[ipfire-2.x.git] / src / initscripts / init.d / unbound

#!/bin/sh
# Begin $rc_base/init.d/unbound

# Description : Unbound DNS resolver boot script for IPfire
# Author      : Marcel Lorenz <marcel.lorenz@ipfire.org>

. /etc/sysconfig/rc
. ${rc_functions}

TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"

USE_FORWARDERS=1

# Cache any local zones for 60 seconds
LOCAL_TTL=60

# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound

function cidr() {
    local cidr nbits IFS;
    IFS=. read -r i1 i2 i3 i4 <<< ${1}
    IFS=. read -r m1 m2 m3 m4 <<< ${2}
    cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
    nbits=0
    IFS=.
    for dec in $2 ; do
        case $dec in
            255) let nbits+=8;;
            254) let nbits+=7;;
            252) let nbits+=6;;
            248) let nbits+=5;;
            240) let nbits+=4;;
            224) let nbits+=3;;
            192) let nbits+=2;;
            128) let nbits+=1;;
            0);;
            *) echo "Error: $dec is not recognised"; exit 1
        esac
    done
    echo "${cidr}/${nbits}"
}

ip_address_revptr() {
	local addr=${1}

	local a1 a2 a3 a4
	IFS=. read -r a1 a2 a3 a4 <<< ${addr}

	echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
}

read_name_servers() {
	local i
	for i in 1 2; do
		echo "$(</var/ipfire/red/dns${i})"
	done | xargs echo
}

config_header() {
	echo "# This file is automatically generated and any changes"
	echo "# will be overwritten. DO NOT EDIT!"
	echo
}

update_forwarders() {
	if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
		local forwarders
		local broken_forwarders

		local ns
		for ns in $(read_name_servers); do
			test_name_server ${ns} &>/dev/null
			case "$?" in
				# Only use DNSSEC-validating or DNSSEC-aware name servers
				0|2)
					forwarders="${forwarders} ${ns}"
					;;
				*)
					broken_forwarders="${broken_forwarders} ${ns}"
					;;
			esac
		done

		# Show warning for any broken upstream name servers
		if [ -n "${broken_forwarders}" ]; then
			boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
			echo_warning
		fi

		if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
			boot_mesg "Falling back to recursor mode" ${WARNING}
			echo_warning

		elif [ -n "${forwarders}" ]; then
			boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
			echo_ok

			echo "${forwarders}" > /var/ipfire/red/dns
			unbound-control -q forward ${forwarders}
			return 0
		fi
	fi

	# If forwarders cannot be used we run in recursor mode
	echo "local recursor" > /var/ipfire/red/dns
	unbound-control -q forward off
}

own_hostname() {
	local hostname=$(hostname -f)
	# 1.1.1.1 is reserved for unused green, skip this
	if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
		unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	fi

	local address
	for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
		[ -n "${address}" ] || continue
		[ "${address}" = "1.1.1.1" ] && continue

		address=$(ip_address_revptr ${address})
		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
	done
}

update_hosts() {
	local enabled address hostname domainname

	while IFS="," read -r enabled address hostname domainname; do
		[ "${enabled}" = "on" ] || continue

		# Build FQDN
		local fqdn="${hostname}.${domainname}"

		unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"

		# Skip reverse resolution if the address equals the GREEN address
		[ "${address}" = "${GREEN_ADDRESS}" ] && continue

		# Add RDNS
		address=$(ip_address_revptr ${address})
		unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
	done < /var/ipfire/main/hosts
}

write_forward_conf() {
	(
		config_header

		local insecure_zones

		local enabled zone server remark
		while IFS="," read -r enabled zone server remark; do
			# Line must be enabled.
			[ "${enabled}" = "on" ] || continue

			# Zones that end with .local are commonly used for internal
			# zones and therefore not signed
			case "${zone}" in
				*.local)
					insecure_zones="${insecure_zones} ${zone}"
					;;
			esac

			echo "forward-zone:"
			echo "	name: ${zone}"
			echo "	forward-addr: ${server}"
			echo
		done < /var/ipfire/dnsforward/config

		if [ -n "${insecure_zones}" ]; then
			echo "server:"

			for zone in ${insecure_zones}; do
				echo "	domain-insecure: ${zone}"
			done
		fi
	) > /etc/unbound/forward.conf
}

write_tuning_conf() {
	# https://www.unbound.net/documentation/howto_optimise.html

