]> git.ipfire.org Git - ipfire-2.x.git/blob - src/initscripts/init.d/unbound
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Always enable asynchronous logging
[ipfire-2.x.git] / src / initscripts / init.d / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 INSECURE_ZONES=
16 USE_FORWARDERS=1
17
18 # Cache any local zones for 60 seconds
19 LOCAL_TTL=60
20
21 # Load optional configuration
22 [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
23
24 function cidr() {
25 local cidr nbits IFS;
26 IFS=. read -r i1 i2 i3 i4 <<< ${1}
27 IFS=. read -r m1 m2 m3 m4 <<< ${2}
28 cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
29 nbits=0
30 IFS=.
31 for dec in $2 ; do
32 case $dec in
33 255) let nbits+=8;;
34 254) let nbits+=7;;
35 252) let nbits+=6;;
36 248) let nbits+=5;;
37 240) let nbits+=4;;
38 224) let nbits+=3;;
39 192) let nbits+=2;;
40 128) let nbits+=1;;
41 0);;
42 *) echo "Error: $dec is not recognised"; exit 1
43 esac
44 done
45 echo "${cidr}/${nbits}"
46 }
47
48 ip_address_revptr() {
49 local addr=${1}
50
51 local a1 a2 a3 a4
52 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
53
54 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
55 }
56
57 read_name_servers() {
58 local i
59 for i in 1 2; do
60 echo "$(</var/ipfire/red/dns${i})"
61 done | xargs echo
62 }
63
64 config_header() {
65 echo "# This file is automatically generated and any changes"
66 echo "# will be overwritten. DO NOT EDIT!"
67 echo
68 }
69
70 update_forwarders() {
71 if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
72 local forwarders
73 local broken_forwarders
74
75 local ns
76 for ns in $(read_name_servers); do
77 test_name_server ${ns} &>/dev/null
78 case "$?" in
79 # Only use DNSSEC-validating or DNSSEC-aware name servers
80 0|2)
81 forwarders="${forwarders} ${ns}"
82 ;;
83 *)
84 broken_forwarders="${broken_forwarders} ${ns}"
85 ;;
86 esac
87 done
88
89 # Show warning for any broken upstream name servers
90 if [ -n "${broken_forwarders}" ]; then
91 boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
92 echo_warning
93 fi
94
95 if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
96 boot_mesg "Falling back to recursor mode" ${WARNING}
97 echo_warning
98
99 elif [ -n "${forwarders}" ]; then
100 boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
101 echo_ok
102
103 echo "${forwarders}" > /var/ipfire/red/dns
104 unbound-control -q forward ${forwarders}
105 return 0
106 fi
107 fi
108
109 # If forwarders cannot be used we run in recursor mode
110 echo "local recursor" > /var/ipfire/red/dns
111 unbound-control -q forward off
112 }
113
114 own_hostname() {
115 local hostname=$(hostname -f)
116 # 1.1.1.1 is reserved for unused green, skip this
117 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
118 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
119 fi
120
121 local address
122 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
123 [ -n "${address}" ] || continue
124 [ "${address}" = "1.1.1.1" ] && continue
125
126 address=$(ip_address_revptr ${address})
127 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
128 done
129 }
130
131 update_hosts() {
132 local enabled address hostname domainname
133
134 while IFS="," read -r enabled address hostname domainname; do
135 [ "${enabled}" = "on" ] || continue
136
137 # Build FQDN
138 local fqdn="${hostname}.${domainname}"
139
140 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
141
142 # Skip reverse resolution if the address equals the GREEN address
143 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
144
145 # Add RDNS
146 address=$(ip_address_revptr ${address})
147 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
148 done < /var/ipfire/main/hosts
149 }
150
151 write_forward_conf() {
152 (
153 config_header
154
155 local insecure_zones="${INSECURE_ZONES}"
156
157 local enabled zone server remark
158 while IFS="," read -r enabled zone server remark; do
159 # Line must be enabled.
