2 # Begin $rc_base/init.d/unbound
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
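# Domain queried by the name-server checks in this script (the A, DNSKEY,
# DS and RRSIG lookups all use it).
TEST_DOMAIN="ipfire.org"

# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"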
18 # Cache any local zones for 60 seconds
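# Load optional configuration.
# NOTE(review): the file is sourced, i.e. executed as shell code with this
# script's privileges, and it can override the defaults assigned above.
# It should be writable by root only -- confirm ownership and mode on the
# target system.
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound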
26 IFS
=.
read -r i1 i2 i3 i4
<<< ${1}
27 IFS
=.
read -r m1 m2 m3
m4 <<< ${2}
28 cidr
=$
(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
42 *) echo "Error: $dec is not recognised"; exit 1
45 echo "${cidr}/${nbits}"
52 IFS
=.
read -r a1 a2 a3 a4
<<< ${addr}
54 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
60 echo "$(</var/ipfire/red/dns${i})"
65 echo "# This file is automatically generated and any changes"
66 echo "# will be overwritten. DO NOT EDIT!"
71 if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
73 local broken_forwarders
76 for ns
in $
(read_name_servers
); do
77 test_name_server
${ns} &>/dev
/null
79 # Only use DNSSEC-validating or DNSSEC-aware name servers
81 forwarders
="${forwarders} ${ns}"
84 broken_forwarders
="${broken_forwarders} ${ns}"
89 # Show warning for any broken upstream name servers
90 if [ -n "${broken_forwarders}" ]; then
91 boot_mesg
"Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
95 if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
96 boot_mesg
"Falling back to recursor mode" ${WARNING}
99 elif [ -n "${forwarders}" ]; then
100 boot_mesg
"Configuring upstream name server(s): ${forwarders:1}" ${INFO}
103 echo "${forwarders}" > /var
/ipfire
/red
/dns
104 unbound-control
-q forward
${forwarders}
109 # If forwarders cannot be used we run in recursor mode
110 echo "local recursor" > /var
/ipfire
/red
/dns
111 unbound-control
-q forward off
115 local hostname
=$
(hostname
-f)
116 # 1.1.1.1 is reserved for unused green, skip this
117 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
118 unbound-control
-q local_data
"${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
122 for address
in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
123 [ -n "${address}" ] ||
continue
124 [ "${address}" = "1.1.1.1" ] && continue
126 address
=$
(ip_address_revptr
${address})
127 unbound-control
-q local_data
"${address} ${LOCAL_TTL} IN PTR ${hostname}"
132 local enabled address hostname domainname
134 while IFS
="," read -r enabled address hostname domainname
; do
135 [ "${enabled}" = "on" ] ||
continue
138 local fqdn
="${hostname}.${domainname}"
140 unbound-control
-q local_data
"${fqdn} ${LOCAL_TTL} IN A ${address}"
142 # Skip reverse resolution if the address equals the GREEN address
143 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
146 address
=$
(ip_address_revptr
${address})
147 unbound-control
-q local_data
"${address} ${LOCAL_TTL} IN PTR ${fqdn}"
148 done < /var
/ipfire
/main
/hosts
151 write_forward_conf
() {
155 local insecure_zones
="${INSECURE_ZONES}"
157 local enabled zone server remark
158 while IFS
="," read -r enabled zone server remark
; do
159 # Line must be enabled.
160 [ "${enabled}" = "on" ] ||
continue
162 # Zones that end with .local are commonly used for internal
163 # zones and therefore not signed
166 insecure_zones
="${insecure_zones} ${zone}"
171 echo " name: ${zone}"
172 echo " forward-addr: ${server}"
174 done < /var
/ipfire
/dnsforward
/config
176 if [ -n "${insecure_zones}" ]; then
179 for zone
in ${insecure_zones}; do
180 echo " domain-insecure: ${zone}"
183 ) > /etc
/unbound
/forward.conf
186 write_tuning_conf
() {
187 # https://www.unbound.net/documentation/howto_optimise.html
189 # Determine number of online processors
190 local processors
=$
(getconf _NPROCESSORS_ONLN
)
192 # Determine number of slabs
194 while [ ${slabs} -lt ${processors} ]; do
195 slabs
=$
(( ${slabs} * 2 ))
198 # Determine amount of system memory
199 local mem
=$
(get_memory_amount
)
201 # In the worst case scenario, unbound can use double the
202 # amount of memory allocated to a cache due to malloc overhead
204 # Large systems with more than 2GB of RAM
205 if [ ${mem} -ge 2048 ]; then
208 # Small systems with less than 256MB of RAM
209 elif [ ${mem} -le 256 ]; then
220 # We run one thread per processor
221 echo "num-threads: ${processors}"
223 # Adjust number of slabs
224 echo "infra-cache-slabs: ${slabs}"
225 echo "key-cache-slabs: ${slabs}"
226 echo "msg-cache-slabs: ${slabs}"
227 echo "rrset-cache-slabs: ${slabs}"
230 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
231 echo "msg-cache-size: $(( ${mem} / 4 ))m"
232 echo "key-cache-size: $(( ${mem} / 4 ))m"
233 ) > /etc
/unbound
/tuning.conf
236 get_memory_amount
() {
239 while read -r key val unit
; do
243 echo "$(( ${val} / 1024 ))"
254 # 0 DNSSEC validating
255 # 1 Error: unreachable, etc.
259 # Exit when the server is not reachable
260 ns_is_online
${ns} ||
return 1
262 # Return 0 if validating
263 ns_is_validating
${ns} && return 0
266 for rr
in DNSKEY DS RRSIG
; do
267 if ! ns_forwards_
${rr} ${ns}; then
268 errors
="${errors} ${rr}"
272 if [ -n "${errors}" ]; then
273 echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
281 # Sends an A query to the nameserver w/o DNSSEC
285 dig @
${ns} +nodnssec A
${TEST_DOMAIN} >/dev
/null
288 # Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
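# The server is classed as validating when the lookup of
# ${TEST_DOMAIN_FAIL} (a domain that never validates) reports SERVFAIL.
# NOTE(review): a SERVFAIL from any other cause is indistinguishable here
# and would also be counted as "validating".
dig @"${ns}" A "${TEST_DOMAIN_FAIL}" | grep -q SERVFAIL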
295 # Checks if we can retrieve the DNSKEY for this domain.
296 # dig will print the SOA if nothing was found
297 ns_forwards_DNSKEY
() {
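# Succeed only when the answer carries no SOA record. The previous
# "grep -qv SOA" succeeded as soon as any single output line lacked "SOA",
# which dig's banner and header lines always do, so the check could not
# fail and every server looked as if it forwarded DNSKEY.
# SOA is matched as a whitespace-delimited record type so that base64 key
# material containing the letters "SOA" is not mistaken for it.
# NOTE(review): an unreachable server prints no SOA line either; the
# ns_is_online check elsewhere in this script presumably runs first --
# confirm the call order.
! dig @"${ns}" DNSKEY "${TEST_DOMAIN}" | grep -Eq '[[:space:]]SOA[[:space:]]'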
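# Succeed only when the answer carries no SOA record. The previous
# "grep -qv SOA" succeeded as soon as any single output line lacked "SOA",
# which dig's banner and header lines always do, so the check could not
# fail and every server looked as if it forwarded DS.
# SOA is matched as a whitespace-delimited record type so that digest
# data containing the letters "SOA" is not mistaken for it.
# NOTE(review): an unreachable server prints no SOA line either; the
# ns_is_online check elsewhere in this script presumably runs first --
# confirm the call order.
! dig @"${ns}" DS "${TEST_DOMAIN}" | grep -Eq '[[:space:]]SOA[[:space:]]'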
309 ns_forwards_RRSIG
() {
312 dig @
${ns} +dnssec A
${TEST_DOMAIN} |
grep -q RRSIG
318 dig @
${ns} +tcp A
${TEST_DOMAIN} >/dev
/null ||
return 1
323 # Print a nicer message when unbound is already running
324 if pidofproc
-s unbound
; then
325 statusproc
/usr
/sbin
/unbound
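# NOTE(review): eval executes whatever readhash prints as shell code, with
# this script's privileges. That is safe only while
# /var/ipfire/ethernet/settings can be written by trusted processes alone
# and readhash emits nothing but properly quoted KEY=value assignments.
# Neither is visible in this file -- confirm both before relying on it.
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)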
331 # Create control keys at first run
332 if [ ! -r "/etc/unbound/unbound_control.key" ]; then
333 unbound-control-setup
-d /etc
/unbound
&>/dev
/null
336 # Update configuration files
340 boot_mesg
"Starting Unbound DNS Proxy..."
341 loadproc
/usr
/sbin
/unbound ||
exit $?
343 # Make own hostname resolvable
346 # Update any known forwarding name servers
354 boot_mesg
"Stopping Unbound DNS Proxy..."
355 killproc
/usr
/sbin
/unbound
365 statusproc
/usr
/sbin
/unbound
369 # Do not try updating forwarders when unbound is not running
370 if ! pgrep unbound
&>/dev
/null
; then
380 test_name_server
${ns}
385 echo "${ns} is validating"
388 echo "${ns} is DNSSEC-aware"
391 echo "${ns} is NOT DNSSEC-aware"
394 echo "Test failed for an unknown reason"
398 if ns_supports_tcp
${ns}; then
399 echo "${ns} supports TCP fallback"
401 echo "${ns} does not support TCP fallback"
408 echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
413 # End $rc_base/init.d/unbound