diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index f88c44f3ad..0b14eddaa9 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound
PKG_VERSION:=1.22.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nlnetlabs.nl/downloads/unbound
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index 825a071094..d35935c558 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -208,6 +208,7 @@ One instance is supported currently.
| dns64_prefix | 64:ff9b::/96 | subnet | DNS64 RFC6052 IPv4 in IPv6 well known prefix. | dns64-prefix: |
| dhcp_link | none | program | Link to a DHCP server with supported scripts. See HOW TO above. | local-zone: local-data: forward-zone: |
| dhcp4_slaac6 | 0 | boolean | Infer SLAAC IE64 IPv6 addresses from DHCPv4 MAC in DHCP link scripts. | - |
+| exclude_ipv6_ga | 0 | boolean | If exclude IPv6 global addresses from local data. | local-data: |
| domain | lan | domain | This will suffix DHCP host records and be the default search domain. | local-zone: |
| domain_insecure | (empty) | domain | **List** domains that you wish to skip DNSSEC. It is one way around NTP chicken and egg. Your DHCP domains are automatically included. | domain-insecure: |
| domain_type | static | state | This allows you to lock down or allow forwarding of the local zone.
`static`: no forwarding like dnsmasq default
`refuse`: answer overtly with REFUSED
`deny`: covertly drop all queries
`transparent`: may continue forwarding or recusion | local-zone: |
diff --git a/net/unbound/files/odhcpd.awk b/net/unbound/files/odhcpd.awk
index 7aea8e7c17..5214500f78 100644
--- a/net/unbound/files/odhcpd.awk
+++ b/net/unbound/files/odhcpd.awk
@@ -24,6 +24,7 @@
# "bslaac" = boolean, use DHCPv4 MAC to find GA and ULA IPV6 SLAAC
# "bisolt" = boolean, format ... so you can isolate
# "bconf" = boolean, write conf file with pipe records
+# "exclude_ipv6_ga" = boolean, exclude IPv6 GA addresses from local-data
#
##############################################################################
@@ -38,16 +39,14 @@
sub( /.*\//, "", cdr2 ) ;
gsub( /_/, "-", hst ) ;
-
if ( hst !~ /^[[:alnum:]]([-[:alnum:]]*[[:alnum:]])?$/ ) {
# that is not a valid host name (RFC1123)
# above replaced common error of "_" in host name with "-"
hst = "-" ;
}
-
if ( bisolt == 1 ) {
- # TODO: this might be better with a substituion option,
+ # TODO: this might be better with a substitution option,
# or per DHCP pool do-not-DNS option, but its getting busy here.
fqdn = net
gsub( /\./, "-", fqdn ) ;
@@ -58,56 +57,52 @@
fqdn = tolower( hst "." domain ) ;
}
-
if ((cls == "ipv4") && (hst != "-") && (cdr == 32) && (NF == 9)) {
# IPV4 ; only for provided hostnames and full /32 assignments
# NF=9 ; odhcpd errata in field format without host name
ptr = adr ; qpr = "" ; split( ptr, ptrarr, "." ) ;
slaac = slaac_eui64( id ) ;
-
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 300 IN A " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
print ( x "\n" y "\n" ) > conffile ;
}
-
# always create the pipe file
for( i=1; i<=4; i++ ) { qpr = ( ptrarr[i] "." qpr) ; }
x = ( fqdn ". 300 IN A " adr ) ;
y = ( qpr "in-addr.arpa. 300 IN PTR " fqdn ) ;
print ( x "\n" y ) > pipefile ;
-
if (( bslaac == 1 ) && ( slaac != 0 )) {
# UCI option to discover IPV6 routed SLAAC addresses
# NOT TODO - ping probe take too long when added in awk-rule loop
cmd = ( "ip -6 --oneline route show dev " net ) ;
