unbound: add UCI for forward stub and auth zone clauses

With growing interest, DNS over TLS can be setup in Unbounds foward-zone: clause. A broader UCI solution is added to support forward-, stub-, and auth- zone clauses in a new 'zone' section. This implentation required reworking scripts, because they did not scale. 'forward_domain' and 'prefetch_root' options are removed, and superceded by 'zone' section. Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2026-04-30 15:38:40 +01:00 · 2018-06-28 20:41:37 -04:00
parent 7bbec3b06b
commit 408047628e
12 changed files with 1380 additions and 1095 deletions
@@ -0,0 +1,127 @@
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# This component will copy root.key back to /etc/unbound/ periodically, but
+# avoid ROM flash abuse (UCI option).
+#
+##############################################################################
+
+. /usr/lib/unbound/defaults.sh
+
+##############################################################################
+
+roothints_update() {
+  # TODO: Might not be implemented. Unbound doesn't natively update hints.
+  # Unbound philosophy is built in root hints are good for machine life.
+  return 0
+}
+
+##############################################################################
+
+rootkey_update() {
+  local basekey_date rootkey_date rootkey_age filestuff
+  local dnssec=$( uci_get unbound.@unbound[0].validator )
+  local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
+  local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
+
+  # fix empty
+  [ -z "$dnssec"     ] && dnssec=0
+  [ -z "$dnssec_ntp" ] && dnssec_ntp=1
+  [ -z "$dnssec_age" ] && dnssec_age=9
+
+
+  if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
+    # Feature disabled
+    return 0
+
+  elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UB_TIME_FILE" ] ; then
+    # We don't have time yet
+    return 0
+  fi
+
+
+  if [ -f /etc/unbound/root.key ] ; then
+    basekey_date=$( date -r /etc/unbound/root.key +%s )
+
+  else
+    # No persistent storage key
+    basekey_date=$( date -d 2000-01-01 +%s )
+  fi
+
+
+  if [ -f "$UB_RKEY_FILE" ] ; then
+    # Unbound maintains it itself
+    rootkey_date=$( date -r $UB_RKEY_FILE +%s )
+    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
+
+  elif [ -x "$UB_ANCHOR" ] ; then
+    # No tmpfs key - use unbound-anchor
+    rootkey_date=$( date -I +%s )
+    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
+    $UB_ANCHOR -a $UB_RKEY_FILE
+
+  else
+    # give up
+    rootkey_age=0
+  fi
+
+
+  if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
+    filestuff=$( cat $UB_RKEY_FILE )
+
+
+    case "$filestuff" in
+      *NOERROR*)
+        # Header comment for drill and dig
+        logger -t unbound -s "root.key updated after $rootkey_age days"
+        cp -p $UB_RKEY_FILE /etc/unbound/root.key
+        ;;
+
+      *"state=2 [  VALID  ]"*)
+        # Comment inline to key for unbound-anchor
+        logger -t unbound -s "root.key updated after $rootkey_age days"
+        cp -p $UB_RKEY_FILE /etc/unbound/root.key
+        ;;
+
+      *)
+        logger -t unbound -s "root.key still $rootkey_age days old"
+        ;;
+    esac
+  fi
+}
+
+##############################################################################
+
+resolv_teardown() {
+  case $( cat /tmp/resolv.conf ) in
+    *"generated by Unbound UCI"*)
+      # our resolver file, reset to auto resolver file.
+      rm -f /tmp/resolv.conf
+      ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
+      ;;
+  esac
+}
+
+##############################################################################
+
+unbound_stop() {
+  resolv_teardown
+  roothints_update
+  rootkey_update
+}
+
+##############################################################################
+