#
##############################################################################
-UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
+UNBOUND_B_EXT_STATS=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0
+UNBOUND_D_CONTROL=0
UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_EXTRA_DNS=0
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/hotplug.time
+UNBOUND_CTLKEY_FILE=$UNBOUND_VARDIR/unbound_control.key
+UNBOUND_CTLPEM_FILE=$UNBOUND_VARDIR/unbound_control.pem
+UNBOUND_SRVKEY_FILE=$UNBOUND_VARDIR/unbound_server.key
+UNBOUND_SRVPEM_FILE=$UNBOUND_VARDIR/unbound_server.pem
+
##############################################################################
UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
- chmod 775 $UNBOUND_VARDIR
- chmod 664 $UNBOUND_VARDIR/*
+ chmod 755 $UNBOUND_VARDIR
+ chmod 644 $UNBOUND_VARDIR/*
+
+
+ if [ -f $UNBOUND_CTLKEY_FILE -o -f $UNBOUND_CTLPEM_FILE \
+ -o -f $UNBOUND_SRVKEY_FILE -o -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Keys (some) exist already; do not create new ones
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ elif [ -x /usr/sbin/unbound-control-setup ] ; then
+ case "$UNBOUND_D_CONTROL" in
+ [2-3])
+ # unbound-control-setup for encrypt opt. 2 and 3, but not 4 "static"
+ /usr/sbin/unbound-control-setup -d $UNBOUND_VARDIR
+
+ chown -R unbound:unbound $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ chmod 640 $UNBOUND_CTLKEY_FILE $UNBOUND_CTLPEM_FILE \
+ $UNBOUND_SRVKEY_FILE $UNBOUND_SRVPEM_FILE
+
+ cp -p $UNBOUND_CTLKEY_FILE /etc/unbound/unbound_control.key
+ cp -p $UNBOUND_CTLPEM_FILE /etc/unbound/unbound_control.pem
+ cp -p $UNBOUND_SRVKEY_FILE /etc/unbound/unbound_server.key
+ cp -p $UNBOUND_SRVPEM_FILE /etc/unbound/unbound_server.pem
+ ;;
+ esac
+ fi
}
##############################################################################
unbound_control() {
- if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
+ if [ "$UNBOUND_D_CONTROL" -gt 1 ] ; then
+ if [ ! -f $UNBOUND_CTLKEY_FILE -o ! -f $UNBOUND_CTLPEM_FILE \
+ -o ! -f $UNBOUND_SRVKEY_FILE -o ! -f $UNBOUND_SRVPEM_FILE ] ; then
+ # Key files need to be present; if unbound-control-setup was found, then
+ # they might have been made during unbound_makedir() above.
+ UNBOUND_D_CONTROL=0
+ fi
+ fi
+
+
+ case "$UNBOUND_D_CONTROL" in
+ 1)
{
- # Enable remote control tool, but only at local host for security
- # You can hand write fancier encrypted access with /etc/..._ext.conf
+ # Local Host Only Unencrypted Remote Control
echo "remote-control:"
echo " control-enable: yes"
echo " control-use-cert: no"
echo " control-interface: ::1"
echo
} >> $UNBOUND_CONFFILE
- fi
+ ;;
+
+ 2)
+ {
+ # Local Host Only Encrypted Remote Control
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 127.0.0.1"
+ echo " control-interface: ::1"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+
+ [3-4])
+ {
+ # Network Encrypted Remote Control
+ # (3) may auto setup and (4) must have static key/pem files
+ # TODO: add UCI list for interfaces to bind
+ echo "remote-control:"
+ echo " control-enable: yes"
+ echo " control-use-cert: yes"
+ echo " control-interface: 0.0.0.0"
+ echo " control-interface: ::0"
+ echo " server-key-file: \"$UNBOUND_SRVKEY_FILE\""
+ echo " server-cert-file: \"$UNBOUND_SRVPEM_FILE\""
+ echo " control-key-file: \"$UNBOUND_CTLKEY_FILE\""
+ echo " control-cert-file: \"$UNBOUND_CTLPEM_FILE\""
+ echo
+ } >> $UNBOUND_CONFFILE
+ ;;
+ esac
{
local cfg="$1"
local rt_mem rt_conn modulestring
+ # Make fresh conf file
+ echo > $UNBOUND_CONFFILE
+
{
# Make fresh conf file
echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
echo
- } > $UNBOUND_CONFFILE
-
-
- {
# No threading
echo "server:"
echo " username: unbound"
echo " infra-cache-slabs: 1"
echo " key-cache-slabs: 1"
echo
- } >> $UNBOUND_CONFFILE
-
-
- {
+ # Interface Wildcard (access contol handled by "option local_service")
+ echo " interface: 0.0.0.0"
+ echo " interface: ::0"
+ echo " outgoing-interface: 0.0.0.0"
+ echo " outgoing-interface: ::0"
+ echo
# Logging
echo " verbosity: 1"
echo " statistics-interval: 0"
echo " statistics-cumulative: no"
- echo " extended-statistics: no"
- echo
} >> $UNBOUND_CONFFILE
- {
- # Interfaces (access contol "option local_service")
- echo " interface: 0.0.0.0"
- echo " interface: ::0"
- echo " outgoing-interface: 0.0.0.0"
- echo " outgoing-interface: ::0"
- echo
- } >> $UNBOUND_CONFFILE
+ if [ "$UNBOUND_B_EXT_STATS" -gt 0 ] ; then
+ {
+ # Log More
+ echo " extended-statistics: yes"
+ echo
+ } >> $UNBOUND_CONFFILE
+
+ else
+ {
+ # Log Less
+ echo " extended-statistics: no"
+ echo
+ } >> $UNBOUND_CONFFILE
+ fi
case "$UNBOUND_D_PROTOCOL" in
config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
config_get_bool UNBOUND_B_DNS64 "$cfg" dns64 0
+ config_get_bool UNBOUND_B_EXT_STATS "$cfg" extended_stats 0
config_get_bool UNBOUND_B_HIDE_BIND "$cfg" hide_binddata 1
config_get_bool UNBOUND_B_LOCL_SERV "$cfg" localservice 1
config_get_bool UNBOUND_B_MAN_CONF "$cfg" manual_conf 0
config_get_bool UNBOUND_B_QRY_MINST "$cfg" query_min_strict 0
config_get_bool UNBOUND_B_PRIV_BLCK "$cfg" rebind_protection 1
config_get_bool UNBOUND_B_LOCL_BLCK "$cfg" rebind_localhost 0
- config_get_bool UNBOUND_B_CONTROL "$cfg" unbound_control 0
config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
+ config_get UNBOUND_D_CONTROL "$cfg" unbound_control 0
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
config_get UNBOUND_D_EXTRA_DNS "$cfg" add_extra_dns 0