# This domain will never validate
TEST_DOMAIN_FAIL="dnssec-failed.org"
+INSECURE_ZONES=
USE_FORWARDERS=1
# Cache any local zones for 60 seconds
LOCAL_TTL=60
+# EDNS buffer size
+EDNS_DEFAULT_BUFFER_SIZE=4096
+
# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
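Review bot: `INSECURE_ZONES=` is the only setting in this block without a comment, although it directly changes validation behaviour: every zone listed there is later written to forward.conf as `domain-insecure:`, so DNSSEC is not enforced for it. The neighbouring settings each carry a one-line comment; add `# Space-separated list of zones excluded from DNSSEC validation (emitted as domain-insecure)` above it. If the intent is that /etc/sysconfig/unbound, sourced two lines below, may override it, the comment could say so too.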
esac
done
+ # Determine EDNS buffer size
+ local new_edns_buffer_size=${EDNS_DEFAULT_BUFFER_SIZE}
+
+ for ns in ${forwarders}; do
+ local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
+ if [ -n "${edns_buffer_size}" ]; then
+ if [ ${edns_buffer_size} -lt ${new_edns_buffer_size} ]; then
+ new_edns_buffer_size=${edns_buffer_size}
+ fi
+ fi
+ done
+
+ if [ ${new_edns_buffer_size} -lt ${EDNS_DEFAULT_BUFFER_SIZE} ]; then
+ boot_mesg "EDNS buffer size reduced to ${new_edns_buffer_size}" ${WARNING}
+ echo_warning
+
+ unbound-control -q set_option edns-buffer-size: ${new_edns_buffer_size}
+ fi
+
# Show warning for any broken upstream name servers
if [ -n "${broken_forwarders}" ]; then
boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
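Review bot: The EDNS size is only ever lowered at runtime: `unbound-control -q set_option edns-buffer-size:` runs only when the minimum is below `EDNS_DEFAULT_BUFFER_SIZE`, so once a run reduces it the daemon keeps the smaller value until a restart, even if a later run finds that all forwarders handle the default; unless that is intended, call it unconditionally with `${new_edns_buffer_size}`. The probe is also executed twice per forwarder, here and again inside test_name_server, and each probe is up to eight dig queries. `local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})` inside the loop re-declares the variable on every iteration and replaces the probe's exit status with that of `local`; declare it once beside `new_edns_buffer_size` and assign separately. The enclosing function starts and ends outside this hunk.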
own_hostname() {
local hostname=$(hostname -f)
- # 1.1.1.1 is reserved for green only, skip this
+ # 1.1.1.1 is reserved for unused green, skip this
if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
fi
unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
+ # Skip reverse resolution if the address equals the GREEN address
+ [ "${address}" = "${GREEN_ADDRESS}" ] && continue
+
# Add RDNS
address=$(ip_address_revptr ${address})
unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
done < /var/ipfire/main/hosts
}
-write_interfaces_conf() {
- (
- config_header
-
- if [ -n "${GREEN_ADDRESS}" ]; then
- echo "# GREEN"
- echo "interface: ${GREEN_ADDRESS}"
- echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
- fi
-
- if [ -n "${BLUE_ADDRESS}" ]; then
- echo "# BLUE"
- echo "interface: ${BLUE_ADDRESS}"
- echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
- fi
- ) > /etc/unbound/interfaces.conf
-}
-
write_forward_conf() {
(
config_header
+ local insecure_zones="${INSECURE_ZONES}"
+
local enabled zone server remark
while IFS="," read -r enabled zone server remark; do
# Line must be enabled.
[ "${enabled}" = "on" ] || continue
+ # Zones that end with .local are commonly used for internal
+ # zones and therefore not signed
+ case "${zone}" in
+ *.local)
+ insecure_zones="${insecure_zones} ${zone}"
+ ;;
+ esac
+
echo "forward-zone:"
echo " name: ${zone}"
echo " forward-addr: ${server}"
echo
done < /var/ipfire/dnsforward/config
+
+ if [ -n "${insecure_zones}" ]; then
+ echo "server:"
+
+ for zone in ${insecure_zones}; do
+ echo " domain-insecure: ${zone}"
+ done
+ fi
) > /etc/unbound/forward.conf
}
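Review bot: The new `*.local)` pattern is matched literally, so a zone entered as `EXAMPLE.LOCAL` or with a trailing dot (`example.local.`) is not added to `insecure_zones` although unbound treats it as the same name; if the script is bash (the `&>` redirection added elsewhere in this patch suggests it is), `case "${zone,,}" in *.local|*.local.)` covers both. Because every matched zone is emitted as `domain-insecure:`, which switches off DNSSEC validation for that zone, a comment next to the pattern stating that consequence would help whoever later asks why a forward zone is not validated. The `insecure_zones="${insecure_zones} ${zone}"` append is correct for the space-separated format that `for zone in ${insecure_zones}` expects, but a zone name containing whitespace from the config would be split; hedged, since the config format is not shown here.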
test_name_server() {
local ns=${1}
+ local args
# Return codes:
# 0 DNSSEC validating
# Exit when the server is not reachable
ns_is_online ${ns} || return 1
- # Return 0 if validating
- ns_is_validating ${ns} && return 0
+ # Determine the maximum edns buffer size that works
+ local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
+ if [ -n "${edns_buffer_size}" ]; then
+ args="${args} +bufsize=${edns_buffer_size}"
+ fi
local errors
for rr in DNSKEY DS RRSIG; do
- if ! ns_forwards_${rr} ${ns}; then
+ if ! ns_forwards_${rr} ${ns} ${args}; then
errors="${errors} ${rr}"
fi
done
return 3
fi
- # Is DNSSEC-aware
- return 2
+ if ns_is_validating ${ns} ${args}; then
+ # Return 0 if validating
+ return 0
+ else
+ # Is DNSSEC-aware
+ return 2
+ fi
}
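Review bot: `local edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})` declares and assigns in one statement, so the probe's exit status is replaced by that of `local`; the `-n` check covers the empty case, but splitting it into `local edns_buffer_size` and `edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})` matches how `args` and `errors` are declared in this function and keeps the status visible. `${args}` is passed unquoted on purpose so that `+bufsize=N` reaches dig as its own word; a one-line comment, `# intentionally unquoted: one word per dig option`, would stop a later cleanup from quoting it and silently breaking the tests. The middle of the function, between the `for rr` loop and `return 3`, is not shown in this hunk.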
# Sends an A query to the nameserver w/o DNSSEC
ns_is_online() {
local ns=${1}
+ shift
- dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
+ dig @${ns} +nodnssec A ${TEST_DOMAIN} $@ >/dev/null
}
# Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
ns_is_validating() {
local ns=${1}
+ shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
+ dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
}
# Checks if we can retrieve the DNSKEY for this domain.
# dig will print the SOA if nothing was found
ns_forwards_DNSKEY() {
local ns=${1}
+ shift
- dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
+ dig @${ns} DNSKEY ${TEST_DOMAIN} $@ | grep -qv SOA
}
ns_forwards_DS() {
local ns=${1}
+ shift
- dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
+ dig @${ns} DS ${TEST_DOMAIN} $@ | grep -qv SOA
}
ns_forwards_RRSIG() {
local ns=${1}
+ shift
- dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
+ dig @${ns} +dnssec A ${TEST_DOMAIN} $@ | grep -q RRSIG
}
ns_supports_tcp() {
local ns=${1}
+ shift
+
+ dig @${ns} +tcp A ${TEST_DOMAIN} $@ >/dev/null || return 1
+}
+
+ns_determine_edns_buffer_size() {
+ local ns=${1}
+ shift
+
+ local b
+ for b in 4096 2048 1500 1480 1464 1400 1280 512; do
+ if dig @${ns} +dnssec +bufsize=${b} A ${TEST_DOMAIN} $@ >/dev/null; then
+ echo "${b}"
+ return 0
+ fi
+ done
- dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
+ return 1
}
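Review bot: `$@` is unquoted in every new dig invocation (ns_is_online, ns_is_validating, ns_forwards_DNSKEY/DS/RRSIG, ns_supports_tcp and ns_determine_edns_buffer_size); it works for the single `+bufsize=N` word passed today, but any argument containing whitespace would be re-split and ShellCheck flags it, so write `"$@"` in each. In ns_determine_edns_buffer_size the success test is dig's exit status, which is 0 for any reply including SERVFAIL, and dig retries a truncated UDP answer over TCP by default, so a size can be reported as working when only the TCP retry succeeded; if the intent is to measure the UDP path, add `+ignore` to that dig call and consider rejecting SERVFAIL replies the way ns_is_validating does. With dig's default timeout a server that drops large packets can make each of the eight sizes wait several seconds, which adds up per forwarder. In ns_supports_tcp the trailing `|| return 1` is redundant now, since the dig status is already the function's status.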
case "$1" in
# Update configuration files
write_tuning_conf
- write_interfaces_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
;;
update-forwarders)
+ # Do not try updating forwarders when unbound is not running
+ if ! pgrep unbound &>/dev/null; then
+ exit 0
+ fi
+
update_forwarders
;;
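Review bot: `pgrep unbound` matches any process whose name contains "unbound", for example a running unbound-anchor or unbound-control invocation, so update_forwarders can proceed while the daemon itself is down and its unbound-control calls then fail; use `pgrep -x unbound` to match the daemon name exactly. `&>/dev/null` is a bash-only redirection; if the script's shebang is /bin/sh, write `>/dev/null 2>&1` instead. The surrounding case statement starts and ends outside this hunk.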
;;
*)
echo "Test failed for an unknown reason"
+ exit ${ret}
;;
esac
echo "${ns} does not support TCP fallback"
fi
+ edns_buffer_size=$(ns_determine_edns_buffer_size ${ns})
+ if [ -n "${edns_buffer_size}" ]; then
+ echo "EDNS buffer size for ${ns}: ${edns_buffer_size}"
+ fi
+
exit ${ret}
;;