-
while ( ( cmd | getline adr ) > 0 ) {
if (( substr( adr, 1, 5 ) <= "fdff:" ) \
&& ( index( adr, "::/" ) != 0 ) \
&& ( index( adr, "anycast" ) == 0 ) \
&& ( index( adr, "via" ) == 0 )) {
- # GA or ULA routed addresses only (not LL or MC)
+ if ( exclude_ipv6_ga == 1 && ipv6_in_range(adr) ) {
+ printf "Excluding GA IPv6 address: %s for %s\n", \
+ adr, fqdn | "logger -t unbound-odhcpd"
+ continue
+ }
sub( /\/.*/, "", adr ) ;
adr = ( adr slaac ) ;
-
if ( split( adr, tmp0, ":" ) > 8 ) {
sub( "::", ":", adr ) ;
}
-
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
print ( x "\n" y "\n" ) > conffile ;
}
-
# always create the pipe file
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 300 IN AAAA " adr ) ;
@@ -116,41 +111,50 @@
}
}
-
close( cmd ) ;
}
}
else if ((cls != "ipv4") && (hst != "-") && (9 <= NF) && (NF <= 10)) {
if (cdr == 128) {
+ if ( exclude_ipv6_ga == 1 && ipv6_in_range(adr) ) {
+ printf "Excluding GA IPv6 address: %s for %s\n", \
+ adr, fqdn | "logger -t unbound-odhcpd"
+ }
+ else {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr "\"" ) ;
y = ( "local-data-ptr: \"" adr " 300 " fqdn "\"" ) ;
print ( x "\n" y "\n" ) > conffile ;
}
-
# only for provided hostnames and full /128 assignments
qpr = ipv6_ptr( adr ) ;
x = ( fqdn ". 300 IN AAAA " adr ) ;
y = ( qpr ". 300 IN PTR " fqdn ) ;
print ( x "\n" y ) > pipefile ;
}
+ }
if (cdr2 == 128) {
+ if ( exclude_ipv6_ga == 1 && ipv6_in_range(adr2) ) {
+ printf "Excluding GA IPv6 address: %s for %s\n", \
+ adr2, fqdn | "logger -t unbound-odhcpd"
+ }
+ else {
if ( bconf == 1 ) {
x = ( "local-data: \"" fqdn ". 300 IN AAAA " adr2 "\"" ) ;
y = ( "local-data-ptr: \"" adr2 " 300 " fqdn "\"" ) ;
print ( x "\n" y "\n" ) > conffile ;
}
-
# odhcp puts GA and ULA on the same line (position 9 and 10)
qpr2 = ipv6_ptr( adr2 ) ;
x = ( fqdn ". 300 IN AAAA " adr2 ) ;
y = ( qpr2 ". 300 IN PTR " fqdn ) ;
print ( x "\n" y ) > pipefile ;
}
+ }
}
else {
@@ -164,7 +168,6 @@ function ipv6_ptr( ipv6, arpa, ary, end, m, n, new6, sz, start ) {
# IPV6 colon flexibility is a challenge when creating [ptr].ip6.arpa.
sz = split( ipv6, ary, ":" ) ; end = 9 - sz ;
-
for( m=1; m<=sz; m++ ) {
if( length(ary[m]) == 0 ) {
for( n=1; n<=end; n++ ) { ary[m] = ( ary[m] "0000" ) ; }
@@ -175,7 +178,6 @@ function ipv6_ptr( ipv6, arpa, ary, end, m, n, new6, sz, start ) {
}
}
-
new6 = ary[1] ;
for( m = 2; m <= sz; m++ ) { new6 = ( new6 ary[m] ) ; }
start = length( new6 ) ;
@@ -203,9 +205,55 @@ function slaac_eui64( mac, ary, glbit, eui64 ) {
eui64 = 0 ;
}
-
return eui64 ;
}
##############################################################################
+function normalize_ipv6(ip, parts, normalized) {
+ # Remove any prefix length
+ sub(/\/.*/, "", ip);
+
+ # Handle compressed notation (::)
+ if (index(ip, "::") > 0) {
+ split(ip, parts, "::");
+ # Count colons to determine how many zero groups to insert
+ gsub(/:/, ":", parts[1]);
+ if (parts[2] != "") gsub(/:/, ":", parts[2]);
+ missing = 8 - (split(parts[1], tmp1, ":") + split(parts[2], tmp2, ":"));
+
+ # Build normalized address
+ normalized = parts[1];
+ for (i = 0; i < missing; i++) normalized = normalized ":0";
+ if (parts[2] != "") normalized = normalized ":" parts[2];
+ } else {
+ normalized = ip;
+ }
+
+ # Fill each group with leading zeros
+ split(normalized, parts, ":");
+ normalized = "";
+ for (i = 1; i <= length(parts); i++) {
