unbound: add UCI for forward stub and auth zone clauses

With growing interest, DNS over TLS can be setup in Unbounds foward-zone: clause. A broader UCI solution is added to support forward-, stub-, and auth- zone clauses in a new 'zone' section. This implentation required reworking scripts, because they did not scale. 'forward_domain' and 'prefetch_root' options are removed, and superceded by 'zone' section. Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2026-04-30 07:28:39 +01:00 · 2018-06-28 20:41:37 -04:00
parent 7bbec3b06b
commit 408047628e
12 changed files with 1380 additions and 1095 deletions
@@ -14,30 +14,52 @@
 #
 ##############################################################################

-UNBOUND_LIBDIR=/usr/lib/unbound
-UNBOUND_VARDIR=/var/lib/unbound
+# where are we?
+UB_LIBDIR=/usr/lib/unbound
+UB_VARDIR=/var/lib/unbound
+UB_PIDFILE=/var/run/unbound.pid

-UNBOUND_PIDFILE=/var/run/unbound.pid
+# conf deconstructed
+UB_TOTAL_CONF=$UB_VARDIR/unbound.conf
+UB_CORE_CONF=$UB_VARDIR/server.conf.tmp
+UB_HOST_CONF=$UB_VARDIR/host.conf.tmp
+UB_DHCP_CONF=$UB_VARDIR/dhcp.conf
+UB_ZONE_CONF=$UB_VARDIR/zone.conf.tmp
+UB_CTRL_CONF=$UB_VARDIR/ctrl.conf.tmp
+UB_SRVMASQ_CONF=$UB_VARDIR/dnsmasq_srv.conf.tmp
+UB_EXTMASQ_CONF=$UB_VARDIR/dnsmasq_ext.conf.tmp
+UB_SRV_CONF=$UB_VARDIR/unbound_srv.conf
+UB_EXT_CONF=$UB_VARDIR/unbound_ext.conf

-UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
-UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
-UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
-UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
+# TLS keys
+UB_TLS_KEY_FILE="TLS server UCI not implemented"
+UB_TLS_PEM_FILE="TLS server UCI not implemented"
+UB_TLS_FWD_FILE=$UB_VARDIR/ca-certificates.crt
+UB_TLS_ETC_FILE=/etc/ssl/certs/ca-certificates.crt

-UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
-UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
-UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+# start files
+UB_RKEY_FILE=$UB_VARDIR/root.key
+UB_RHINT_FILE=$UB_VARDIR/root.hints
+UB_TIME_FILE=$UB_VARDIR/hotplug.time

-UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
-UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
-UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
-UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
-
-##############################################################################
-
-UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
-UNBOUND_CONTROL=/usr/sbin/unbound-control
-UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"
+# control app keys
+UB_CTLKEY_FILE=$UB_VARDIR/unbound_control.key
+UB_CTLPEM_FILE=$UB_VARDIR/unbound_control.pem
+UB_SRVKEY_FILE=$UB_VARDIR/unbound_server.key
+UB_SRVPEM_FILE=$UB_VARDIR/unbound_server.pem
+
+# similar default SOA / NS RR as Unbound uses for private ARPA zones
+UB_XSER=$(( $( date +%s ) / 60 ))
+UB_XSOA="7200 IN SOA localhost. nobody.invalid. $UB_XSER 3600 1200 9600 600"
+UB_XNS="7200 IN NS localhost."
+UB_XTXT="7200 IN TXT \"comment=local intranet dns zone\""
+UB_MTXT="7200 IN TXT \"comment=masked internet dns zone\""
+UB_LTXT="7200 IN TXT \"comment=rfc6762 multicast dns zone\""
+
+# helper apps
+UB_ANCHOR=/usr/sbin/unbound-anchor
+UB_CONTROL=/usr/sbin/unbound-control
+UB_CONTROL_CFG="$UB_CONTROL -c $UB_TOTAL_CONF"

 ##############################################################################