unbound: add root zone file cache option

Add the possibility to use Unbound auto-zone: clause to fetch complete root, arpa, in-addr.arpa, and ip6.arpa zone files. This can speed up recursion when users access many ccTLD or connection logging hits many PTR. Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2026-04-30 15:38:40 +01:00 · 2018-05-28 22:46:07 -04:00
parent cdeefec73e
commit 36e1aa0892
4 changed files with 53 additions and 9 deletions
@@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_QUERY_MIN=0
 UNBOUND_B_QRY_MINST=0
+UNBOUND_B_AUTH_ROOT=0

 UNBOUND_D_CONTROL=0
 UNBOUND_D_DOMAIN_TYPE=static
@@ -605,6 +606,45 @@ unbound_forward() {

 ##############################################################################

+unbound_auth_root() {
+  local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+  local httpserver="http://www.internic.net/domain/"
+  local authzones="root arpa in-addr.arpa ip6.arpa"
+  local server zone realzone
+  # Download or AXFR the root and arpa zones to reduce the work needed at
+  # top level of recursion. If your users will hit many ccTLD or you have
+  # tracking logs resolving many PTR, then this can speed things up.
+  # Total size of text in TMPFS could be about 5MB.
+
+
+  if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
+    for zone in $authzones ; do
+      if [ "$zone" = "root" ] ; then
+        realzone="."
+      else
+        realzone=$zone
+      fi
+
+
+      {
+        echo "auth-zone:"
+        echo "  name: \"$realzone\""
+        for server in $axfrservers ; do
+          echo "  master: \"$server\""
+        done
+        echo "  url: \"$httpserver$zone.zone\""
+        echo "  fallback-enabled: yes"
+        echo "  for-downstream: no"
+        echo "  for-upstream: yes"
+        echo "  zonefile: \"$zone.zone\""
+        echo
+      } >> $UNBOUND_CONFFILE
+    done
+  fi
+}
+
+##############################################################################
+
 unbound_conf() {
  local rt_mem rt_conn modulestring domain ifsubnet

@@ -1086,6 +1126,7 @@ unbound_uci() {
  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
  config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0
  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
+  config_get_bool UNBOUND_B_AUTH_ROOT  "$cfg" prefetch_root 0
  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1
@@ -1181,7 +1222,7 @@ unbound_uci() {

 ##############################################################################

-_resolv_setup() {
+unbound_resolv_setup() {
  if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
    return
  fi
@@ -1210,7 +1251,7 @@ _resolv_setup() {

 ##############################################################################

-_resolv_teardown() {
+unbound_resolv_teardown() {
  case $( cat /tmp/resolv.conf ) in
  *"generated by Unbound UCI"*)
    # our resolver file, reset to auto resolver file.
@@ -1225,8 +1266,6 @@ _resolv_teardown() {
 unbound_start() {
  config_load unbound
  config_foreach unbound_uci unbound
-
-
  unbound_mkdir


@@ -1245,19 +1284,18 @@ unbound_start() {


    unbound_forward
+    unbound_auth_root
    unbound_control
  fi


-  _resolv_setup
+  unbound_resolv_setup
 }

 ##############################################################################

 unbound_stop() {
-  _resolv_teardown
-
-
+  unbound_resolv_teardown
  rootzone_update
 }