	# Determine number of online processors
	local processors=$(getconf _NPROCESSORS_ONLN)

	# Determine number of slabs
	local slabs=1
	while [ ${slabs} -lt ${processors} ]; do
		slabs=$(( ${slabs} * 2 ))
	done

	# Determine amount of system memory
	local mem=$(get_memory_amount)

	# In the worst case scenario, unbound can use double the
	# amount of memory allocated to a cache due to malloc overhead

	# Large systems with more than 2GB of RAM
	if [ ${mem} -ge 2048 ]; then
		mem=128

	# Small systems with less than 256MB of RAM
	elif [ ${mem} -le 256 ]; then
		mem=8

	# Everything else
	else
		mem=32
	fi

	(
		config_header

		# We run one thread per processor
		echo "num-threads: ${processors}"

		# Adjust number of slabs
		echo "infra-cache-slabs: ${slabs}"
		echo "key-cache-slabs: ${slabs}"
		echo "msg-cache-slabs: ${slabs}"
		echo "rrset-cache-slabs: ${slabs}"

		# Slice up the cache
		echo "rrset-cache-size: $(( ${mem} / 2 ))m"
		echo "msg-cache-size: $(( ${mem} / 4 ))m"
		echo "key-cache-size: $(( ${mem} / 4 ))m"
	) > /etc/unbound/tuning.conf
}

get_memory_amount() {
	local key val unit

	while read -r key val unit; do
		case "${key}" in
			MemTotal:*)
				# Convert to MB
				echo "$(( ${val} / 1024 ))"
				break
				;;
		esac
	done < /proc/meminfo
}

test_name_server() {
	local ns=${1}

	# Return codes:
	# 0	DNSSEC validating
	# 1	Error: unreachable, etc.
	# 2	DNSSEC aware
	# 3	NOT DNSSEC-aware

	# Exit when the server is not reachable
	ns_is_online ${ns} || return 1

	# Return 0 if validating
	ns_is_validating ${ns} && return 0

	local errors
	for rr in DNSKEY DS RRSIG; do
		if ! ns_forwards_${rr} ${ns}; then
			errors="${errors} ${rr}"
		fi
	done

	if [ -n "${errors}" ]; then
		echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
		return 3
	fi

	# Is DNSSEC-aware
	return 2
}

# Sends an A query to the nameserver w/o DNSSEC
ns_is_online() {
	local ns=${1}

	dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
}

# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
ns_is_validating() {
	local ns=${1}

	dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
}

# Checks if we can retrieve the DNSKEY for this domain.
# dig will print the SOA if nothing was found
ns_forwards_DNSKEY() {
	local ns=${1}

	dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
}

ns_forwards_DS() {
	local ns=${1}

	dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
}

ns_forwards_RRSIG() {
	local ns=${1}

	dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
}

ns_supports_tcp() {
	local ns=${1}

	dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
}

case "$1" in
	start)
		# Print a nicer messagen when unbound is already running
		if pidofproc -s unbound; then
			statusproc /usr/sbin/unbound
			exit 0
		fi

		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

		# Create control keys at first run
		if [ ! -r "/etc/unbound/unbound_control.key" ]; then
			unbound-control-setup -d /etc/unbound &>/dev/null
		fi

		# Update configuration files
		write_tuning_conf
		write_forward_conf

		boot_mesg "Starting Unbound DNS Proxy..."
		loadproc /usr/sbin/unbound || exit $?

		# Make own hostname resolveable
		own_hostname

		# Update any known forwarding name servers
		update_forwarders

		# Update hosts
		update_hosts
		;;

	stop)
		boot_mesg "Stopping Unbound DNS Proxy..."
		killproc /usr/sbin/unbound
		;;

	restart)
		$0 stop
		sleep 1
		$0 start
		;;

	status)
		statusproc /usr/sbin/unbound
		;;

	update-forwarders)
		update_forwarders
		;;

	test-name-server)
		ns=${2}

		test_name_server ${ns}
		ret=${?}

		case "${ret}" in
			0)
				echo "${ns} is validating"
				;;
			2)
				echo "${ns} is DNSSEC-aware"
				;;
			3)
				echo "${ns} is NOT DNSSEC-aware"
				;;
			*)
				echo "Test failed for an unknown reason"
				;;
		esac

		if ns_supports_tcp ${ns}; then
			echo "${ns} supports TCP fallback"
		else
			echo "${ns} does not support TCP fallback"
		fi

		exit ${ret}
		;;

