X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Finitscripts%2Fsystem%2Funbound;h=af9bcef73ce09e24944b88dd5e206d3294a0eb87;hb=1ececb67a1f83dd931e31d66893893ce542d0814;hp=a46999992a2b99b91cfe3d7b8b2466614dda3d24;hpb=1a7cfc2f10f0dc143680daaf5da244ef5e186c27;p=ipfire-2.x.git
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index a46999992a..af9bcef73c 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -197,8 +197,8 @@ write_forward_conf() {
 local insecure_zones="${INSECURE_ZONES}"
- local enabled zone server remark
- while IFS="," read -r enabled zone server remark; do
+ local enabled zone server servers remark disable_dnssec rest
+ while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
 # Line must be enabled.
 [ "${enabled}" = "on" ] || continue
@@ -208,23 +208,40 @@ write_forward_conf() {
 *.local)
 insecure_zones="${insecure_zones} ${zone}"
 ;;
+ *)
+ if [ "${disable_dnssec}" = "on" ]; then
+ insecure_zones="${insecure_zones} ${zone}"
+ fi
+ ;;
 esac
 # Reverse-lookup zones must be stubs
 case "${zone}" in
 *.in-addr.arpa)
 echo "stub-zone:"
- echo " name: ${zone}."
- echo " stub-addr: ${server}"
+ echo " name: ${zone}"
+ for server in ${servers//|/ }; do
+ if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo " stub-addr: ${server}"
+ else
+ echo " stub-host: ${server}"
+ fi
+ done
 echo
 echo "server:"
- echo " local-zone: \"${zone}.\" transparent"
+ echo " local-zone: \"${zone}\" transparent"
 echo
 ;;
 *)
 echo "forward-zone:"
- echo " name: ${zone}."
- echo " forward-addr: ${server}"
+ echo " name: ${zone}"
+ for server in ${servers//|/ }; do
+ if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo " forward-addr: ${server}"
+ else
+ echo " forward-host: ${server}"
+ fi
+ done
 echo
 ;;
 esac
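Review bot: The field layout that the new `while IFS="," read -r enabled zone servers remark disable_dnssec rest` line assigns to the dnsforward config is not documented anywhere in the hunk, so a reader has to reverse-engineer the file format from the loop body. A comment above the `while` would settle it: `# config line: enabled,zone,server1|server2|...,remark,disable_dnssec[,ignored...]` followed by `# "rest" only swallows any trailing fields so disable_dnssec never absorbs a stray comma`. write_forward_conf begins outside the hunk.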
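Review bot: The IPv4-only regex on the two new `if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]` lines routes every value that is not a dotted quad to `stub-host:`/`forward-host:`, so an IPv6 literal such as 2001:db8::1 would be emitted as a hostname for unbound to resolve instead of as an address, and the pattern also accepts out-of-range octets like 999.1.1.1. Treating anything containing a colon as an address is the minimal fix, in both branches: `if [[ ${server} =~ ^[0-9]+(\.[0-9]+){3}$ || ${server} == *:* ]]; then`. The loop body is duplicated verbatim between the stub and forward arms; a small helper taking the keyword prefix (`stub`/`forward`) and the server list would keep the two copies from drifting. `${servers//|/ }` is expanded unquoted on purpose to split on `|`, but that also subjects each token to pathname expansion, so a glob character in the config would be expanded against the filesystem — wrapping the loop in `set -f` / `set +f` avoids it. write_forward_conf begins and ends outside the hunk.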
@@ -378,7 +395,12 @@ ns_is_validating() {
 local ns=${1}
 shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+ if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+ return 1
+ else
+ # Determine if NS replies with "ad" data flag if DNSSEC enabled
+ dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+ fi
 }
 # Checks if we can retrieve the DNSKEY for this domain.
@@ -474,7 +496,7 @@ fix_time_if_dns_fail() {
 if [ -e /var/ipfire/red/active ]; then
 host 0.ipfire.pool.ntp.org > /dev/null 2>&1
 if [ "${?}" != "0" ]; then
- boot_mesg "DNS still not work ... init time with ntp.ipfire.org at 81.3.27.46 ..."
+ boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
 loadproc /usr/local/bin/settime 81.3.27.46
 fi
 fi
@@ -490,11 +512,6 @@ case "$1" in
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- # Create control keys at first run
- if [ ! -r "/etc/unbound/unbound_control.key" ]; then
- unbound-control-setup -d /etc/unbound &>/dev/null
- fi
-
 # Update configuration files
 write_tuning_conf
 write_forward_conf
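Review bot: The awk program on the new `dig @${ns} +dnssec SOA ${TEST_DOMAIN}` line only produces a non-zero exit when a `;; flags:` line is present without `ad`; if dig prints no flags line at all (timeout, unreachable server, transport error on this second query) awk finishes normally with status 0 and the function reports the resolver as validating. Defaulting to failure closes that gap and drops the unused `-F:`: `awk 'BEGIN { s=1 } /^;; flags:/ { if (/ ad[ ;]/) s=0 } END { exit s }'`. The `if ! ...; then return 1; else ... fi` shape can be flattened to `dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL || return 1` followed by the awk pipeline. A caveat worth a comment: the `ad` probe presumably assumes `${TEST_DOMAIN}` is a DNSSEC-signed zone, since no validating resolver sets `ad` for unsigned data and every server would then be reported as non-validating — TEST_DOMAIN is defined outside this hunk, so confirm. ns_is_validating's opening line is outside the hunk.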