160 [ "${enabled}" = "on" ] || continue
161
162 # Zones that end with .local are commonly used for internal
163 # zones and therefore not signed
164 case "${zone}" in
165 *.local)
166 insecure_zones="${insecure_zones} ${zone}"
167 ;;
168 esac
169
170 echo "forward-zone:"
171 echo " name: ${zone}"
172 echo " forward-addr: ${server}"
173 echo
174 done < /var/ipfire/dnsforward/config
175
176 if [ -n "${insecure_zones}" ]; then
177 echo "server:"
178
179 for zone in ${insecure_zones}; do
180 echo " domain-insecure: ${zone}"
181 done
182 fi
183 ) > /etc/unbound/forward.conf
184 }
185
186 write_tuning_conf() {
187 # https://www.unbound.net/documentation/howto_optimise.html
188
189 # Determine number of online processors
190 local processors=$(getconf _NPROCESSORS_ONLN)
191
192 # Determine number of slabs
193 local slabs=1
194 while [ ${slabs} -lt ${processors} ]; do
195 slabs=$(( ${slabs} * 2 ))
196 done
197
198 # Determine amount of system memory
199 local mem=$(get_memory_amount)
200
201 # In the worst case scenario, unbound can use double the
202 # amount of memory allocated to a cache due to malloc overhead
203
204 # Large systems with more than 2GB of RAM
205 if [ ${mem} -ge 2048 ]; then
206 mem=128
207
208 # Small systems with less than 256MB of RAM
209 elif [ ${mem} -le 256 ]; then
210 mem=8
211
212 # Everything else
213 else
214 mem=32
215 fi
216
217 (
218 config_header
219
220 # We run one thread per processor
221 echo "num-threads: ${processors}"
222
223 # Adjust number of slabs
224 echo "infra-cache-slabs: ${slabs}"
225 echo "key-cache-slabs: ${slabs}"
226 echo "msg-cache-slabs: ${slabs}"
227 echo "rrset-cache-slabs: ${slabs}"
228
229 # Slice up the cache
230 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
231 echo "msg-cache-size: $(( ${mem} / 4 ))m"
232 echo "key-cache-size: $(( ${mem} / 4 ))m"
233 ) > /etc/unbound/tuning.conf
234 }
235
236 get_memory_amount() {
237 local key val unit
238
239 while read -r key val unit; do
240 case "${key}" in
241 MemTotal:*)
242 # Convert to MB
243 echo "$(( ${val} / 1024 ))"
244 break
245 ;;
246 esac
247 done < /proc/meminfo
248 }
249
250 test_name_server() {
251 local ns=${1}
252
253 # Return codes:
254 # 0 DNSSEC validating
255 # 1 Error: unreachable, etc.
256 # 2 DNSSEC aware
257 # 3 NOT DNSSEC-aware
258
259 # Exit when the server is not reachable
260 ns_is_online ${ns} || return 1
261
262 # Return 0 if validating
263 ns_is_validating ${ns} && return 0
264
265 local errors
266 for rr in DNSKEY DS RRSIG; do
267 if ! ns_forwards_${rr} ${ns}; then
268 errors="${errors} ${rr}"
269 fi
270 done
271
272 if [ -n "${errors}" ]; then
273 echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
274 return 3
275 fi
276
277 # Is DNSSEC-aware
278 return 2
279 }
280
281 # Sends an A query to the nameserver w/o DNSSEC
282 ns_is_online() {
283 local ns=${1}
284
285 dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
286 }
287
288 # Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
289 ns_is_validating() {
290 local ns=${1}
291
292 dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
293 }
294
295 # Checks if we can retrieve the DNSKEY for this domain.
296 # dig will print the SOA if nothing was found
297 ns_forwards_DNSKEY() {
298 local ns=${1}
299
300 dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
301 }
302
303 ns_forwards_DS() {
304 local ns=${1}
305
306 dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
307 }
308
309 ns_forwards_RRSIG() {
310 local ns=${1}
311
312 dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
313 }
314
315 ns_supports_tcp() {
316 local ns=${1}
317
318 dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
319 }
320
321 case "$1" in
322 start)
323 # Print a nicer messagen when unbound is already running
324 if pidofproc -s unbound; then
325 statusproc /usr/sbin/unbound
326 exit 0
327 fi
328
329 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
330
331 # Create control keys at first run
332 if [ ! -r "/etc/unbound/unbound_control.key" ]; then
333 unbound-control-setup -d /etc/unbound &>/dev/null
334 fi
335
336 # Update configuration files
337 write_tuning_conf
338 write_forward_conf
339
340 boot_mesg "Starting Unbound DNS Proxy..."
341 loadproc /usr/sbin/unbound || exit $?
342
343 # Make own hostname resolveable
344 own_hostname
345
346 # Update any known forwarding name servers
347 update_forwarders
348
349 # Update hosts
350 update_hosts
351 ;;
352
353 stop)
354 boot_mesg "Stopping Unbound DNS Proxy..."
355 killproc /usr/sbin/unbound
356 ;;
357
358 restart)
359 $0 stop
360 sleep 1
361 $0 start
362 ;;
363
364 status)
365 statusproc /usr/sbin/unbound
366 ;;
367
368 update-forwarders)
369 update_forwarders
370 ;;
371
372 test-name-server)
373 ns=${2}
374
375 test_name_server ${ns}
376 ret=${?}
377
378 case "${ret}" in
379 0)
380 echo "${ns} is validating"
381 ;;
382 2)
383 echo "${ns} is DNSSEC-aware"
384 ;;
385 3)
386 echo "${ns} is NOT DNSSEC-aware"
387 ;;
388 *)
389 echo "Test failed for an unknown reason"
390 ;;
391 esac
392
393 if ns_supports_tcp ${ns}; then
394 echo "${ns} supports TCP fallback"
395 else
396 echo "${ns} does not support TCP fallback"
397 fi
398
399 exit ${ret}
400 ;;
401
402 *)
403 echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
404 exit 1
405 ;;
406 esac
407
408 # End $rc_base/init.d/unbound
IPFire 2.x development tree