	select BR2_PACKAGE_EXPAT
>> +	select BR2_PACKAGE_LIBEVENT
>> +	select BR2_PACKAGE_LIBSODIUM if BR2_PACKAGE_UNBOUND_DNSCRYPT
> parts of this line should be moved inside
> "config BR2_PACKAGE_UNBOUND_DNSCRYPT".
>
>> +	depends on BR2_PACKAGE_OPENSSL
> Why not "select BR2_PACKAGE_OPENSSL"?
> Did you test with libressl as well?
>
>> +	help
>> +	  Unbound is a validating, recursive, and caching DNS resolver.
>> +	  It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
>> +	  DNSCrypt.
>> +
>> +	  https://www.unbound.net
>> +
>> +if BR2_PACKAGE_UNBOUND
>> +
>> +config BR2_PACKAGE_UNBOUND_DNSCRYPT
>> +	bool "Enable DNSCrypt"
> Add
>
>> +	select BR2_PACKAGE_LIBSODIUM
> here.
>
> [...]
>
>> diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
>> new file mode 100644
>> index 0000000000..3c6f4ac895
>> --- /dev/null
>> +++ b/package/unbound/unbound.mk
>> @@ -0,0 +1,50 @@
>> +################################################################################
>> +#
>> +# unbound
>> +#
>> +################################################################################
>> +
>> +UNBOUND_VERSION = 1.6.7
>> +UNBOUND_SOURCE = unbound-$(UNBOUND_VERSION).tar.gz
> the variable value contains the default, this line can therefore
> be removed completely.
>
>> +UNBOUND_SITE = https://www.unbound.net/downloads
>> +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
>> +UNBOUND_LICENSE = BSD
> According to https://spdx.org/licenses/ the value "BSD" does not exist,
> afaics the license is "BSD-3-Clause".
>
>> +UNBOUND_LICENSE_FILES = LICENSE
>> +UNBOUND_CONF_OPTS += --disable-rpath \
>> +		     --disable-debug \
>> +		     --with-conf-file=/etc/unbound/unbound.conf \
>> +		     --with-pidfile=/var/run/unbound.pid \
>> +		     --with-rootkey-file=/etc/unbound/root.key \
>> +		     --enable-tfo-server \
>> +		     --enable-relro-now \
>> +		     --with-pic \
>> +		     --enable-pie
> Please add
> 		--with-ssl=$(STAGING_DIR)/usr \
>
> to avoid
>
> checking for SSL... configure: error: Cannot find the SSL libraries in
>  /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr
>
> Small nit: I do not like the idention used, how about something like this?
> https://git.buildroot.net/buildroot/tree/package/kodi/kodi.mk#n59
>
>> +# uClibc-ng does not have MSG_FASTOPEN
>> +# so TCP Fast Open client mode disabled for it
>> +ifeq ($(BR2_TOOLCHAIN_BUILDROOT_UCLIBC),y)
>> +UNBOUND_CONF_OPTS += --disable-tfo-client
>> +else
>> +UNBOUND_CONF_OPTS += --enable-tfo-client
>> +endif
> An external uClibc toolchain does not define
> BR2_TOOLCHAIN_BUILDROOT_UCLIBC:
>
> $ grep UCLIBC .config
> BR2_TOOLCHAIN_USES_UCLIBC=y
> BR2_TOOLCHAIN_EXTERNAL_UCLIBC=y
> BR2_TOOLCHAIN_EXTERNAL_CUSTOM_UCLIBC=y
>
> Better check for BR2_TOOLCHAIN_USES_UCLIBC.
>
> Regards, Bernd
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12  6:41 ` Bernd Kuhls
  2018-01-12 10:34   ` Stefan Fröberg
@ 2018-01-12 10:45   ` Stefan Fröberg
  2018-01-12 11:08     ` Thomas Petazzoni
  1 sibling, 1 reply; 14+ messages in thread
From: Stefan Fröberg @ 2018-01-12 10:45 UTC (permalink / raw)
  To: buildroot

Oh, forgot ...


>> +	depends on BR2_PACKAGE_OPENSSL
> Why not "select BR2_PACKAGE_OPENSSL"?
> Did you test with libressl as well?
>

That cannot be select because it's a choice and if I remember buildroot
manual and
what Thomas said, you can't (or actually shouldn't) select from choice
unless
absolutely necessary (like, for example, in my turbovnc patch...have to
remember update that too...)

But I test with libressl too

Regards
Stefan


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12 10:45   ` Stefan Fröberg
@ 2018-01-12 11:08     ` Thomas Petazzoni
  2018-01-12 14:00       ` Stefan Fröberg
  0 siblings, 1 reply; 14+ messages in thread
From: Thomas Petazzoni @ 2018-01-12 11:08 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 12 Jan 2018 12:45:06 +0200, Stefan Fr?berg wrote:

> > Why not "select BR2_PACKAGE_OPENSSL"?
> > Did you test with libressl as well?
> >  
> 
> That cannot be select because it's a choise and if I remember buildroot
> manual and
> what Thomas said, you can't (or actually shouldn't) select from choice
> unless
> absolutely necessary (like, for example, in my turbovnc patch...have to
> remember update that too...)

It is correct that regular virtual packages cannot be selected.

But openssl (like jpeg) is special, and you can select
BR2_PACKAGE_OPENSSL. BR2_PACKAGE_OPENSSL is not part of a choice.

The case of turbovnc is different: you wanted to select jpeg-turbo
specifically, which is one jpeg implementation. And this is not
possible.

See the difference ? BR2_PACKAGE_OPENSSL is the virtual package itself,
which has two implementations: libopenssl and libressl, selectable
through a choice.

BR2_PACKAGE_JPEG_TURBO is one implementation of the BR2_PACKAGE_JPEG
virtual package. Selecting BR2_PACKAGE_JPEG is OK (just like selecting
BR2_PACKAGE_OPENSSL is OK), but selecting BR2_PACKAGE_JPEG_TURBO
doesn't work.

So Bernd is totally correct: you should select BR2_PACKAGE_OPENSSL. See
how many packages are already doing this today :-)

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12 11:08     ` Thomas Petazzoni
@ 2018-01-12 14:00       ` Stefan Fröberg
  2018-01-12 15:23         ` Thomas Petazzoni
  0 siblings, 1 reply; 14+ messages in thread
From: Stefan Fröberg @ 2018-01-12 14:00 UTC (permalink / raw)
  To: buildroot

Hi


Thomas Petazzoni kirjoitti 12.01.2018 klo 13:08:
> Hello,
>
> On Fri, 12 Jan 2018 12:45:06 +0200, Stefan Fr?berg wrote:
>
>>> Why not "select BR2_PACKAGE_OPENSSL"?
>>> Did you test with libressl as well?
>>>  
>> That cannot be select because it's a choise and if I remember buildroot
>> manual and
>> what Thomas said, you can't (or actually shouldn't) select from choice
>> unless
>> absolutely necessary (like, for example, in my turbovnc patch...have to
>> remember update that too...)
> It is correct that regular virtual packages cannot be selected.
>
> But openssl (like jpeg) is special, and you can select
> BR2_PACKAGE_OPENSSL. BR2_PACKAGE_OPENSSL is not part of a choice.
>
> The case of turbovnc is different: you wanted to select jpeg-turbo
> specifically, which is one jpeg implementation. And this is not
> possible.
>
> See the difference ? BR2_PACKAGE_OPENSSL is the virtual package itself,
> which has two implementations: libopenssl and libressl, selectable
> through a choice.
>
> BR2_PACKAGE_JPEG_TURBO is one implementation of the BR2_PACKAGE_JPEG
> virtual package. Selecting BR2_PACKAGE_JPEG is OK (just like selecting
> BR2_PACKAGE_OPENSSL is OK), but selecting BR2_PACKAGE_JPEG_TURBO
> doesn't work.
>
>

Ah, okay.

But Thomas, I can't use BR2_PACKAGE_JPEG for turbovnc because it uses
specific ABI (the so called TurboJPEG ABI)
from libjpeg-turbo package and vanilla jpeg does not provide it.

https://libjpeg-turbo.org/About/TurboJPEG

At least, *if* I remember correctly, turbovnc nagged something about
missing function when I tried to compile against vanilla jpeg.

Regards
Stefan


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12 14:00       ` Stefan Fröberg
@ 2018-01-12 15:23         ` Thomas Petazzoni
  2018-01-12 16:19           ` Stefan Fröberg
  0 siblings, 1 reply; 14+ messages in thread
From: Thomas Petazzoni @ 2018-01-12 15:23 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 12 Jan 2018 16:00:27 +0200, Stefan Fr?berg wrote:

> But Thomas, I can't use BR2_PACKAGE_JPEG for turbovnc because it uses
> specific ABI (the so called TurboJPEG ABI)
> from libjpeg-turbo package and vanilla jpeg does not provide it.
> 
> https://libjpeg-turbo.org/About/TurboJPEG
> 
> At least, *if* I remember correctly, turbovnc nagged something about
> missing function when I tried to compile against vanilla jpeg.

Yes, sure, I do remember this perfectly well. turbo-jpeg is kind of an
exception, because it is API compatible with jpeg (so it is logical for
it to be supported in Buildroot as a provider of the jpeg API), but it
also provides its own custom API.

With the current state of things, I believe there is indeed no other
choice for TurboVNC but to use a "depends on BR2_PACKAGE_TURBO_JPEG".
Didn't we already reach this conclusion during the TurboVNC
discussion ?

I know I originally complained against this "depends on", but once
justified with the fact that TurboVNC really only works with
jpeg-turbo's specific API, I'd be OK with using this "depends on".

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH 1/1] unbound: new package
  2018-01-12 15:23         ` Thomas Petazzoni
@ 2018-01-12 16:19           ` Stefan Fröberg
  0 siblings, 0 replies; 14+ messages in thread
From: Stefan Fröberg @ 2018-01-12 16:19 UTC (permalink / raw)
  To: buildroot

Hi

Thomas Petazzoni kirjoitti 12.01.2018 klo 17:23:
> Hello,
>
> On Fri, 12 Jan 2018 16:00:27 +0200, Stefan Fr?berg wrote:
>
>> But Thomas, I can't use BR2_PACKAGE_JPEG for turbovnc because it uses
>> specific ABI (the so called TurboJPEG ABI)
>> from libjpeg-turbo package and vanilla jpeg does not provide it.
>>
>> https://libjpeg-turbo.org/About/TurboJPEG
>>
>> At least, *if* I remember correctly, turbovnc nagged something about
>> missing function when I tried to compile against vanilla jpeg.
> Yes, sure, I do remember this perfectly well. turbo-jpeg is kind of an
> exception, because it is API compatible with jpeg (so it is logical for
> it to be supported in Buildroot as a provider of the jpeg API), but it
> also provides its own custom API.
>
> With the current state of things, I believe there is indeed no other
> choice for TurboVNC but to use a "depends on BR2_PACKAGE_TURBO_JPEG".
> Didn't we already reached this conclusion during the TurboVNC
> discussion ?

Could be, I have so lousy memory nowadays ...

>
> I know I originally complained against this "depends on", but once
> justified with the fact that TurboVNC really only works with
> jpeg-turbo's specific API, I'd be OK with using this "depends on".
>
>

Thanks T :-)

Regards

-S-


* [Buildroot] [PATCH 1/1] unbound: new package
  2020-03-21 12:37 ` Yann E. MORIN
@ 2020-03-29 17:00   ` Stefan Ott
  0 siblings, 0 replies; 14+ messages in thread
From: Stefan Ott @ 2020-03-29 17:00 UTC (permalink / raw)
  To: buildroot

Hi Yann

On Sat, Mar 21, 2020 at 01:37:08PM +0100, Yann E. MORIN wrote:
> 
> In addition to the review by Yegor and Thomas, and as discussed on IRC
> the other day: unbound at least requires threads, probably even NPTL.

I investigated a bit and while it doesn't strictly require pthreads
(i.e., there is an option to compile it without them), if pthreads are
enabled it *does* require NPTL.

A new patch that adjusts the build script accordingly should be ready
later tonight.


Kind regards
-- 
Stefan Ott
https://www.ott.net/


* [Buildroot] [PATCH 1/1] unbound: new package
  2020-03-21  6:42 ` Yegor Yefremov
@ 2020-03-29 16:53   ` Stefan Ott
  0 siblings, 0 replies; 14+ messages in thread
From: Stefan Ott @ 2020-03-29 16:53 UTC (permalink / raw)
  To: buildroot

Hi Yegor

Thanks for your feedback.

On Sat, Mar 21, 2020 at 07:42:39AM +0100, Yegor Yefremov wrote:
> >
> > +config BR2_PACKAGE_UNBOUND
> > +       bool "unbound"
> > +       select BR2_PACKAGE_EXPAT
> > +       select BR2_PACKAGE_LIBEVENT
> > +       select BR2_PACKAGE_OPENSSL
> > +       help
> > +               Unbound is a validating, recursive, and caching DNS resolver.
> > +               It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
> > +               DNSCrypt.
> > +
> > +               https://www.unbound.net
> 
> Looks like you have two tabs instead of one tab and two spaces.
> 
> > +if BR2_PACKAGE_UNBOUND
> > +       config BR2_PACKAGE_UNBOUND_DNSCRYPT
> > +       bool "Enable DNSCrypt"
> > +       select BR2_PACKAGE_LIBSODIUM
> > +       help
> > +               DNSCrypt wraps unmodified DNS queries between a client and
> > +               a DNS resolver. Default port used is 443 and like with
> > +               normal unencrypted DNS, it uses UDP first and falling back
> > +               to TCP if response too large.
> > +
> > +               There is also DNS-over-TLS, a TCP only version
> > +               of proposed standard for DNS encryption (RFC 7858).
> > +               Default port for DNS-over-TLS is 853 and Unbound has
> > +               built-in support for it.
> > +
> > +               https://tools.ietf.org/html/rfc7858
> > +
> > +               Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
> > +               Here is some suggestions how to handle SNI encryption:
> > +
> > +               https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
> 
> same here.

Ah yes, I had missed that in the manual. Patch v2 should be with the
proper indentation, thanks for pointing it out.


-- 
Stefan Ott
https://www.ott.net/


* [Buildroot] [PATCH 1/1] unbound: new package
  2020-03-21  0:57 Stefan Ott
  2020-03-21  6:42 ` Yegor Yefremov
  2020-03-21  8:27 ` Thomas Petazzoni
@ 2020-03-21 12:37 ` Yann E. MORIN
  2020-03-29 17:00   ` Stefan Ott
  2 siblings, 1 reply; 14+ messages in thread
From: Yann E. MORIN @ 2020-03-21 12:37 UTC (permalink / raw)
  To: buildroot

Stefan, All,

On 2020-03-21 01:57 +0100, Stefan Ott spake thusly:
> Unbound: validating, recursive & caching DNS resolver with
> DNSSEC, QNAME minimisation, DNSCrypt and DNS-over-TLS support.
> 
> Patch based on an earlier patch by Stefan Fr?berg
> 
> Signed-off-by: Stefan Ott <stefan@ott.net>

In addition to the review by Yegor and Thomas, and as discussed on IRC
the other day: unbound at least requires threads, probably even NPTL.

Regards,
Yann E. MORIN.

> ---
>  DEVELOPERS                   |  3 ++
>  package/Config.in            |  1 +
>  package/unbound/Config.in    | 35 ++++++++++++++++++++++
>  package/unbound/S70unbound   | 26 ++++++++++++++++
>  package/unbound/unbound.hash |  3 ++
>  package/unbound/unbound.mk   | 57 ++++++++++++++++++++++++++++++++++++
>  6 files changed, 125 insertions(+)
>  create mode 100644 package/unbound/Config.in
>  create mode 100755 package/unbound/S70unbound
>  create mode 100644 package/unbound/unbound.hash
>  create mode 100644 package/unbound/unbound.mk
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 8c736efcca..c5790c2a18 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2338,6 +2338,9 @@ F:	package/libvpx/
>  F:	package/mesa3d-demos/
>  F:	package/ti-gfx/
>  
> +N:	Stefan Ott <stefan@ott.net>
> +F:	package/unbound/
> +
>  N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
>  F:	package/cracklib/
>  F:	package/libpwquality/
> diff --git a/package/Config.in b/package/Config.in
> index cba756d9f1..ff9df32476 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2193,6 +2193,7 @@ endif
>  	source "package/uftp/Config.in"
>  	source "package/uhttpd/Config.in"
>  	source "package/ulogd/Config.in"
> +	source "package/unbound/Config.in"
>  	source "package/ushare/Config.in"
>  	source "package/ussp-push/Config.in"
>  	source "package/vde2/Config.in"
> diff --git a/package/unbound/Config.in b/package/unbound/Config.in
> new file mode 100644
> index 0000000000..3533164c03
> --- /dev/null
> +++ b/package/unbound/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_UNBOUND
> +	bool "unbound"
> +	select BR2_PACKAGE_EXPAT
> +	select BR2_PACKAGE_LIBEVENT
> +	select BR2_PACKAGE_OPENSSL
> +	help
> +		Unbound is a validating, recursive, and caching DNS resolver.
> +		It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
> +		DNSCrypt.
> +
> +		https://www.unbound.net
> +
> +if BR2_PACKAGE_UNBOUND
> +	config BR2_PACKAGE_UNBOUND_DNSCRYPT
> +	bool "Enable DNSCrypt"
> +	select BR2_PACKAGE_LIBSODIUM
> +	help
> +		DNSCrypt wraps unmodified DNS queries between a client and
> +		a DNS resolver. Default port used is 443 and like with
> +		normal unencrypted DNS, it uses UDP first and falling back
> +		to TCP if response too large.
> +
> +		There is also DNS-over-TLS, a TCP only version
> +		of proposed standard for DNS encryption (RFC 7858).
> +		Default port for DNS-over-TLS is 853 and Unbound has
> +		built-in support for it.
> +
> +		https://tools.ietf.org/html/rfc7858
> +
> +		Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
> +		Here is some suggestions how to handle SNI encryption:
> +
> +		https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
> +
> +endif
> diff --git a/package/unbound/S70unbound b/package/unbound/S70unbound
> new file mode 100755
> index 0000000000..5079f4121f
> --- /dev/null
> +++ b/package/unbound/S70unbound
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +
> +[ -f /etc/unbound/unbound.conf ] || exit 0
> +
> +case "$1" in
> +	start)
> +		printf "Starting unbound DNS server: "
> +		start-stop-daemon -S -x /usr/sbin/unbound
> +		[ $? = 0 ] && echo "OK" || echo "FAIL"
> +		;;
> +	stop)
> +		printf "Stopping unbound DNS server: "
> +		start-stop-daemon -K -q -x /usr/sbin/unbound
> +		[ $? = 0 ] && echo "OK" || echo "FAIL"
> +		;;
> +	restart|reload)
> +		$0 stop
> +		sleep 1
> +		$0 start
> +		;;
> +	*)
> +		echo "Usage: $0 {start|stop|restart}"
> +		exit 1
> +esac
> +
> +exit 0
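Review bot: The script ends in `exit 0` on every path except the usage error, so a failed `start-stop-daemon -S` prints FAIL but still reports success to whatever invoked the script. A resolver that did not start is worth surfacing to the caller: keep the status with `status=$?` after each `start-stop-daemon` call and finish with `exit $status` instead of the unconditional `exit 0`. The `restart|reload` arm accepts `reload` but the usage string does not list it, and the `$0` invocations should be quoted as `"$0"`.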
> diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash
> new file mode 100644
> index 0000000000..11626d0b6f
> --- /dev/null
> +++ b/package/unbound/unbound.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256 152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955  unbound-1.10.0.tar.gz
> +sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db  LICENSE
> diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
> new file mode 100644
> index 0000000000..81a620c170
> --- /dev/null
> +++ b/package/unbound/unbound.mk
> @@ -0,0 +1,57 @@
> +################################################################################
> +#
> +# unbound
> +#
> +################################################################################
> +
> +UNBOUND_VERSION = 1.10.0
> +UNBOUND_SITE = https://www.unbound.net/downloads
> +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
> +UNBOUND_LICENSE = BSD-3-Clause
> +UNBOUND_LICENSE_FILES = LICENSE
> +UNBOUND_CONF_OPTS += \
> +	--disable-rpath \
> +	--disable-debug \
> +	--with-conf-file=/etc/unbound/unbound.conf \
> +	--with-pidfile=/var/run/unbound.pid \
> +	--with-rootkey-file=/etc/unbound/root.key \
> +	--enable-tfo-server \
> +	--enable-relro-now \
> +	--with-pic \
> +	--enable-pie \
> +	--with-ssl=$(STAGING_DIR)/usr
> +
> +# uClibc-ng does not have MSG_FASTOPEN
> +# so TCP Fast Open client mode disabled for it
> +ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
> +UNBOUND_CONF_OPTS += --disable-tfo-client
> +else
> +UNBOUND_CONF_OPTS += --enable-tfo-client
> +endif
> +
> +ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
> +UNBOUND_CONF_OPTS += --with-pthreads
> +else
> +UNBOUND_CONF_OPTS += --without-pthreads
> +endif
> +
> +ifeq ($(BR2_GCC_ENABLE_LTO),y)
> +UNBOUND_CONF_OPTS += --enable-flto
> +else
> +UNBOUND_CONF_OPTS += --disable-flto
> +endif
> +
> +ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y)
> +UNBOUND_CONF_OPTS += --enable-dnscrypt
> +UNBOUND_DEPENDENCIES += libsodium
> +else
> +UNBOUND_CONF_OPTS += --disable-dnscrypt
> +endif
> +
> +define UNBOUND_INSTALL_INIT_SYSV
> +	$(INSTALL) -D -m 755 package/unbound/S70unbound \
> +		$(TARGET_DIR)/etc/init.d/S70unbound
> +endef
> +
> +$(eval $(autotools-package))
> +
> -- 
> 2.25.2
> 
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 1/1] unbound: new package
  2020-03-21  0:57 Stefan Ott
  2020-03-21  6:42 ` Yegor Yefremov
@ 2020-03-21  8:27 ` Thomas Petazzoni
  2020-03-21 12:37 ` Yann E. MORIN
  2 siblings, 0 replies; 14+ messages in thread
From: Thomas Petazzoni @ 2020-03-21  8:27 UTC (permalink / raw)
  To: buildroot

Hello Stefan,

Thanks for your patch, here are some more comments, on top of what
Yegor already reported.

On Sat, 21 Mar 2020 01:57:06 +0100
Stefan Ott <stefan@ott.net> wrote:

> diff --git a/package/unbound/Config.in b/package/unbound/Config.in
> new file mode 100644
> index 0000000000..3533164c03
> --- /dev/null
> +++ b/package/unbound/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_UNBOUND
> +	bool "unbound"
> +	select BR2_PACKAGE_EXPAT
> +	select BR2_PACKAGE_LIBEVENT
> +	select BR2_PACKAGE_OPENSSL
> +	help
> +		Unbound is a validating, recursive, and caching DNS resolver.
> +		It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
> +		DNSCrypt.
> +
> +		https://www.unbound.net
> +
> +if BR2_PACKAGE_UNBOUND
> +	config BR2_PACKAGE_UNBOUND_DNSCRYPT
> +	bool "Enable DNSCrypt"
> +	select BR2_PACKAGE_LIBSODIUM
> +	help

Sub-options should not be indented. Also, we normally don't capitalize
options, so "enable DNSCrypt" would be more appropriate here.

Side note: it is "interesting" to see that unbound unconditionally uses
one crypto library (openssl), and then requires another crypto library
(libsodium) for dnscrypt support. Kind of strange.

> diff --git a/package/unbound/S70unbound b/package/unbound/S70unbound
> new file mode 100755
> index 0000000000..5079f4121f
> --- /dev/null
> +++ b/package/unbound/S70unbound

Could you rework your init script to be modeled after the template in
package/busybox/S01syslogd ? We are trying to unify our init scripts so
that they are as similar as possible to each other.


> diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
> new file mode 100644
> index 0000000000..81a620c170
> --- /dev/null
> +++ b/package/unbound/unbound.mk
> @@ -0,0 +1,57 @@
> +################################################################################
> +#
> +# unbound
> +#
> +################################################################################
> +
> +UNBOUND_VERSION = 1.10.0
> +UNBOUND_SITE = https://www.unbound.net/downloads
> +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
> +UNBOUND_LICENSE = BSD-3-Clause
> +UNBOUND_LICENSE_FILES = LICENSE
> +UNBOUND_CONF_OPTS += \

The += here can be just =

> +	--disable-rpath \
> +	--disable-debug \
> +	--with-conf-file=/etc/unbound/unbound.conf \
> +	--with-pidfile=/var/run/unbound.pid \
> +	--with-rootkey-file=/etc/unbound/root.key \
> +	--enable-tfo-server \
> +	--enable-relro-now \

relro-now support is enabled system-wide using BR2_RELRO_PARTIAL /
BR2_RELRO_FULL, so individual packages should not enable it.

> +	--with-pic \
> +	--enable-pie \

Are these needed ?

Otherwise, looks good. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] unbound: new package
  2020-03-21  0:57 Stefan Ott
@ 2020-03-21  6:42 ` Yegor Yefremov
  2020-03-29 16:53   ` Stefan Ott
  2020-03-21  8:27 ` Thomas Petazzoni
  2020-03-21 12:37 ` Yann E. MORIN
  2 siblings, 1 reply; 14+ messages in thread
From: Yegor Yefremov @ 2020-03-21  6:42 UTC (permalink / raw)
  To: buildroot

Hi Stefan,

On Sat, Mar 21, 2020 at 1:57 AM Stefan Ott <stefan@ott.net> wrote:
>
> Unbound: validating, recursive & caching DNS resolver with
> DNSSEC, QNAME minimisation, DNSCrypt and DNS-over-TLS support.
>
> Patch based on an earlier patch by Stefan Fröberg
>
> Signed-off-by: Stefan Ott <stefan@ott.net>
> ---
>  DEVELOPERS                   |  3 ++
>  package/Config.in            |  1 +
>  package/unbound/Config.in    | 35 ++++++++++++++++++++++
>  package/unbound/S70unbound   | 26 ++++++++++++++++
>  package/unbound/unbound.hash |  3 ++
>  package/unbound/unbound.mk   | 57 ++++++++++++++++++++++++++++++++++++
>  6 files changed, 125 insertions(+)
>  create mode 100644 package/unbound/Config.in
>  create mode 100755 package/unbound/S70unbound
>  create mode 100644 package/unbound/unbound.hash
>  create mode 100644 package/unbound/unbound.mk
>
> diff --git a/DEVELOPERS b/DEVELOPERS
> index 8c736efcca..c5790c2a18 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2338,6 +2338,9 @@ F:        package/libvpx/
>  F:     package/mesa3d-demos/
>  F:     package/ti-gfx/
>
> +N:     Stefan Ott <stefan@ott.net>
> +F:     package/unbound/
> +
>  N:     Stefan S?rensen <stefan.sorensen@spectralink.com>
>  F:     package/cracklib/
>  F:     package/libpwquality/
> diff --git a/package/Config.in b/package/Config.in
> index cba756d9f1..ff9df32476 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -2193,6 +2193,7 @@ endif
>         source "package/uftp/Config.in"
>         source "package/uhttpd/Config.in"
>         source "package/ulogd/Config.in"
> +       source "package/unbound/Config.in"
>         source "package/ushare/Config.in"
>         source "package/ussp-push/Config.in"
>         source "package/vde2/Config.in"
> diff --git a/package/unbound/Config.in b/package/unbound/Config.in
> new file mode 100644
> index 0000000000..3533164c03
> --- /dev/null
> +++ b/package/unbound/Config.in
> @@ -0,0 +1,35 @@
> +config BR2_PACKAGE_UNBOUND
> +       bool "unbound"
> +       select BR2_PACKAGE_EXPAT
> +       select BR2_PACKAGE_LIBEVENT
> +       select BR2_PACKAGE_OPENSSL
> +       help
> +               Unbound is a validating, recursive, and caching DNS resolver.
> +               It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
> +               DNSCrypt.
> +
> +               https://www.unbound.net

Looks like you have two tabs instead of one tab and two spaces.

> +
> +if BR2_PACKAGE_UNBOUND
> +       config BR2_PACKAGE_UNBOUND_DNSCRYPT
> +       bool "Enable DNSCrypt"
> +       select BR2_PACKAGE_LIBSODIUM
> +       help
> +               DNSCrypt wraps unmodified DNS queries between a client and
> +               a DNS resolver. Default port used is 443 and like with
> +               normal unencrypted DNS, it uses UDP first and falling back
> +               to TCP if response too large.
> +
> +               There is also DNS-over-TLS, a TCP only version
> +               of proposed standard for DNS encryption (RFC 7858).
> +               Default port for DNS-over-TLS is 853 and Unbound has
> +               built-in support for it.
> +
> +               https://tools.ietf.org/html/rfc7858
> +
> +               Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
> +               Here is some suggestions how to handle SNI encryption:
> +
> +               https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00

same here.

Yegor

> +
> +endif
> diff --git a/package/unbound/S70unbound b/package/unbound/S70unbound
> new file mode 100755
> index 0000000000..5079f4121f
> --- /dev/null
> +++ b/package/unbound/S70unbound
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +
> +[ -f /etc/unbound/unbound.conf ] || exit 0
> +
> +case "$1" in
> +       start)
> +               printf "Starting unbound DNS server: "
> +               start-stop-daemon -S -x /usr/sbin/unbound
> +               [ $? = 0 ] && echo "OK" || echo "FAIL"
> +               ;;
> +       stop)
> +               printf "Stopping unbound DNS server: "
> +               start-stop-daemon -K -q -x /usr/sbin/unbound
> +               [ $? = 0 ] && echo "OK" || echo "FAIL"
> +               ;;
> +       restart|reload)
> +               $0 stop
> +               sleep 1
> +               $0 start
> +               ;;
> +       *)
> +               echo "Usage: $0 {start|stop|restart}"
> +               exit 1
> +esac
> +
> +exit 0
> diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash
> new file mode 100644
> index 0000000000..11626d0b6f
> --- /dev/null
> +++ b/package/unbound/unbound.hash
> @@ -0,0 +1,3 @@
> +# Locally calculated
> +sha256 152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955  unbound-1.10.0.tar.gz
> +sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db  LICENSE
> diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
> new file mode 100644
> index 0000000000..81a620c170
> --- /dev/null
> +++ b/package/unbound/unbound.mk
> @@ -0,0 +1,57 @@
> +################################################################################
> +#
> +# unbound
> +#
> +################################################################################
> +
> +UNBOUND_VERSION = 1.10.0
> +UNBOUND_SITE = https://www.unbound.net/downloads
> +UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
> +UNBOUND_LICENSE = BSD-3-Clause
> +UNBOUND_LICENSE_FILES = LICENSE
> +UNBOUND_CONF_OPTS += \
> +       --disable-rpath \
> +       --disable-debug \
> +       --with-conf-file=/etc/unbound/unbound.conf \
> +       --with-pidfile=/var/run/unbound.pid \
> +       --with-rootkey-file=/etc/unbound/root.key \
> +       --enable-tfo-server \
> +       --enable-relro-now \
> +       --with-pic \
> +       --enable-pie \
> +       --with-ssl=$(STAGING_DIR)/usr
> +
> +# uClibc-ng does not have MSG_FASTOPEN
> +# so TCP Fast Open client mode disabled for it
> +ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
> +UNBOUND_CONF_OPTS += --disable-tfo-client
> +else
> +UNBOUND_CONF_OPTS += --enable-tfo-client
> +endif
> +
> +ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
> +UNBOUND_CONF_OPTS += --with-pthreads
> +else
> +UNBOUND_CONF_OPTS += --without-pthreads
> +endif
> +
> +ifeq ($(BR2_GCC_ENABLE_LTO),y)
> +UNBOUND_CONF_OPTS += --enable-flto
> +else
> +UNBOUND_CONF_OPTS += --disable-flto
> +endif
> +
> +ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y)
> +UNBOUND_CONF_OPTS += --enable-dnscrypt
> +UNBOUND_DEPENDENCIES += libsodium
> +else
> +UNBOUND_CONF_OPTS += --disable-dnscrypt
> +endif
> +
> +define UNBOUND_INSTALL_INIT_SYSV
> +       $(INSTALL) -D -m 755 package/unbound/S70unbound \
> +               $(TARGET_DIR)/etc/init.d/S70unbound
> +endef
> +
> +$(eval $(autotools-package))
> +
> --
> 2.25.2
>


* [Buildroot] [PATCH 1/1] unbound: new package
@ 2020-03-21  0:57 Stefan Ott
  2020-03-21  6:42 ` Yegor Yefremov
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Stefan Ott @ 2020-03-21  0:57 UTC (permalink / raw)
  To: buildroot

Unbound: validating, recursive & caching DNS resolver with
DNSSEC, QNAME minimisation, DNSCrypt and DNS-over-TLS support.

Patch based on an earlier patch by Stefan Fröberg

Signed-off-by: Stefan Ott <stefan@ott.net>
---
 DEVELOPERS                   |  3 ++
 package/Config.in            |  1 +
 package/unbound/Config.in    | 35 ++++++++++++++++++++++
 package/unbound/S70unbound   | 26 ++++++++++++++++
 package/unbound/unbound.hash |  3 ++
 package/unbound/unbound.mk   | 57 ++++++++++++++++++++++++++++++++++++
 6 files changed, 125 insertions(+)
 create mode 100644 package/unbound/Config.in
 create mode 100755 package/unbound/S70unbound
 create mode 100644 package/unbound/unbound.hash
 create mode 100644 package/unbound/unbound.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 8c736efcca..c5790c2a18 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2338,6 +2338,9 @@ F:	package/libvpx/
 F:	package/mesa3d-demos/
 F:	package/ti-gfx/
 
+N:	Stefan Ott <stefan@ott.net>
+F:	package/unbound/
+
 N:	Stefan S?rensen <stefan.sorensen@spectralink.com>
 F:	package/cracklib/
 F:	package/libpwquality/
diff --git a/package/Config.in b/package/Config.in
index cba756d9f1..ff9df32476 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2193,6 +2193,7 @@ endif
 	source "package/uftp/Config.in"
 	source "package/uhttpd/Config.in"
 	source "package/ulogd/Config.in"
+	source "package/unbound/Config.in"
 	source "package/ushare/Config.in"
 	source "package/ussp-push/Config.in"
 	source "package/vde2/Config.in"
diff --git a/package/unbound/Config.in b/package/unbound/Config.in
new file mode 100644
index 0000000000..3533164c03
--- /dev/null
+++ b/package/unbound/Config.in
@@ -0,0 +1,35 @@
+config BR2_PACKAGE_UNBOUND
+	bool "unbound"
+	select BR2_PACKAGE_EXPAT
+	select BR2_PACKAGE_LIBEVENT
+	select BR2_PACKAGE_OPENSSL
+	help
+		Unbound is a validating, recursive, and caching DNS resolver.
+		It supports DNSSEC, QNAME minimisation, DNS-over-TLS and
+		DNSCrypt.
+
+		https://www.unbound.net
+
+if BR2_PACKAGE_UNBOUND
+	config BR2_PACKAGE_UNBOUND_DNSCRYPT
+	bool "Enable DNSCrypt"
+	select BR2_PACKAGE_LIBSODIUM
+	help
+		DNSCrypt wraps unmodified DNS queries between a client and
+		a DNS resolver. Default port used is 443 and like with
+		normal unencrypted DNS, it uses UDP first and falling back
+		to TCP if response too large.
+
+		There is also DNS-over-TLS, a TCP only version
+		of proposed standard for DNS encryption (RFC 7858).
+		Default port for DNS-over-TLS is 853 and Unbound has
+		built-in support for it.
+
+		https://tools.ietf.org/html/rfc7858
+
+		Note: Neither DNSCrypt or DNS-over-TLS encrypt the SNI.
+		Here is some suggestions how to handle SNI encryption:
+
+		https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-00
+
+endif
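Review bot: The help text of `BR2_PACKAGE_UNBOUND_DNSCRYPT` mostly describes DNS-over-TLS, which this option does not control, and its closing SNI note reads as if it applied to DNSCrypt too. As far as I know DNSCrypt is not TLS-based, so there is no SNI involved; the note is only meaningful for DNS-over-TLS and would fit better in the main `BR2_PACKAGE_UNBOUND` help. For this option I would keep only what enabling it changes, e.g. `Build unbound with DNSCrypt support (requires libsodium).`, so that a user picking a transport-privacy feature is not misled about what it covers.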
diff --git a/package/unbound/S70unbound b/package/unbound/S70unbound
new file mode 100755
index 0000000000..5079f4121f
--- /dev/null
+++ b/package/unbound/S70unbound
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+[ -f /etc/unbound/unbound.conf ] || exit 0
+
+case "$1" in
+	start)
+		printf "Starting unbound DNS server: "
+		start-stop-daemon -S -x /usr/sbin/unbound
+		[ $? = 0 ] && echo "OK" || echo "FAIL"
+		;;
+	stop)
+		printf "Stopping unbound DNS server: "
+		start-stop-daemon -K -q -x /usr/sbin/unbound
+		[ $? = 0 ] && echo "OK" || echo "FAIL"
+		;;
+	restart|reload)
+		$0 stop
+		sleep 1
+		$0 start
+		;;
+	*)
+		echo "Usage: $0 {start|stop|restart}"
+		exit 1
+esac
+
+exit 0
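Review bot: Both the start and stop branches print FAIL but discard the status, and the script ends with an unconditional `exit 0`, so a failed start of the resolver looks like success to whatever invoked the script. Keeping the result (`status=$?` after each `start-stop-daemon` call and `exit $status` at the end) would fix that. The calls also match the process only by `-x /usr/sbin/unbound`; passing `-p /var/run/unbound.pid`, the pidfile path configured in unbound.mk, would tie stop to the instance this script started. The usage text omits `reload`, which the case statement accepts.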
diff --git a/package/unbound/unbound.hash b/package/unbound/unbound.hash
new file mode 100644
index 0000000000..11626d0b6f
--- /dev/null
+++ b/package/unbound/unbound.hash
@@ -0,0 +1,3 @@
+# Locally calculated
+sha256 152f486578242fe5c36e89995d0440b78d64c05123990aae16246b7f776ce955  unbound-1.10.0.tar.gz
+sha256 8eb9a16cbfb8703090bbfa3a2028fd46bb351509a2f90dc1001e51fbe6fd45db  LICENSE
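Review bot: `# Locally calculated` says only that the sha256 pins the tarball the submitter happened to download, not that the tarball was checked against anything upstream publishes. If the unbound download site offers a checksum or a detached PGP signature for unbound-1.10.0.tar.gz (not visible from this patch), the hash should be taken from or verified against it and the comment should say so, for example `# Locally calculated after checking the upstream PGP signature`. That gives later version bumps a verification step to repeat rather than a value to recompute.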
diff --git a/package/unbound/unbound.mk b/package/unbound/unbound.mk
new file mode 100644
index 0000000000..81a620c170
--- /dev/null
+++ b/package/unbound/unbound.mk
@@ -0,0 +1,57 @@
+################################################################################
+#
+# unbound
+#
+################################################################################
+
+UNBOUND_VERSION = 1.10.0
+UNBOUND_SITE = https://www.unbound.net/downloads
+UNBOUND_DEPENDENCIES = host-pkgconf expat libevent openssl
+UNBOUND_LICENSE = BSD-3-Clause
+UNBOUND_LICENSE_FILES = LICENSE
+UNBOUND_CONF_OPTS += \
+	--disable-rpath \
+	--disable-debug \
+	--with-conf-file=/etc/unbound/unbound.conf \
+	--with-pidfile=/var/run/unbound.pid \
+	--with-rootkey-file=/etc/unbound/root.key \
+	--enable-tfo-server \
+	--enable-relro-now \
+	--with-pic \
+	--enable-pie \
+	--with-ssl=$(STAGING_DIR)/usr
+
+# uClibc-ng does not have MSG_FASTOPEN
+# so TCP Fast Open client mode disabled for it
+ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
+UNBOUND_CONF_OPTS += --disable-tfo-client
+else
+UNBOUND_CONF_OPTS += --enable-tfo-client
+endif
+
+ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+UNBOUND_CONF_OPTS += --with-pthreads
+else
+UNBOUND_CONF_OPTS += --without-pthreads
+endif
+
+ifeq ($(BR2_GCC_ENABLE_LTO),y)
+UNBOUND_CONF_OPTS += --enable-flto
+else
+UNBOUND_CONF_OPTS += --disable-flto
+endif
+
+ifeq ($(BR2_PACKAGE_UNBOUND_DNSCRYPT),y)
+UNBOUND_CONF_OPTS += --enable-dnscrypt
+UNBOUND_DEPENDENCIES += libsodium
+else
+UNBOUND_CONF_OPTS += --disable-dnscrypt
+endif
+
+define UNBOUND_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 package/unbound/S70unbound \
+		$(TARGET_DIR)/etc/init.d/S70unbound
+endef
+
+$(eval $(autotools-package))
+
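Review bot: Nothing in this file creates an unprivileged account for the daemon: there is no `UNBOUND_USERS` definition, and the init script launches `/usr/sbin/unbound` directly, presumably as root. As far as I know unbound by default drops privileges to a user named `unbound` after binding its ports and refuses to start when that user is missing, so the target would either fail to start or have to be configured to stay root; please confirm against the installed unbound.conf. I would add a users-table entry such as `define UNBOUND_USERS` / `unbound -1 unbound -1 * /etc/unbound - - unbound daemon` / `endef` before the `$(eval $(autotools-package))` line.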
-- 
2.25.2