	*)
		echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
		exit 1
		;;
esac

# End $rc_base/init.d/unbound
Commit	Line	Data
d0e5f71f ML	1	#!/bin/sh
	2	# Begin $rc_base/init.d/unbound
	3
	4	# Description : Unbound DNS resolver boot script for IPfire
	5	# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
d0e5f71f ML	6
	7	. /etc/sysconfig/rc
	8	. ${rc_functions}
	9
b29c97b1 AF	10	TEST_DOMAIN="ipfire.org"
	11
	12	# This domain will never validate
	13	TEST_DOMAIN_FAIL="dnssec-failed.org"
	14
b8f5eda8	15	USE_FORWARDERS=1
d0e5f71f	16
36792be6 MT	17	# Cache any local zones for 60 seconds
	18	LOCAL_TTL=60
	19
b8f5eda8 MT	20	# Load optional configuration
b8f5eda8 MT	21	[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
d0e5f71f ML	22
	23	function cidr() {
	24	local cidr nbits IFS;
	25	IFS=. read -r i1 i2 i3 i4 <<< ${1}
	26	IFS=. read -r m1 m2 m3 m4 <<< ${2}
	27	cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
	28	nbits=0
	29	IFS=.
	30	for dec in $2 ; do
	31	case $dec in
	32	255) let nbits+=8;;
	33	254) let nbits+=7;;
	34	252) let nbits+=6;;
	35	248) let nbits+=5;;
	36	240) let nbits+=4;;
	37	224) let nbits+=3;;
	38	192) let nbits+=2;;
	39	128) let nbits+=1;;
	40	0);;
	41	*) echo "Error: $dec is not recognised"; exit 1
	42	esac
	43	done
	44	echo "${cidr}/${nbits}"
	45	}
	46
f75c279b AF	47	ip_address_revptr() {
	48	local addr=${1}
	49
	50	local a1 a2 a3 a4
	51	IFS=. read -r a1 a2 a3 a4 <<< ${addr}
	52
	53	echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
	54	}
	55
b8f5eda8 MT	56	read_name_servers() {
	57	local i
	58	for i in 1 2; do
	59	echo "$(</var/ipfire/red/dns${i})"
	60	done \| xargs echo
	61	}
	62
	63	config_header() {
	64	echo "# This file is automatically generated and any changes"
	65	echo "# will be overwritten. DO NOT EDIT!"
	66	echo
	67	}
	68
	69	update_forwarders() {
b29c97b1 AF	70	if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
	71	local forwarders
	72	local broken_forwarders
	73
	74	local ns
	75	for ns in $(read_name_servers); do
	76	test_name_server ${ns} &>/dev/null
	77	case "$?" in
	78	# Only use DNSSEC-validating or DNSSEC-aware name servers
	79	0\|2)
	80	forwarders="${forwarders} ${ns}"
	81	;;
	82	*)
	83	broken_forwarders="${broken_forwarders} ${ns}"
	84	;;
	85	esac
	86	done
	87
	88	# Show warning for any broken upstream name servers
	89	if [ -n "${broken_forwarders}" ]; then
	90	boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
	91	echo_warning
	92	fi
b8f5eda8	93
b29c97b1 AF	94	if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
	95	boot_mesg "Falling back to recursor mode" ${WARNING}
	96	echo_warning
b8f5eda8	97
b29c97b1 AF	98	elif [ -n "${forwarders}" ]; then
	99	boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
	100	echo_ok
b8f5eda8	101
e24d6112	102	echo "${forwarders}" > /var/ipfire/red/dns
b29c97b1 AF	103	unbound-control -q forward ${forwarders}
	104	return 0
	105	fi
b8f5eda8	106	fi
b29c97b1 AF	107
b29c97b1 AF	108	# If forwarders cannot be used we run in recursor mode
e24d6112	109	echo "local recursor" > /var/ipfire/red/dns
b29c97b1	110	unbound-control -q forward off
b8f5eda8 MT	111	}
b8f5eda8 MT	112
f75c279b AF	113	own_hostname() {
f75c279b AF	114	local hostname=$(hostname -f)
0d7ca700	115	# 1.1.1.1 is reserved for unused green, skip this
f75c279b AF	116	if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
	117	unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
	118	fi
	119
	120	local address
	121	for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
	122	[ -n "${address}" ] \|\| continue