+ if (parts[i] == "") parts[i] = "0";
+ while (length(parts[i]) < 4) {
+ parts[i] = "0" parts[i];
+ }
+ if (i > 1) normalized = normalized ":";
+ normalized = normalized parts[i];
+ }
+
+ return normalized;
+}
+
+function ipv6_in_range(ip) {
+ # Normalize the address first
+ ip = normalize_ipv6(ip);
+
+ # Check if it's in 2000::/3 range
+ # This covers 2000:: to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ first_group = substr(ip, 1, 4);
+ first_digit = substr(first_group, 1, 1);
+
+ return (first_digit == "2" || first_digit == "3");
+}
+
diff --git a/net/unbound/files/odhcpd.sh b/net/unbound/files/odhcpd.sh
index 9a428563b6..bcdd0722d7 100644
--- a/net/unbound/files/odhcpd.sh
+++ b/net/unbound/files/odhcpd.sh
@@ -38,7 +38,12 @@ odhcpd_zonedata() {
local dhcp4_slaac6=$( uci_get unbound.@unbound[0].dhcp4_slaac6 )
local dhcp_domain=$( uci_get unbound.@unbound[0].domain )
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
+ local exclude_ipv6_ga=$( uci_get unbound.@unbound[0].exclude_ipv6_ga )
+ if [ "$exclude_ipv6_ga" != "0" ] && [ "$exclude_ipv6_ga" != "1" ]; then
+ logger -t unbound -s "invalid exclude_ipv6_ga value, using default (0)"
+ exclude_ipv6_ga=0
+ fi
if [ -f "$UB_TOTAL_CONF" ] && [ -f "$dhcp_origin" ] \
&& [ "$dhcp_link" = "odhcpd" ] && [ -n "$dhcp_domain" ] ; then
@@ -49,7 +54,6 @@ odhcpd_zonedata() {
local dns_ls_old=$UB_VARDIR/dhcp_dns.old
local dhcp_ls_new=$UB_VARDIR/dhcp_lease.new
-
if [ ! -f $UB_DHCP_CONF ] || [ ! -f $dns_ls_old ] ; then
# no old files laying around
touch $dns_ls_old
@@ -61,7 +65,6 @@ odhcpd_zonedata() {
dateconf=$(( $( date +%s ) - $( date -r $UB_DHCP_CONF +%s ) ))
dateoldf=$(( $( date +%s ) - $( date -r $dns_ls_old +%s ) ))
-
if [ $dateconf -gt 300 ] ; then
touch $dns_ls_old
sort $dhcp_origin > $dhcp_ls_new
@@ -82,7 +85,7 @@ odhcpd_zonedata() {
freshstart)
awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
-v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
- -v bisolt=0 -v bconf=1 \
+ -v bisolt=0 -v bconf=1 -v exclude_ipv6_ga=$exclude_ipv6_ga \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
cp $dns_ls_new $dns_ls_add
@@ -94,7 +97,7 @@ odhcpd_zonedata() {
longtime)
awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
-v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
- -v bisolt=0 -v bconf=1 \
+ -v bisolt=0 -v bconf=1 -v exclude_ipv6_ga=$exclude_ipv6_ga \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
awk '{ print $1 }' $dns_ls_old | sort | uniq > $dns_ls_del
@@ -110,7 +113,7 @@ odhcpd_zonedata() {
# unbound-control can be slow so high DHCP rates cannot run a full list
awk -v conffile=$UB_DHCP_CONF -v pipefile=$dns_ls_new \
-v domain=$dhcp_domain -v bslaac=$dhcp4_slaac6 \
- -v bisolt=0 -v bconf=0 \
+ -v bisolt=0 -v bconf=0 -v exclude_ipv6_ga=$exclude_ipv6_ga \
-f /usr/lib/unbound/odhcpd.awk $dhcp_ls_new
sort $dns_ls_new $dns_ls_old $dns_ls_old | uniq -u > $dns_ls_add
@@ -136,3 +139,4 @@ if flock -x -n 1000 ; then
fi
##############################################################################
+
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index d921e3cd0e..7a1eaf9114 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -4,6 +4,7 @@ config unbound 'ub_main'
option add_wan_fqdn '0'
option dhcp_link 'none'
option dhcp4_slaac6 '0'
+ option exclude_ipv6_ga '0'
option dns64 '0'
option dns64_prefix '64:ff9b::/96'
option domain 'lan'