-update_forwarders() {
- check_red_has_carrier_and_ip
- if [ "${?}" = "1" ]; then
- local forwarders
- local broken_forwarders
-
- local ns
- for ns in $(read_name_servers); do
- test_name_server ${ns} &>/dev/null
- case "$?" in
- # Only use DNSSEC-validating or DNSSEC-aware name servers
- 0|2)
- forwarders="${forwarders} ${ns}"
- ;;
- *)
- broken_forwarders="${broken_forwarders} ${ns}"
- ;;
- esac
- done
-
- # Show warning for any broken upstream name servers
- if [ -n "${broken_forwarders}" ]; then
- boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
- echo_warning
- fi
-
- if [ -n "${forwarders}" ]; then
- boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
- echo_ok
-
- # Make sure DNSSEC is activated
- enable_dnssec
-
- echo "${forwarders}" > /var/ipfire/red/dns
- unbound-control -q forward ${forwarders}
- return 0
-
- # In case we have found no working forwarders
- else
- # Test if the recursor mode is available
- if can_resolve_root; then
- # Make sure DNSSEC is activated
- enable_dnssec
-
- boot_mesg "Falling back to recursor mode" ${WARNING}
- echo_warning
-
- # If not, we set DNSSEC in permissive mode and allow using all recursors
- elif [ -n "${broken_forwarders}" ]; then
- disable_dnssec
-
- boot_mesg "DNSSEC has been set to permissive mode" ${FAILURE}
- echo_failure
-
- echo "${broken_forwarders}" > /var/ipfire/red/dns
- unbound-control -q forward ${broken_forwarders}
- return 0
- fi
- fi
- fi
-
- # If forwarders cannot be used we run in recursor mode
- echo "local recursor" > /var/ipfire/red/dns
- unbound-control -q forward off
-}
-
-remove_forwarders() {
- enable_dnssec
- echo "local recursor" > /var/ipfire/red/dns
- unbound-control -q forward off
-
-}
-