	123	[ "${address}" = "1.1.1.1" ] && continue
	124
	125	address=$(ip_address_revptr ${address})
	126	unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
	127	done
	128	}
	129
36792be6 MT	130	update_hosts() {
	131	local enabled address hostname domainname
	132
	133	while IFS="," read -r enabled address hostname domainname; do
	134	[ "${enabled}" = "on" ] \|\| continue
	135
	136	# Build FQDN
	137	local fqdn="${hostname}.${domainname}"
	138
	139	unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
f75c279b	140
868d2a1f MT	141	# Skip reverse resolution if the address equals the GREEN address
	142	[ "${address}" = "${GREEN_ADDRESS}" ] && continue
	143
f75c279b AF	144	# Add RDNS
	145	address=$(ip_address_revptr ${address})
	146	unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
36792be6 MT	147	done < /var/ipfire/main/hosts
	148	}
	149
b8f5eda8 MT	150	write_forward_conf() {
	151	(
	152	config_header
	153
a6dcc5bb MT	154	local insecure_zones
a6dcc5bb MT	155
b8f5eda8 MT	156	local enabled zone server remark
	157	while IFS="," read -r enabled zone server remark; do
	158	# Line must be enabled.
	159	[ "${enabled}" = "on" ] \|\| continue
	160
a6dcc5bb MT	161	# Zones that end with .local are commonly used for internal
	162	# zones and therefore not signed
	163	case "${zone}" in
	164	*.local)
	165	insecure_zones="${insecure_zones} ${zone}"
	166	;;
	167	esac
	168
b8f5eda8 MT	169	echo "forward-zone:"
	170	echo " name: ${zone}"
	171	echo " forward-addr: ${server}"
	172	echo
	173	done < /var/ipfire/dnsforward/config
a6dcc5bb MT	174
	175	if [ -n "${insecure_zones}" ]; then
	176	echo "server:"
	177
	178	for zone in ${insecure_zones}; do
	179	echo " domain-insecure: ${zone}"
	180	done
	181	fi
b8f5eda8 MT	182	) > /etc/unbound/forward.conf
	183	}
	184
b658a451 MT	185	write_tuning_conf() {
	186	# https://www.unbound.net/documentation/howto_optimise.html
	187
	188	# Determine number of online processors
	189	local processors=$(getconf _NPROCESSORS_ONLN)
	190
	191	# Determine number of slabs
	192	local slabs=1
	193	while [ ${slabs} -lt ${processors} ]; do
	194	slabs=$(( ${slabs} * 2 ))
	195	done
	196
	197	# Determine amount of system memory
	198	local mem=$(get_memory_amount)
	199
	200	# In the worst case scenario, unbound can use double the
	201	# amount of memory allocated to a cache due to malloc overhead
	202
	203	# Large systems with more than 2GB of RAM
	204	if [ ${mem} -ge 2048 ]; then
	205	mem=128
	206
	207	# Small systems with less than 256MB of RAM
	208	elif [ ${mem} -le 256 ]; then
	209	mem=8
	210
	211	# Everything else
	212	else
	213	mem=32
	214	fi
	215
	216	(
	217	config_header
	218
	219	# We run one thread per processor
	220	echo "num-threads: ${processors}"
	221
	222	# Adjust number of slabs
	223	echo "infra-cache-slabs: ${slabs}"
	224	echo "key-cache-slabs: ${slabs}"
	225	echo "msg-cache-slabs: ${slabs}"
	226	echo "rrset-cache-slabs: ${slabs}"
	227
	228	# Slice up the cache
	229	echo "rrset-cache-size: $(( ${mem} / 2 ))m"
	230	echo "msg-cache-size: $(( ${mem} / 4 ))m"
	231	echo "key-cache-size: $(( ${mem} / 4 ))m"
	232	) > /etc/unbound/tuning.conf
	233	}
	234
	235	get_memory_amount() {
	236	local key val unit
	237
	238	while read -r key val unit; do
	239	case "${key}" in
	240	MemTotal:*)
	241	# Convert to MB
	242	echo "$(( ${val} / 1024 ))"
	243	break
	244	;;
	245	esac
	246	done < /proc/meminfo
	247	}
b8f5eda8	248
b29c97b1 AF	249	test_name_server() {
	250	local ns=${1}
	251
	252	# Return codes:
	253	# 0 DNSSEC validating
	254	# 1 Error: unreachable, etc.
	255	# 2 DNSSEC aware
