]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - src/initscripts/init.d/unbound
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
unbound: Fix DNS forwarder test
[people/pmueller/ipfire-2.x.git] / src / initscripts / init.d / unbound
1 #!/bin/sh
2 # Begin $rc_base/init.d/unbound
3
4 # Description : Unbound DNS resolver boot script for IPfire
5 # Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
6
7 . /etc/sysconfig/rc
8 . ${rc_functions}
9
10 TEST_DOMAIN="ipfire.org"
11
12 # This domain will never validate
13 TEST_DOMAIN_FAIL="dnssec-failed.org"
14
15 INSECURE_ZONES=
16 USE_FORWARDERS=1
17
18 # Cache any local zones for 60 seconds
19 LOCAL_TTL=60
20
21 # Load optional configuration
22 [ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
23
24 function cidr() {
25 local cidr nbits IFS;
26 IFS=. read -r i1 i2 i3 i4 <<< ${1}
27 IFS=. read -r m1 m2 m3 m4 <<< ${2}
28 cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
29 nbits=0
30 IFS=.
31 for dec in $2 ; do
32 case $dec in
33 255) let nbits+=8;;
34 254) let nbits+=7;;
35 252) let nbits+=6;;
36 248) let nbits+=5;;
37 240) let nbits+=4;;
38 224) let nbits+=3;;
39 192) let nbits+=2;;
40 128) let nbits+=1;;
41 0);;
42 *) echo "Error: $dec is not recognised"; exit 1
43 esac
44 done
45 echo "${cidr}/${nbits}"
46 }
47
48 ip_address_revptr() {
49 local addr=${1}
50
51 local a1 a2 a3 a4
52 IFS=. read -r a1 a2 a3 a4 <<< ${addr}
53
54 echo "${a4}.${a3}.${a2}.${a1}.in-addr.arpa"
55 }
56
57 read_name_servers() {
58 local i
59 for i in 1 2; do
60 echo "$(</var/ipfire/red/dns${i})"
61 done | xargs echo
62 }
63
64 config_header() {
65 echo "# This file is automatically generated and any changes"
66 echo "# will be overwritten. DO NOT EDIT!"
67 echo
68 }
69
70 update_forwarders() {
71 if [ "${USE_FORWARDERS}" = "1" -a -e "/var/ipfire/red/active" ]; then
72 local forwarders
73 local broken_forwarders
74
75 local ns
76 for ns in $(read_name_servers); do
77 test_name_server ${ns} &>/dev/null
78 case "$?" in
79 # Only use DNSSEC-validating or DNSSEC-aware name servers
80 0|2)
81 forwarders="${forwarders} ${ns}"
82 ;;
83 *)
84 broken_forwarders="${broken_forwarders} ${ns}"
85 ;;
86 esac
87 done
88
89 # Show warning for any broken upstream name servers
90 if [ -n "${broken_forwarders}" ]; then
91 boot_mesg "Ignoring broken upstream name server(s): ${broken_forwarders:1}" ${WARNING}
92 echo_warning
93 fi
94
95 if [ -n "${broken_forwarders}" -a -z "${forwarders}" ]; then
96 boot_mesg "Falling back to recursor mode" ${WARNING}
97 echo_warning
98
99 elif [ -n "${forwarders}" ]; then
100 boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO}
101 echo_ok
102
103 echo "${forwarders}" > /var/ipfire/red/dns
104 unbound-control -q forward ${forwarders}
105 return 0
106 fi
107 fi
108
109 # If forwarders cannot be used we run in recursor mode
110 echo "local recursor" > /var/ipfire/red/dns
111 unbound-control -q forward off
112 }
113
114 own_hostname() {
115 local hostname=$(hostname -f)
116 # 1.1.1.1 is reserved for unused green, skip this
117 if [ -n "${GREEN_ADDRESS}" -a "${GREEN_ADDRESS}" != "1.1.1.1" ]; then
118 unbound-control -q local_data "${hostname} ${LOCAL_TTL} IN A ${GREEN_ADDRESS}"
119 fi
120
121 local address
122 for address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do
123 [ -n "${address}" ] || continue
124 [ "${address}" = "1.1.1.1" ] && continue
125
126 address=$(ip_address_revptr ${address})
127 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${hostname}"
128 done
129 }
130
131 update_hosts() {
132 local enabled address hostname domainname
133
134 while IFS="," read -r enabled address hostname domainname; do
135 [ "${enabled}" = "on" ] || continue
136
137 # Build FQDN
138 local fqdn="${hostname}.${domainname}"
139
140 unbound-control -q local_data "${fqdn} ${LOCAL_TTL} IN A ${address}"
141
142 # Skip reverse resolution if the address equals the GREEN address
143 [ "${address}" = "${GREEN_ADDRESS}" ] && continue
144
145 # Add RDNS
146 address=$(ip_address_revptr ${address})
147 unbound-control -q local_data "${address} ${LOCAL_TTL} IN PTR ${fqdn}"
148 done < /var/ipfire/main/hosts
149 }
150
151 write_forward_conf() {
152 (
153 config_header
154
155 local insecure_zones="${INSECURE_ZONES}"
156
157 local enabled zone server remark
158 while IFS="," read -r enabled zone server remark; do
159 # Line must be enabled.
