X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Fsystem%2Funbound;h=7437d93b835c6e4c9f76835b95ea7f6cdeecc3ea;hb=094a27c8f9bf39b5b5b6df1a28d976d9f52e776f;hp=880278150aed80fd557d32b3b1b944fbfc79e35c;hpb=5283818233fe07b1efd52a53b8d894960843629e;p=ipfire-2.x.git
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 880278150a..7437d93b83 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -114,17 +114,38 @@ update_forwarders() {
 echo_warning
 fi
- if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
- boot_mesg "Falling back to recursor mode" ${WARNING}
- echo_warning
-
- elif [ -n "${forwarders}" ]; then
+ if [ -n "${forwarders}" ]; then
 boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
 echo_ok
+ # Make sure DNSSEC is activated
+ enable_dnssec
+
 echo "${forwarders}" > /var/ipfire/red/dns
 unbound-control -q forward ${forwarders}
 return 0
+
+ # In case we have found no working forwarders
+ else
+ # Test if the recursor mode is available
+ if can_resolve_root +bufsize=${new_edns_buffer_size}; then
+ # Make sure DNSSEC is activated
+ enable_dnssec
+
+ boot_mesg "Falling back to recursor mode" ${WARNING}
+ echo_warning
+
+ # If not, we set DNSSEC in permissive mode and allow using all recursors
+ elif [ -n "${broken_forwarders}" ]; then
+ disable_dnssec
+
+ boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
+ echo_failure
+
+ echo "${broken_forwarders}" > /var/ipfire/red/dns
+ unbound-control -q forward ${broken_forwarders}
+ return 0
+ fi
 fi
 fi
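Review bot: The new `else` arm has no handling for the case where can_resolve_root fails and `broken_forwarders` is empty as well: neither the recursor branch nor the permissive branch runs, nothing is printed, /var/ipfire/red/dns keeps whatever it held before and control drops past the closing `fi` (update_forwarders continues outside the hunk). The recursor branch likewise leaves /var/ipfire/red/dns untouched, so the file may still advertise the previous forwarder list while unbound is answering on its own, unless code after the hunk rewrites it. A final arm such as `else boot_mesg "No upstream name server reachable" ${FAILURE}; echo_failure` would at least make the failed state visible in the boot log, and the recursor branch should record its state in the same file as the other two branches. `new_edns_buffer_size` on the `can_resolve_root` line is not set anywhere in the hunk; presumably it is assigned earlier in the function, but if it can be empty the argument degrades to a bare `+bufsize=`, which is worth a guard or a comment.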
@@ -223,17 +244,29 @@ write_tuning_conf() {
 # In the worst case scenario, unbound can use double the
 # amount of memory allocated to a cache due to malloc overhead
+ # Even larger systems with more than 8GB of RAM
+ if [ ${mem} -ge 8192 ]; then
+ mem=1024
+
+ # Extra large systems with more than 4GB of RAM
+ elif [ ${mem} -ge 4096 ]; then
+ mem=512
+
 # Large systems with more than 2GB of RAM
- if [ ${mem} -ge 2048 ]; then
+ elif [ ${mem} -ge 2048 ]; then
+ mem=256
+
+ # Medium systems with more than 1GB of RAM
+ elif [ ${mem} -ge 1024 ]; then
 mem=128
 # Small systems with less than 256MB of RAM
 elif [ ${mem} -le 256 ]; then
- mem=8
+ mem=16
 # Everything else
 else
- mem=32
+ mem=64
 fi
 (
@@ -241,6 +274,7 @@ write_tuning_conf() {
 # We run one thread per processor
 echo "num-threads: ${processors}"
+ echo "so-reuseport: yes"
 # Adjust number of slabs
 echo "infra-cache-slabs: ${slabs}"
@@ -252,6 +286,14 @@ write_tuning_conf() {
 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
 echo "msg-cache-size: $(( ${mem} / 4 ))m"
 echo "key-cache-size: $(( ${mem} / 4 ))m"
+
+ # Increase parallel queries
+ echo "outgoing-range: 8192"
+ echo "num-queries-per-thread: 4096"
+
+ # Use larger send/receive buffers
+ echo "so-sndbuf: 4m"
+ echo "so-rcvbuf: 4m"
 ) > /etc/unbound/tuning.conf
 }
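Review bot: The tier comments in the new `if`/`elif` chain say "more than 8GB/4GB/2GB/1GB" while the tests are `-ge 8192`, `-ge 4096`, `-ge 2048` and `-ge 1024`, so a system with exactly 8192MB is documented as belonging to the next tier down; the pre-existing "less than 256MB" arm has the same mismatch with `-le 256`. Suggest `# Even larger systems with 8GB of RAM or more` and the equivalent wording for the other new comments so the text matches the boundary being tested. The chain also keeps reusing `mem` as both the measured RAM and the resulting cache budget; a distinct name such as `cache_mb` for the assigned values would make the later `$(( ${mem} / 2 ))m` lines read more clearly, though that is pre-existing style rather than something this change introduces.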
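Review bot: The new `outgoing-range: 8192`, `num-queries-per-thread: 4096`, `so-sndbuf: 4m` and `so-rcvbuf: 4m` lines are fixed values regardless of the system class, while the cache sizes immediately above them are scaled by `mem`. With `num-threads` set to the processor count, unbound needs on the order of `outgoing-range` file descriptors per thread, which on a small box with a default fd limit it may have to reduce with a warning at startup; likewise a 4m socket buffer only takes effect if the kernel's net.core.rmem_max / net.core.wmem_max allow it, otherwise unbound logs a warning and the kernel caps the buffer. Consider deriving these from the tier selected earlier in the function, or at least documenting the prerequisites next to them, e.g. `# Needs net.core.rmem_max/wmem_max >= 4m and an fd limit of at least num-threads * outgoing-range`.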
@@ -370,6 +412,48 @@ ns_determine_edns_buffer_size() {
 return 1
 }
+get_root_nameservers() {
+ while read -r hostname ttl record address; do
+ # Searching for A records
+ [ "${record}" = "A" ] || continue
+
+ echo "${address}"
+ done < /etc/unbound/root.hints
+}
+
+can_resolve_root() {
+ local ns
+ for ns in $(get_root_nameservers); do
+ if dig @${ns} +dnssec SOA . $@ >/dev/null; then
+ return 0
+ fi
+ done
+
+ # none of the servers was reachable
+ return 1
+}
+
+enable_dnssec() {
+ local status=$(unbound-control get_option val-permissive-mode)
+
+ # Log DNSSEC status
+ echo "on" > /var/ipfire/red/dnssec-status
+
+ # Don't do anything if DNSSEC is already activated
+ [ "${status}" = "no" ] && return 0
+
+ # Activate DNSSEC and flush cache with any stale and unvalidated data
+ unbound-control -q set_option val-permissive-mode: no
+ unbound-control -q flush_zone .
+}
+
+disable_dnssec() {
+ # Log DNSSEC status
+ echo "off" > /var/ipfire/red/dnssec-status
+
+ unbound-control -q set_option val-permissive-mode: yes
+}
+
 case "$1" in
 start)
 # Print a nicer messagen when unbound is already running
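Review bot: can_resolve_root runs `dig` with no timeout or retry limit, so when the link is up but the root servers are unreachable the loop can hold up boot for a long time — /etc/unbound/root.hints carries one A record per root server and dig's default retry behaviour allows several seconds per server; passing `+time=2 +tries=1` on the `dig` line would bound the wait. On the same line `$@` is passed unquoted and should be `"$@"`. dig exits 0 for any reply it receives, including SERVFAIL or REFUSED, so the function establishes reachability (as its closing comment says) rather than that the SOA actually validated; if the caller treats success as "recursor mode works", the answer status would have to be inspected instead. get_root_nameservers only emits A records, so an IPv6-only uplink never finds recursor mode available; a comment stating that limitation, or also accepting `AAAA`, would make the behaviour explicit.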