Merge remote-tracking branch 'ms/dns-forwarding' into next
index 1d7522a56c686e2d76748909ea5c8bb311da5e30..af9bcef73ce09e24944b88dd5e206d3294a0eb87 100644 (file)
@@ -61,7 +61,7 @@ read_name_servers() {
        local i
        for i in 1 2; do
                echo "$(</var/ipfire/red/dns${i})"
-       done | xargs echo
+       done 2>/dev/null | xargs echo
 }
 
 config_header() {
@@ -197,8 +197,8 @@ write_forward_conf() {
 
                local insecure_zones="${INSECURE_ZONES}"
 
-               local enabled zone server remark
-               while IFS="," read -r enabled zone server remark; do
+               local enabled zone server servers remark disable_dnssec rest
+               while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
                        # Line must be enabled.
                        [ "${enabled}" = "on" ] || continue
 
@@ -208,12 +208,43 @@ write_forward_conf() {
                                *.local)
                                        insecure_zones="${insecure_zones} ${zone}"
                                        ;;
+                               *)
+                                       if [ "${disable_dnssec}" = "on" ]; then
+                                               insecure_zones="${insecure_zones} ${zone}"
+                                       fi
+                                       ;;
                        esac
 
-                       echo "forward-zone:"
-                       echo "  name: ${zone}"
-                       echo "  forward-addr: ${server}"
-                       echo
+                       # Reverse-lookup zones must be stubs
+                       case "${zone}" in
+                               *.in-addr.arpa)
+                                       echo "stub-zone:"
+                                       echo "  name: ${zone}"
+                                       for server in ${servers//|/ }; do
+                                               if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+                                                       echo "  stub-addr: ${server}"
+                                               else
+                                                       echo "  stub-host: ${server}"
+                                               fi
+                                       done
+                                       echo
+                                       echo "server:"
+                                       echo "  local-zone: \"${zone}\" transparent"
+                                       echo
+                                       ;;
+                               *)
+                                       echo "forward-zone:"
+                                       echo "  name: ${zone}"
+                                       for server in ${servers//|/ }; do
+                                               if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+                                                       echo "  forward-addr: ${server}"
+                                               else
+                                                       echo "  forward-host: ${server}"
+                                               fi
+                                       done
+                                       echo
+                                       ;;
+                       esac
                done < /var/ipfire/dnsforward/config
 
                if [ -n "${insecure_zones}" ]; then
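Review bot: The address test in both the stub-zone and forward-zone branches (`[[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]`) recognises only dotted-quad IPv4, so an IPv6 literal coming from /var/ipfire/dnsforward/config would be written out as `stub-host:`/`forward-host:` and unbound would then try to resolve it as a name. If IPv6 servers can reach this file, extend the condition in both places to `if [[ ${server} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ || ${server} == *:* ]]; then`, since a colon cannot occur in a hostname. The two classification loops are otherwise identical apart from the `stub`/`forward` prefix, so a small helper taking that prefix would keep them from drifting apart. write_forward_conf starts and ends outside the hunk.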
@@ -244,17 +275,29 @@ write_tuning_conf() {
        # In the worst case scenario, unbound can use double the
        # amount of memory allocated to a cache due to malloc overhead
 
+       # Even larger systems with more than 8GB of RAM
+       if [ ${mem} -ge 8192 ]; then
+               mem=1024
+
+       # Extra large systems with more than 4GB of RAM
+       elif [ ${mem} -ge 4096 ]; then
+               mem=512
+
        # Large systems with more than 2GB of RAM
-       if [ ${mem} -ge 2048 ]; then
+       elif [ ${mem} -ge 2048 ]; then
+               mem=256
+
+       # Medium systems with more than 1GB of RAM
+       elif [ ${mem} -ge 1024 ]; then
                mem=128
 
        # Small systems with less than 256MB of RAM
        elif [ ${mem} -le 256 ]; then
-               mem=8
+               mem=16
 
        # Everything else
        else
-               mem=32
+               mem=64
        fi
 
        (
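Review bot: The tier comments do not match the tests they describe: "more than 8GB" sits above `-ge 8192`, and "less than 256MB" above `-le 256`, so a reader checking the boundary for a 256MB or 4096MB system gets the opposite answer from the code. Wording the comments as the tests read, e.g. `# Systems with at least 8GB of RAM` and `# Small systems with at most 256MB of RAM`, removes the ambiguity for all five tiers. A short comment noting that `mem` is reused to hold the resulting cache size in MB would also help, since the same variable name means two different things in this function. write_tuning_conf starts before the hunk, where `${mem}` is computed.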
@@ -352,7 +395,12 @@ ns_is_validating() {
        local ns=${1}
        shift
 
-       dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL
+       if ! dig @${ns} A ${TEST_DOMAIN_FAIL} $@ | grep -q SERVFAIL; then
+               return 1
+       else
+               # Determine if NS replies with "ad" data flag if DNSSEC enabled
+               dig @${ns} +dnssec SOA ${TEST_DOMAIN} $@ | awk -F: '/\;\;\ flags\:/ { s=1; if (/\ ad/) s=0; exit s }'
+       fi
 }
 
 # Checks if we can retrieve the DNSKEY for this domain.
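Review bot: The awk program in the else branch treats "no flags line seen" as success: `s` is only assigned inside the `flags` rule, so when dig prints nothing (timeout, unreachable server) awk exits 0 and ns_is_validating reports the server as validating. Initialise the result to failure and only clear it on a matching line: `awk 'BEGIN { s=1 } /^;; flags:/ { if (/ ad/) s=0; exit } END { exit s }'`; this also drops the unused `-F:` and the escaped `\;`/`\ ` sequences, which are not portable across awk implementations. `$@` is unquoted in both dig calls, so extra arguments containing spaces are re-split; `"$@"` preserves them.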
@@ -424,6 +472,9 @@ can_resolve_root() {
 enable_dnssec() {
        local status=$(unbound-control get_option val-permissive-mode)
 
+       # Log DNSSEC status
+       echo "on" > /var/ipfire/red/dnssec-status
+
        # Don't do anything if DNSSEC is already activated
        [ "${status}" = "no" ] && return 0
 
@@ -433,9 +484,24 @@ enable_dnssec() {
 }
 
 disable_dnssec() {
+       # Log DNSSEC status
+       echo "off" > /var/ipfire/red/dnssec-status
+
        unbound-control -q set_option val-permissive-mode: yes
 }
 
+fix_time_if_dns_fail() {
+       # If DNS still not work try to init ntp with
+       # hardcoded ntp.ipfire.org (81.3.27.46)
+       if [ -e /var/ipfire/red/active ]; then
+               host 0.ipfire.pool.ntp.org > /dev/null 2>&1
+               if [ "${?}" != "0" ]; then
+                       boot_mesg "DNS still not functioning... Trying to sync time with ntp.ipfire.org (81.3.27.46)..."
+                       loadproc /usr/local/bin/settime 81.3.27.46
+               fi
+       fi
+}
+
 case "$1" in
        start)
                # Print a nicer messagen when unbound is already running
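Review bot: The exit-status test in fix_time_if_dns_fail reads `${?}` after a separate `host` command; folding it into the condition is shorter and cannot be broken by a later insertion between the two lines: `if ! host 0.ipfire.pool.ntp.org > /dev/null 2>&1; then`. The header comment could say why the address is hard-coded, since that is the whole point of the function: `# DNS is failing, so sync time against a fixed address that needs no lookup`. The outcome of `loadproc /usr/local/bin/settime` is not examined, so a failed sync is visible only through loadproc's own output; if callers need to know, test its status.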
@@ -446,11 +512,6 @@ case "$1" in
 
                eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
-               # Create control keys at first run
-               if [ ! -r "/etc/unbound/unbound_control.key" ]; then
-                       unbound-control-setup -d /etc/unbound &>/dev/null
-               fi
-
                # Update configuration files
                write_tuning_conf
                write_forward_conf
@@ -466,6 +527,8 @@ case "$1" in
 
                # Update hosts
                update_hosts
+
+               fix_time_if_dns_fail
                ;;
 
        stop)
@@ -490,6 +553,11 @@ case "$1" in
                fi
 
                update_forwarders
+
+               unbound-control flush_negative > /dev/null
+               unbound-control flush_bogus > /dev/null
+
+               fix_time_if_dns_fail
                ;;
 
        test-name-server)
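Review bot: The two new flush calls redirect stdout only, whereas disable_dnssec uses `unbound-control -q` for the same kind of call; `unbound-control -q flush_negative` and `unbound-control -q flush_bogus` keep the style consistent. A one-line comment on why both caches are flushed at this point would help the next reader, e.g. `# Presumably: drop cached failures so the new forwarders are retried at once`. The case branch these lines belong to starts before the hunk.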