Friday, October 05, 2018

Re: UPDATE net/dnscrypt-proxy

On 2018/10/05 12:54, Björn Ketelaars wrote:
> Daemon per default listens on 127.0.0.1:53, and switches to a different
> system user after listening sockets have been created.

Oh finally! Dropping privs is what was blocking the update before.

> Adding a note to current.html is probably a good thing as the
> configuration has changed significantly.

Agreed.

> I'm not sure if it is wise to update this port at this point in time.
> Maybe after the freeze? Other opinions?

Sooner the better IMO. It doesn't affect any other ports and the old version
is fairly long-dead now so if it works I would prefer to get it in.

> +FILES = example-blacklist.txt \
> + example-cloaking-rules.txt \
> + example-dnscrypt-proxy.toml \
> + example-forwarding-rules.txt \
> + example-whitelist.txt
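Review bot: FILES pins five example-* names, so an example file added upstream in a later release is silently not installed, whereas a glob such as `${WRKSRC}/dnscrypt-proxy/example*` would pick it up; the explicit list has the opposite merit that a renamed or removed example breaks the build instead of quietly shrinking the install, so either is defensible as long as the choice is deliberate.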

In my earlier port of this I used "${INSTALL_DATA}
${WRKSRC}/dnscrypt-proxy/example* ..." to avoid missing any that might
get added later, though I am ok either way for that.

> + ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
> + ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
> +
> +-listen_addresses = ['127.0.0.1:53', '[::1]:53']
> ++listen_addresses = ['127.0.0.1:53']
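Review bot: dropping '[::1]:53' from listen_addresses in the ++ line leaves a stub resolver or application that talks to ::1 on the same host with no listener at all; keep the upstream pair `listen_addresses = ['127.0.0.1:53', '[::1]:53']` unless the port has a concrete reason to differ. Either address on port 53 is a privileged bind, so this default depends on the daemon starting as root and switching user only after the sockets are created, as described at the top of the mail; that order is what keeps the running process unprivileged.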

Why disable v6 here? inet6 is available on localhost by default and
other DNS-related daemons usually listen on both.

> +DNSCrypt-proxy provides a local service which can be used directly as your
> +local resolver or as a DNS forwarder, encrypting requests using the DNSCrypt
> +protocol and passing them to an upstream server.
> +
> +The DNSCrypt protocol is very similar to DNSCurve, but focuses on securing
> +communications between a client and its first-level resolver.
> +
> +While not providing end-to-end security, it protects the local network,
> +which is often the weakest point of the chain, against man-in-the-middle
> +attacks. It also provides some confidentiality to DNS queries.
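Review bot: the DESCR text covers only the DNSCrypt protocol ("encrypting requests using the DNSCrypt protocol"), while 2.x also speaks DNS-over-HTTPS; if the wording is kept for this update, a clause such as "using the DNSCrypt or DNS-over-HTTPS protocol" in the first paragraph would keep it accurate. The man-in-the-middle claim holds only for the hop to the configured first-level resolver, which the "not providing end-to-end security" sentence already qualifies, so that part can stay.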

This is a bit outdated as 2.x supports DoH as well (and it might be nice
to mention other features), but that can be done later.

> --- /dev/null
> +++ pkg/PLIST
> @@ -0,0 +1,19 @@
> +@comment $OpenBSD: PLIST,v$
> +@conflict dnscrypt-proxy-plugins-*
> +@pkgpath net/dnscrypt-proxy
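Review bot: `@pkgpath net/dnscrypt-proxy` names the package's own path; @pkgpath is for recording former paths a package was reachable from so that pkg_add -u can follow a move, and the primary path is recorded automatically, so this line is redundant and should be dropped while `@conflict dnscrypt-proxy-plugins-*` stays. The hunk header advertises 19 lines but only three are shown, so the remainder of the file list is not reviewable from this excerpt.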

Please drop the above @pkgpath.

Rest looks good to me.
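The two points argued over in this thread, whether the proxy listens on both loopback addresses and whether it is reachable from off-host, can be checked mechanically from the listen_addresses setting. The following lint is an added example written for this page; it is not part of the port, of dnscrypt-proxy, or of the patch under review. The three sample configs are constructed here (the first two mirror the upstream default and the port's diff, the third is a deliberately exposed variant), and `lint_listeners`/`warnings` are hypothetical helper names.

```python
"""Lint the listen_addresses of a dnscrypt-proxy 2.x style TOML config.

Added example, not code from the port or from dnscrypt-proxy. It answers
the questions raised in the thread: is IPv6 loopback covered alongside
IPv4, would any listener be reachable from off-host, and does the bind
need root (which is why the daemon must drop privileges after binding).
"""
import ipaddress
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover - fallback for older interpreters
    tomllib = None

# Constructed sample configs (not taken from any shipped file).
UPSTREAM_DEFAULT = "listen_addresses = ['127.0.0.1:53', '[::1]:53']\n"
PORT_DIFF = "listen_addresses = ['127.0.0.1:53']\n"
EXPOSED = "listen_addresses = ['0.0.0.0:53', '[::]:53']\n"


def listen_addresses(toml_text: str) -> list[str]:
    """Return the listen_addresses list from a TOML document.

    Uses tomllib when available; otherwise a minimal fallback that reads
    the quoted strings on the listen_addresses line (enough for the
    single-line form used in the example config).
    """
    if tomllib is not None:
        return list(tomllib.loads(toml_text).get("listen_addresses", []))
    m = re.search(r"^\s*listen_addresses\s*=\s*(\[.*\])", toml_text, re.M)
    return re.findall(r"""['"]([^'"]*)['"]""", m.group(1)) if m else []


def parse_listener(entry: str) -> tuple:
    """Split 'host:port' or '[v6]:port' into (ip_address, port)."""
    host, _, port = entry.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def fmt(ip, port: int) -> str:
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def lint_listeners(toml_text: str) -> dict:
    """Summarise the listener set as a small report dict."""
    listeners = [parse_listener(e) for e in listen_addresses(toml_text)]
    return {
        "count": len(listeners),
        "loopback_v4": any(ip.version == 4 and ip.is_loopback for ip, _ in listeners),
        "loopback_v6": any(ip.version == 6 and ip.is_loopback for ip, _ in listeners),
        # Anything not bound to a loopback address is reachable off-host
        # (0.0.0.0 and :: are the wildcard binds).
        "exposed": [fmt(ip, p) for ip, p in listeners if not ip.is_loopback],
        "needs_root_to_bind": any(p < 1024 for _, p in listeners),
    }


def warnings(toml_text: str) -> list[str]:
    """Turn the report into the review comments a human would write."""
    r = lint_listeners(toml_text)
    out = []
    if r["count"] == 0:
        out.append("no listeners configured (only sensible with socket activation)")
    if r["loopback_v4"] and not r["loopback_v6"]:
        out.append("no IPv6 loopback listener: clients resolving via ::1 get nothing")
    for addr in r["exposed"]:
        out.append(f"{addr} is reachable from off-host; bind loopback unless intended")
    if r["needs_root_to_bind"]:
        out.append("port < 1024: daemon must start as root and drop privileges after bind")
    return out


if __name__ == "__main__":
    for name, cfg in (("upstream", UPSTREAM_DEFAULT), ("port", PORT_DIFF), ("exposed", EXPOSED)):
        print(name, warnings(cfg))
```

Running it flags the port's variant only for the missing ::1 listener plus the privileged bind, while the exposed variant additionally reports both wildcard addresses; the upstream default gets only the privileged-port reminder, which is the reason the privilege drop mentioned at the top of the thread matters.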
