unbound: add domain resolution control options

- Add domain_forward to permit designated domains to forward instead of recurse as listed in resolve.conf.auto from DHCP WAN client - Update rebind_protection and add rebind_interface to protect IP6 GLA locally just like RFC 1918 protection - Rename trigger to trigger_interface with backwards compatability - Update odhcpd script for efficiency handling many clients Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2026-04-30 07:28:39 +01:00 · 2018-02-13 00:01:58 -05:00
parent 0776f28b37
commit 8b616efb10
9 changed files with 226 additions and 113 deletions
@@ -14,23 +14,11 @@
 #
 ##############################################################################
 #
-# This component needs to be used within the unbound.sh as an include. It uses
-# defaults and UCI scope variables defined there. It will copy root.key back
-# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
+# This component will copy root.key back to /etc/unbound/ periodically, but
+# avoid ROM flash abuse (UCI option).
 #
 ##############################################################################

-rootzone_uci() {
-  local cfg=$1
-
-  # This will likely be called outside of "start_service()" context
-  config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
-  config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
-  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
-}
-
-##############################################################################
-
 roothints_update() {
  # TODO: Might not be implemented. Unbound doesn't natively update hints.
  # Unbound philosophy is built in root hints are good for machine life.
@@ -42,12 +30,16 @@ roothints_update() {
 rootkey_update() {
  local basekey_date rootkey_date rootkey_age filestuff

+  local dnssec=$( uci_get unbound.@unbound[0].validator )
+  local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
+  local dnssec_age=$( uci_get unbound.@unbound[0].root_age )

-  if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
+
+  if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
    # Feature disabled
    return 0

-  elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
+  elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
    # We don't have time yet
    return 0
  fi
@@ -79,7 +71,7 @@ rootkey_update() {
  fi


-  if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
+  if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
    filestuff=$( cat $UNBOUND_KEYFILE )


@@ -106,11 +98,6 @@ rootkey_update() {
 ##############################################################################

 rootzone_update() {
-  # Partial UCI fetch for this functional group
-  config_load unbound
-  config_foreach rootzone_uci unbound
-
-  # You need root.hints and root.key to boot strap recursion
  roothints_update
  rootkey_update
 }