160 [ "${enabled}" = "on" ] || continue
161
162 # Zones that end with .local are commonly used for internal
163 # zones and therefore not signed
164 case "${zone}" in
165 *.local)
166 insecure_zones="${insecure_zones} ${zone}"
167 ;;
168 esac
169
170 echo "forward-zone:"
171 echo " name: ${zone}"
172 echo " forward-addr: ${server}"
173 echo
174 done < /var/ipfire/dnsforward/config
175
176 if [ -n "${insecure_zones}" ]; then
177 echo "server:"
178
179 for zone in ${insecure_zones}; do
180 echo " domain-insecure: ${zone}"
181 done
182 fi
183 ) > /etc/unbound/forward.conf
184 }
185
186 write_tuning_conf() {
187 # https://www.unbound.net/documentation/howto_optimise.html
188
189 # Determine number of online processors
190 local processors=$(getconf _NPROCESSORS_ONLN)
191
192 # Determine number of slabs
193 local slabs=1
194 while [ ${slabs} -lt ${processors} ]; do
195 slabs=$(( ${slabs} * 2 ))
196 done
197
198 # Determine amount of system memory
199 local mem=$(get_memory_amount)
200
201 # In the worst case scenario, unbound can use double the
202 # amount of memory allocated to a cache due to malloc overhead
203
204 # Large systems with more than 2GB of RAM
205 if [ ${mem} -ge 2048 ]; then
206 mem=128
207
208 # Small systems with less than 256MB of RAM
209 elif [ ${mem} -le 256 ]; then
210 mem=8
211
212 # Everything else
213 else
214 mem=32
215 fi
216
217 (
218 config_header
219
220 # We run one thread per processor
221 echo "num-threads: ${processors}"
222
223 # Adjust number of slabs
224 echo "infra-cache-slabs: ${slabs}"
225 echo "key-cache-slabs: ${slabs}"
226 echo "msg-cache-slabs: ${slabs}"
227 echo "rrset-cache-slabs: ${slabs}"
228
229 # Slice up the cache
230 echo "rrset-cache-size: $(( ${mem} / 2 ))m"
231 echo "msg-cache-size: $(( ${mem} / 4 ))m"
232 echo "key-cache-size: $(( ${mem} / 4 ))m"
233 ) > /etc/unbound/tuning.conf
234 }
235
236 get_memory_amount() {
237 local key val unit
238
239 while read -r key val unit; do
240 case "${key}" in
241 MemTotal:*)
242 # Convert to MB
243 echo "$(( ${val} / 1024 ))"
244 break
245 ;;
246 esac
247 done < /proc/meminfo
248 }
249
250 test_name_server() {
251 local ns=${1}
252
253 # Return codes:
254 # 0 DNSSEC validating
255 # 1 Error: unreachable, etc.
