#
##############################################################################
-UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
+UNBOUND_B_EXT_STATS=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
+UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
+UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
+UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
+UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
+
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
##############################################################################
unbound_mkdir() {
- local resolvsym=0
local dhcp_origin=$( uci_get dhcp.@odhcpd[0].leasefile )
local dhcp_dir=$( dirname $dhcp_origin )
local filestuff
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
-
- if [ "$resolvsym" -gt 0 ] ; then
- rm -f /tmp/resolv.conf
-
-
- {
- # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
- echo "nameserver 127.0.0.1"
- echo "nameserver ::1"
- echo "search $UNBOUND_TXT_DOMAIN"
- } > /tmp/resolv.conf
- fi
-
-
if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
# make sure odhcpd has a directory to write (not done itself, yet)
mkdir -p "$dhcp_dir"
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
- chmod 775 $UNBOUND_VARDIR
- chmod 664 $UNBOUND_VARDIR/*
+ chmod 755 $UNBOUND_VARDIR
+ chmod 644 $UNBOUND_VARDIR/*
+
+
+ if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
+ -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Keys (some) exist already; do not create new ones
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ elif [ -x /usr/sbin/unbound-control-setup ] ; then
+ case "$UNBOUND_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
+
+ chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
+ cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
+ cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
+ cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
+ ;;
+ esac
+ fi
}
##############################################################################
unbound_control() {
- if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
+ if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
+ if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
+ -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Key files need to be present; if unbound-control-setup was found, then
+ # they might have been made during unbound_makedir() above.
+ UNBOUND_D_CONTROL=0
+ fi
+ fi
+
+
+ case "$UNBOUND_D_CONTROL" in
+ 1)
{
- # Enable remote control tool, but only at local host for security
- # You can hand write fancier encrypted access with /etc/..._ext.conf
+ # Local Host Only Unencrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
echo " control-interface: ::1"
echo
} >> $UNBOUND_CONFFILE
- fi
+ ;;
+
+ 2)
+ {
+ # Local Host Only Encrypted Remote Control
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 127.0.0.1"
+ echo " control-interface: ::1"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ [3-4])
+ {
+ # Network Encrypted Remote Control
+ # (3) may auto setup and (4) must have static key/pem files
+ # TODO: add UCI list for interfaces to bind
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 0.0.0.0"
+ echo " control-interface: ::0"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+ esac
{
local cfg="$1"
local rt_mem rt_conn modulestring
+ # Make fresh conf file
+ echo > $UNBOUND_CONFFILE
+
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
- } > $UNBOUND_CONFFILE
-
-
- {
# No threading
echo "server:"
echo " username: unbound"
echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1"
echo
- } >> $UNBOUND_CONFFILE
-
-
- {
+ # Interface Wildcard (access contol handled by "option local_service")
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " outgoing-interface: ::0"
+ echo
# Logging
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
- echo " extended-statistics: no"
- echo
} >> $UNBOUND_CONFFILE
- {
- # Interfaces (access contol "option local_service")
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
- echo
- } >> $UNBOUND_CONFFILE
+ if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
+ {
+ # Log More
+ echo " extended-statistics: yes"
+ echo
+ } >> $UNBOUND_CONFFILE
+
+ else
+ {
+ # Log Less
+ echo " extended-statistics: no"
+ echo
+ } >> $UNBOUND_CONFFILE
+ fi
case "$UNBOUND_D_PROTOCOL" in
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
+ config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
- config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
+ config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0
if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
-o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
- # exceeds range, back to default
+ logger -t unbound -s "edns_size exceeds range, using default"
UNBOUND_N_EDNS_SIZE=1280
fi
- if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
- -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
- # special port or in 5 digits, back to default
+ if [ "$UNBOUND_N_RX_PORT" -ne 53 ] \
+ && [ "$UNBOUND_N_RX_PORT" -lt 1024 -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
+ logger -t unbound -s "privileged port or in 5 digits, using default"
UNBOUND_N_RX_PORT=53
fi
if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
- # that could have had awful side effects
+ logger -t unbound -s "ttl_min could have had awful side effects, using 300"
UNBOUND_TTL_MIN=300
fi
}
##############################################################################
+_resolv_setup() {
+ if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
+ return
+ fi
+
+ if [ -x /etc/init.d/dnsmasq ] && /etc/init.d/dnsmasq enabled \
+ && nslookup localhost 127.0.0.1#53 >/dev/null 2>&1 ; then
+ # unbound is configured for port 53, but dnsmasq is enabled and a resolver
+ # listens on localhost:53, lets assume dnsmasq manages the resolver file.
+ # TODO:
+ # really check if dnsmasq runs a local (main) resolver in stead of using
+ # nslookup that times out when no resolver listens on localhost:53.
+ return
+ fi
+
+ # unbound is designated to listen on 127.0.0.1#53,
+ # set resolver file to local.
+ rm -f /tmp/resolv.conf
+ {
+ echo "# /tmp/resolv.conf generated by Unbound UCI $( date )"
+ echo "nameserver 127.0.0.1"
+ echo "nameserver ::1"
+ echo "search $UNBOUND_TXT_DOMAIN"
+ } > /tmp/resolv.conf
+}
+
+##############################################################################
+
+_resolv_teardown() {
+ case $( cat /tmp/resolv.conf ) in
+ *"generated by Unbound UCI"*)
+ # our resolver file, reset to auto resolver file.
+ rm -f /tmp/resolv.conf
+ ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
+ ;;
+ esac
+}
+
+##############################################################################
+
unbound_start() {
config_load unbound
config_foreach unbound_uci unbound
+
+
unbound_mkdir
unbound_control
fi
+
+
+ _resolv_setup
}
##############################################################################
unbound_stop() {
- local resolvsym=0
+ _resolv_teardown
- rootzone_update
-
- if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
- resolvsym=1
- else
- /etc/init.d/dnsmasq enabled || resolvsym=1
- fi
-
-
- if [ "$resolvsym" -gt 0 ] ; then
- # set resolver file to normal, but don't stomp on dnsmasq
- rm -f /tmp/resolv.conf
- ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
- fi
+ rootzone_update
}
##############################################################################