From 372576e0ab699a188e9248d73afcc00a5a635d2b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 7 Jan 2020 11:12:33 +0000
Subject: [PATCH] unbound: Set EDNS buffer size to 1232 bytes
Fixes: #12240
Signed-off-by: Michael Tremer
---
 config/unbound/unbound.conf | 3 ++
 src/initscripts/system/unbound | 50 +---------------------------------
 2 files changed, 4 insertions(+), 49 deletions(-)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 4d492a5bc1..9fca7ef225 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -62,6 +62,9 @@ server:
 use-caps-for-id: yes
 aggressive-nsec: yes
+ # EDNS Buffer Size (#12240)
+ edns-buffer-size: 1232
+
 # Harden against DNS cache poisoning
 unwanted-reply-threshold: 1000000
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 61d62beb15..1c9f4288ca 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -20,9 +20,6 @@ FORCE_TCP=off
 # Cache any local zones for 60 seconds
 LOCAL_TTL=60
-# EDNS buffer size
-EDNS_DEFAULT_BUFFER_SIZE=4096
-
 # Load optional configuration
 [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
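Review bot: The new `# EDNS Buffer Size (#12240)` comment only cites the ticket, so the next reader has to look it up to learn why 1232 rather than the 4096 the initscript previously defaulted to; I would expand it to `# EDNS buffer size: 1232 bytes fits the IPv6 minimum MTU and avoids fragmented UDP answers (#12240)`. Because this commit also drops the per-forwarder probing in the initscript, this line is now the only place the size is set, and any EDNS_DEFAULT_BUFFER_SIZE override in /etc/sysconfig/unbound (still sourced in the next hunk) is silently ignored from now on. That is worth a sentence in the commit message or in this comment.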
@@ -90,25 +87,6 @@ update_forwarders() {
 esac
 done
- # Determine EDNS buffer size
- local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}
-
- for ns in ${forwarders}; do
- local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
- if [ -n "${edns_buffer_size}" ]; then
- if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
- new_edns_buffer_size=${edns_buffer_size}
- fi
- fi
- done
-
- if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
- boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
- echo_warning
-
- unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
- fi
-
 # Show warning for any broken upstream name servers
 if [ -n "${broken_forwarders}" ]; then
 boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
@@ -129,7 +107,7 @@ update_forwarders() {
 # In case we have found no working forwarders
 else
 # Test if the recursor mode is available
- if can_resolve_root +bufsize=${new_edns_buffer_size}; then
+ if can_resolve_root; then
 # Make sure DNSSEC is activated
 enable_dnssec
@@ -374,12 +352,6 @@ test_name_server() {
 # Exit when the server is not reachable
 ns_is_online ${ns} || return 1
- # Determine the maximum edns buffer size that works
- local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
- if [ -n "${edns_buffer_size}" ]; then
- args="${args} +bufsize=${edns_buffer_size}"
- fi
-
 local errors
 for rr in DNSKEY DS RRSIG; do
 if ! ns_forwards_${rr} ${ns} ${args}; then
@@ -457,21 +429,6 @@ ns_supports_tcp() {
 dig "${DIG_ARGS[@]}" @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
 }
-ns_determine_edns_buffer_size() {
- local ns=${1}
- shift
-
- local b
- for b in 4096 2048 1500 1480 1464 1400 1280 512; do
- if dig "${DIG_ARGS[@]}" @${ns} +dnssec +bufsize=${b} A ${TEST_DOMAIN} $@ >/dev/null; then
- echo "${b}"
- return 0
- fi
- done
-
- return 1
-}
-
 get_root_nameservers() {
 while read -r hostname ttl record address; do
 # Searching for A records
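Review bot: In the test_name_server hunk the DNSSEC probes (`ns_forwards_${rr} ${ns} ${args}`) no longer carry a `+bufsize`, so dig now tests each upstream with its own built-in default instead of the 1232 bytes unbound is configured with; unless DIG_ARGS (declared outside this hunk) already sets it, a forwarder can pass the DNSKEY/DS/RRSIG probe at dig's default and still behave differently under unbound's fixed size, or vice versa. Keeping the probe aligned with the configured value is one line, `args="${args} +bufsize=1232"`, ideally fed from a single constant that the config also uses. The same applies to the `if can_resolve_root; then` hunk, which dropped its `+bufsize` argument as well. Both update_forwarders and test_name_server begin and end outside these hunks.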
@@ -905,11 +862,6 @@ case "$1" in
 echo "${ns} does not support TCP fallback"
 fi
- edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
- if [ -n "${edns_buffer_size}" ]; then
- echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
- fi
-
 exit ${ret}
 ;;
-- 
2.39.5