256 # 2 DNSSEC aware
257 # 3 NOT DNSSEC-aware
258
259 # Exit when the server is not reachable
260 ns_is_online ${ns} || return 1
261
262 local errors
263 for rr in DNSKEY DS RRSIG; do
264 if ! ns_forwards_${rr} ${ns}; then
265 errors="${errors} ${rr}"
266 fi
267 done
268
269 if [ -n "${errors}" ]; then
270 echo >&2 "Unable to retrieve the following resource records from ${ns}: ${errors:1}"
271 return 3
272 fi
273
274 if ns_is_validating ${ns}; then
275 # Return 0 if validating
276 return 0
277 else
278 # Is DNSSEC-aware
279 return 2
280 fi
281 }
282
283 # Sends an A query to the nameserver w/o DNSSEC
284 ns_is_online() {
285 local ns=${1}
286
287 dig @${ns} +nodnssec A ${TEST_DOMAIN} >/dev/null
288 }
289
290 # Resolving ${TEST_DOMAIN_FAIL} will fail if the nameserver is validating
291 ns_is_validating() {
292 local ns=${1}
293
294 dig @${ns} A ${TEST_DOMAIN_FAIL} | grep -q SERVFAIL
295 }
296
297 # Checks if we can retrieve the DNSKEY for this domain.
298 # dig will print the SOA if nothing was found
299 ns_forwards_DNSKEY() {
300 local ns=${1}
301
302 dig @${ns} DNSKEY ${TEST_DOMAIN} | grep -qv SOA
303 }
304
305 ns_forwards_DS() {
306 local ns=${1}
307
308 dig @${ns} DS ${TEST_DOMAIN} | grep -qv SOA
309 }
310
311 ns_forwards_RRSIG() {
312 local ns=${1}
313
314 dig @${ns} +dnssec A ${TEST_DOMAIN} | grep -q RRSIG
315 }
316
317 ns_supports_tcp() {
318 local ns=${1}
319
320 dig @${ns} +tcp A ${TEST_DOMAIN} >/dev/null || return 1
321 }
322
323 case "$1" in
324 start)
325 # Print a nicer messagen when unbound is already running
326 if pidofproc -s unbound; then
327 statusproc /usr/sbin/unbound
328 exit 0
329 fi
330
331 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
332
333 # Create control keys at first run
334 if [ ! -r "/etc/unbound/unbound_control.key" ]; then
335 unbound-control-setup -d /etc/unbound &>/dev/null
336 fi
337
338 # Update configuration files
339 write_tuning_conf
340 write_forward_conf
341
342 boot_mesg "Starting Unbound DNS Proxy..."
343 loadproc /usr/sbin/unbound || exit $?
344
345 # Make own hostname resolveable
346 own_hostname
347
348 # Update any known forwarding name servers
349 update_forwarders
350
351 # Update hosts
352 update_hosts
353 ;;
354
355 stop)
356 boot_mesg "Stopping Unbound DNS Proxy..."
357 killproc /usr/sbin/unbound
358 ;;
359
360 restart)
361 $0 stop
362 sleep 1
363 $0 start
364 ;;
365
366 status)
367 statusproc /usr/sbin/unbound
368 ;;
369
370 update-forwarders)
371 # Do not try updating forwarders when unbound is not running
372 if ! pgrep unbound &>/dev/null; then
373 exit 0
374 fi
375
376 update_forwarders
377 ;;
378
379 test-name-server)
380 ns=${2}
381
382 test_name_server ${ns}
383 ret=${?}
384
385 case "${ret}" in
386 0)
387 echo "${ns} is validating"
388 ;;
389 2)
390 echo "${ns} is DNSSEC-aware"
391 ;;
392 3)
393 echo "${ns} is NOT DNSSEC-aware"
394 ;;
395 *)
396 echo "Test failed for an unknown reason"
397 ;;
398 esac
399
400 if ns_supports_tcp ${ns}; then
401 echo "${ns} supports TCP fallback"
402 else
403 echo "${ns} does not support TCP fallback"
404 fi
405
406 exit ${ret}
407 ;;
408
409 *)
410 echo "Usage: $0 {start|stop|restart|status|update-forwarders|test-name-server}"
411 exit 1
412 ;;
413 esac
414
415 # End $rc_base/init.d/unbound
Peter's tree of IPFire 2.x