unbound: provide transparent defaults with documentation

Some resource options bundled many Unbound.conf options and
made customizing on top of UCI difficult. Make it easier to
use Unbound built defaults (blank conf sections).

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>

net/unbound/files/unbound.sh

@@ -449,7 +449,7 @@ unbound_mkdir() {
       cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
     fi
   fi
 
@@ -463,7 +463,7 @@ unbound_mkdir() {
       $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 
     elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
     fi
   fi
 
@@ -616,9 +616,13 @@ unbound_conf() {
     # Make fresh conf file
     echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
     echo
-    # No threading
     echo "server:"
     echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
     echo "  num-threads: 1"
     echo "  msg-cache-slabs: 1"
     echo "  rrset-cache-slabs: 1"
@@ -632,6 +636,7 @@ unbound_conf() {
     echo "  outgoing-interface: ::0"
     echo
     # Logging
+    echo "  use-syslog: yes"
     echo "  verbosity: 1"
     echo "  statistics-interval: 0"
     echo "  statistics-cumulative: no"
@@ -677,12 +682,18 @@ unbound_conf() {
       } >> $UNBOUND_CONFFILE
       ;;
 
-    *)
+    mixed)
       {
         echo "  do-ip4: yes"
         echo "  do-ip6: yes"
       } >> $UNBOUND_CONFFILE
       ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
   esac
 
 
@@ -708,15 +719,6 @@ unbound_conf() {
   } >> $UNBOUND_CONFFILE
 
 
-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
   if [ -f "$UNBOUND_HINTFILE" ] ; then
     # Optional hints if found
     echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +766,7 @@ unbound_conf() {
     } >> $UNBOUND_CONFFILE
 
   elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
   fi
 
   # Assembly of module-config: options is tricky; order matters
@@ -803,27 +805,26 @@ unbound_conf() {
   }  >> $UNBOUND_CONFFILE
 
 
-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
   case "$UNBOUND_D_RECURSION" in
     passive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: no"
+        fi
+        # On demand fetching
         echo "  prefetch: no"
-        echo "  prefetch-key: no"
         echo "  target-fetch-policy: \"0 0 0 0 0\""
         echo
       } >> $UNBOUND_CONFFILE
@@ -831,8 +832,23 @@ unbound_conf() {
 
     aggressive)
       {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
         echo "  prefetch: yes"
-        echo "  prefetch-key: yes"
         echo "  target-fetch-policy: \"3 2 1 0 0\""
         echo
       } >> $UNBOUND_CONFFILE