	256	# 3 NOT DNSSEC-aware
	257
	258	# Exit when the server is not reachable
	259	ns_is_online ${ns} \|\| return 1
	260
	261	# Return 0 if validating
	262	ns_is_validating ${ns} && return 0
	263
	264	local errors
	265	for rr in DNSKEY DS RRSIG; do
	266	if ! ns_forwards_${rr} ${ns}; then
	267	errors="${errors} ${rr}"
	268	fi
	269	done
	270
	271	if [ -n "${errors}" ]; then
	272	echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
	273	return 3
	274	fi
	275
	276	# Is DNSSEC-aware
	277	return 2
	278	}
	279
	280	# Sends an A query to the nameserver w/o DNSSEC
	281	ns_is_online() {
	282	local ns=${1}
	283
	284	dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
	285	}
	286
	287	# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
	288	ns_is_validating() {
	289	local ns=${1}
	290
	291	dig @${ns} A ${TEST_DOMAIN_FAIL} \| grep -q SERVFAIL
	292	}
	293
	294	# Checks if we can retrieve the DNSKEY for this domain.
	295	# dig will print the SOA if nothing was found
	296	ns_forwards_DNSKEY() {
	297	local ns=${1}
	298
	299	dig @${ns} DNSKEY ${TEST_DOMAIN} \| grep -qv SOA
	300	}
	301
	302	ns_forwards_DS() {
	303	local ns=${1}
	304
	305	dig @${ns} DS ${TEST_DOMAIN} \| grep -qv SOA
	306	}
	307
	308	ns_forwards_RRSIG() {
	309	local ns=${1}
	310
	311	dig @${ns} +dnssec A ${TEST_DOMAIN} \| grep -q RRSIG
	312	}
313
314	ns_supports_tcp() {
315	local ns=${1}
316
317	dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null \|\| return 1
318	}
319
d0e5f71f ML	320	case "$1" in
d0e5f71f ML	321	start)
80bc6022 MT	322	# Print a nicer messagen when unbound is already running
	323	if pidofproc -s unbound; then
	324	statusproc /usr/sbin/unbound
	325	exit 0
	326	fi
	327
b8f5eda8	328	eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
d0e5f71f	329
b8f5eda8 MT	330	# Create control keys at first run
	331	if [ ! -r "/etc/unbound/unbound_control.key" ]; then
	332	unbound-control-setup -d /etc/unbound &>/dev/null
	333	fi
	334
	335	# Update configuration files
b658a451	336	write_tuning_conf
b8f5eda8 MT	337	write_forward_conf
	338
	339	boot_mesg "Starting Unbound DNS Proxy..."
	340	loadproc /usr/sbin/unbound \|\| exit $?
	341
f75c279b AF	342	# Make own hostname resolveable
	343	own_hostname
	344
b8f5eda8 MT	345	# Update any known forwarding name servers
b8f5eda8 MT	346	update_forwarders
36792be6 MT	347
	348	# Update hosts
	349	update_hosts
b8f5eda8	350	;;
d0e5f71f ML	351
d0e5f71f ML	352	stop)
b8f5eda8 MT	353	boot_mesg "Stopping Unbound DNS Proxy..."
	354	killproc /usr/sbin/unbound
	355	;;
d0e5f71f ML	356
d0e5f71f ML	357	restart)
b8f5eda8 MT	358	$0 stop
	359	sleep 1
	360	$0 start
	361	;;
d0e5f71f ML	362
d0e5f71f ML	363	status)
b8f5eda8	364	statusproc /usr/sbin/unbound
b8f5eda8 MT	365	;;
	366
	367	update-forwarders)
	368	update_forwarders
	369	;;
d0e5f71f	370
b29c97b1 AF	371	test-name-server)
	372	ns=${2}
	373
	374	test_name_server ${ns}
	375	ret=${?}
	376
	377	case "${ret}" in
	378	0)
	379	echo "${ns} is validating"
	380	;;
	381	2)
	382	echo "${ns} is DNSSEC-aware"
	383	;;
	384	3)
	385	echo "${ns} is NOT DNSSEC-aware"
	386	;;
	387	*)
	388	echo "Test failed for an unknown reason"
	389	;;
	390	esac
	391
	392	if ns_supports_tcp ${ns}; then
	393	echo "${ns} supports TCP fallback"
	394	else
	395	echo "${ns} does not support TCP fallback"
	396	fi
	397
	398	exit ${ret}
	399	;;
	400
d0e5f71f	401	*)
b29c97b1	402	echo "Usage: $0 {start\|stop\|restart\|status\|update-forwarders\|test-name-server}"
b8f5eda8 MT	403	exit 1
b8f5eda8 MT	404	;;
d0e5f71f ML	405	esac
	406
	407	# End $rc_base/init.d/unbound