# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
-function cidr() {
- local cidr nbits IFS;
- IFS=. read -r i1 i2 i3 i4 <<< ${1}
- IFS=. read -r m1 m2 m3 m4 <<< ${2}
- cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
- nbits=0
- IFS=.
- for dec in $2 ; do
- case $dec in
- 255) let nbits+=8;;
- 254) let nbits+=7;;
- 252) let nbits+=6;;
- 248) let nbits+=5;;
- 240) let nbits+=4;;
- 224) let nbits+=3;;
- 192) let nbits+=2;;
- 128) let nbits+=1;;
- 0);;
- *) echo "Error: $dec is not recognised"; exit 1
- esac
- done
- echo "${cidr}/${nbits}"
-}
-
ip_address_revptr() {
local addr=${1}
}
update_hosts() {
- local enabled address hostname domainname
+ local enabled address hostname domainname generateptr
- while IFS="," read -r enabled address hostname domainname; do
+ while IFS="," read -r enabled address hostname domainname generateptr; do
[ "${enabled}" = "on" ] || continue
# Build FQDN
# Skip reverse resolution if the address equals the GREEN address
[ "${address}" = "${GREEN_ADDRESS}" ] && continue
+ # Skip reverse resolution if user requested not to do so
+ [ "${generateptr}" = "off" ] && continue
+
# Add RDNS
address=$(ip_address_revptr ${address})
unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
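Review bot: The new skip at `[ "${generateptr}" = "off" ] && continue` treats an empty fifth column as "on" — that is what keeps pre-existing four-column hosts files generating PTR records, since `read -r` leaves `generateptr` empty on such lines — but the comment does not say so. I would extend it to `# Skip reverse resolution if user requested not to do so (an empty field keeps the previous behaviour and still creates the PTR)`. The loop body of update_hosts continues past the hunk.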
local insecure_zones="${INSECURE_ZONES}"
- local enabled zone server remark
- while IFS="," read -r enabled zone server remark; do
+ local enabled zone server servers remark disable_dnssec rest
+ while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
# Line must be enabled.
[ "${enabled}" = "on" ] || continue
*.local)
insecure_zones="${insecure_zones} ${zone}"
;;
+ *)
+ if [ "${disable_dnssec}" = "on" ]; then
+ insecure_zones="${insecure_zones} ${zone}"
+ fi
+ ;;
esac
- echo "forward-zone:"
- echo " name: ${zone}"
- echo " forward-addr: ${server}"
- echo
+ # Reverse-lookup zones must be stubs
+ case "${zone}" in
+ *.in-addr.arpa)
+ echo "stub-zone:"
+ echo " name: ${zone}"
+ for server in ${servers//|/ }; do
+ if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo " stub-addr: ${server}"
+ else
+ echo " stub-host: ${server}"
+ fi
+ done
+ echo
+ echo "server:"
+ echo " local-zone: \"${zone}\" transparent"
+ echo
+ ;;
+ *)
+ echo "forward-zone:"
+ echo " name: ${zone}"
+ for server in ${servers//|/ }; do
+ if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo " forward-addr: ${server}"
+ else
+ echo " forward-host: ${server}"
+ fi
+ done
+ echo
+ ;;
+ esac
done < /var/ipfire/dnsforward/config
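Review bot: The address test in both the `*.in-addr.arpa)` and `*)` arms only recognises dotted-quad IPv4 literals, so an IPv6 server or a malformed entry read from /var/ipfire/dnsforward/config is emitted as `stub-host:`/`forward-host:` and unbound will try to resolve it as a hostname. The same if/else is duplicated in the two arms; a small shared predicate keeps them in step and makes accepting IPv6 literals straightforward (a hostname cannot contain a colon). The `*.local)` arm and the header of write_forward_conf lie before the visible lines, so the helper would be placed above that function. A sketch of the inner loop follows; the `*)` arm uses `forward-addr`/`forward-host` in the same way.

```shell
# Returns 0 when the argument is an IPv4 or IPv6 literal rather than a hostname
is_ip_literal() {
	[[ ${1} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ ${1} == *:* ]]
}

# … unchanged: stub-zone header …
for server in ${servers//|/ }; do
	if is_ip_literal "${server}"; then
		echo "	stub-addr: ${server}"
	else
		echo "	stub-host: ${server}"
	fi
done
# … unchanged: local-zone transparent block; forward-zone arm analogous …
```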
if [ -n "${insecure_zones}" ]; then
local ns=${1}
shift
- dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+ if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+ return 1
+ else
+ # Determine if NS replies with "ad" data flag if DNSSEC enabled
+ dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+ fi
}
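Review bot: The awk one-liner on the `+dnssec SOA` line exits 0 when no `;; flags:` line appears at all (a timeout or an empty reply), because `s` is only assigned once a flags line is seen, so such a server is reported as DNSSEC validating. Initialising the status in BEGIN and returning it from END closes the gap: `awk 'BEGIN { s=1 } /;; flags:/ { if (/ ad/) s=0; exit } END { exit s }'`. The escapes `\;` and `\ ` in the current pattern are unnecessary and some awk implementations warn about them. Both new dig calls pass `$@` unquoted; `"$@"` hands the extra arguments through as given. The opening line of this function is outside the hunk.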
# Checks if we can retrieve the DNSKEY for this domain.
if [ -e /var/ipfire/red/active ]; then
host 0.ipfire.pool.ntp.org > /dev/null 2>&1
if [ "${?}" != "0" ]; then
- boot_mesg "DNS still not work ... init time with ntp.ipfire.org at 81.3.27.46 ..."
+ boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
loadproc /usr/local/bin/settime 81.3.27.46
fi
fi
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
- # Create control keys at first run
- if [ ! -r "/etc/unbound/unbound_control.key" ]; then
- unbound-control-setup -d /etc/unbound &>/dev/null
- fi
-
# Update configuration files
write_tuning_conf
write_forward_conf