Openwrt/packages
0
0
Fork 0
mirror of https://github.com/openwrt/packages.git synced 2025-02-07 09:19:51 +00:00
Code
packages/net/unbound/files/stopping.sh
Eric Luehrsen 658c27ea97 unbound: clean up interface interpretation in UCI 
DNS flag day 2020, software should reflect the minimum EDNS 1232 bytes.
Added iface_wan and iface_lan to control internal DNS assignemnts and
to control what is local service ACL. Interface wild cards are not
explicitly set so that they can be customized in extended conf.

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
2020-11-04 19:25:08 -05:00

131 lines
3.6 KiB
Bash
Raw Permalink Blame History

#!/bin/sh
##############################################################################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Copyright (C) 2016 Eric Luehrsen
#
##############################################################################
#
# This component will copy root.key back to /etc/unbound/ periodically, but
# avoid ROM flash abuse (UCI option).
#
##############################################################################
# while useful (sh)ellcheck is pedantic and noisy
# shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
. /usr/lib/unbound/defaults.sh
##############################################################################
roothints_update() {
# TODO: Might not be implemented. Unbound doesn't natively update hints.
# Unbound philosophy is built in root hints are good for machine life.
return 0
}
##############################################################################
rootkey_update() {
local basekey_date rootkey_date rootkey_age filestuff
local dnssec=$( uci_get unbound.@unbound[0].validator )
local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
# fix empty
[ -z "$dnssec" ] && dnssec=0
[ -z "$dnssec_ntp" ] && dnssec_ntp=1
[ -z "$dnssec_age" ] && dnssec_age=9
if [ $dnssec_age -gt 90 ] || [ $dnssec -lt 1 ] ; then
# Feature disabled
return 0
elif [ "$dnssec_ntp" -gt 0 ] && [ ! -f "$UB_TIME_FILE" ] ; then
# We don't have time yet
return 0
fi
if [ -f /etc/unbound/root.key ] ; then
basekey_date=$( date -r /etc/unbound/root.key +%s )
else
# No persistent storage key
basekey_date=$( date -d 2000-01-01 +%s )
fi
if [ -f "$UB_RKEY_FILE" ] ; then
# Unbound maintains it itself
rootkey_date=$( date -r $UB_RKEY_FILE +%s )
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
elif [ -x "$UB_ANCHOR" ] ; then
# No tmpfs key - use unbound-anchor
rootkey_date=$( date -I +%s )
rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
$UB_ANCHOR -a $UB_RKEY_FILE
else
# give up
rootkey_age=0
fi
if [ $rootkey_age -gt $dnssec_age ] ; then
filestuff=$( cat $UB_RKEY_FILE )
case "$filestuff" in
*NOERROR*)
# Header comment for drill and dig
logger -t unbound -s "root.key updated after $rootkey_age days"
cp -p $UB_RKEY_FILE /etc/unbound/root.key
;;
*"state=2 [ VALID ]"*)
# Comment inline to key for unbound-anchor
logger -t unbound -s "root.key updated after $rootkey_age days"
cp -p $UB_RKEY_FILE /etc/unbound/root.key
;;
*)
logger -t unbound -s "root.key still $rootkey_age days old"
;;
esac
fi
}
##############################################################################
resolv_teardown() {
case $( cat $UB_RESOLV_CONF ) in
*"generated by Unbound UCI"*)
# our resolver file, reset to auto resolver file.
rm -f $UB_RESOLV_CONF
ln -s $UB_RESOLV_AUTO $UB_RESOLV_CONF
;;
esac
}
##############################################################################
unbound_stop() {
resolv_teardown
roothints_update
rootkey_update
}
##############################################################################
View Git Blame Copy Permalink