You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

127 lines
3.5 KiB

  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # This component will copy root.key back to /etc/unbound/ periodically, but
  18. # avoid ROM flash abuse (UCI option).
  19. #
  20. ##############################################################################
  21. . /usr/lib/unbound/defaults.sh
  22. ##############################################################################
  23. roothints_update() {
  24. # TODO: Might not be implemented. Unbound doesn't natively update hints.
  25. # Unbound philosophy is built in root hints are good for machine life.
  26. return 0
  27. }
  28. ##############################################################################
  29. rootkey_update() {
  30. local basekey_date rootkey_date rootkey_age filestuff
  31. local dnssec=$( uci_get unbound.@unbound[0].validator )
  32. local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
  33. local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
  34. # fix empty
  35. [ -z "$dnssec" ] && dnssec=0
  36. [ -z "$dnssec_ntp" ] && dnssec_ntp=1
  37. [ -z "$dnssec_age" ] && dnssec_age=9
  38. if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
  39. # Feature disabled
  40. return 0
  41. elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UB_TIME_FILE" ] ; then
  42. # We don't have time yet
  43. return 0
  44. fi
  45. if [ -f /etc/unbound/root.key ] ; then
  46. basekey_date=$( date -r /etc/unbound/root.key +%s )
  47. else
  48. # No persistent storage key
  49. basekey_date=$( date -d 2000-01-01 +%s )
  50. fi
  51. if [ -f "$UB_RKEY_FILE" ] ; then
  52. # Unbound maintains it itself
  53. rootkey_date=$( date -r $UB_RKEY_FILE +%s )
  54. rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
  55. elif [ -x "$UB_ANCHOR" ] ; then
  56. # No tmpfs key - use unbound-anchor
  57. rootkey_date=$( date -I +%s )
  58. rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
  59. $UB_ANCHOR -a $UB_RKEY_FILE
  60. else
  61. # give up
  62. rootkey_age=0
  63. fi
  64. if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
  65. filestuff=$( cat $UB_RKEY_FILE )
  66. case "$filestuff" in
  67. *NOERROR*)
  68. # Header comment for drill and dig
  69. logger -t unbound -s "root.key updated after $rootkey_age days"
  70. cp -p $UB_RKEY_FILE /etc/unbound/root.key
  71. ;;
  72. *"state=2 [ VALID ]"*)
  73. # Comment inline to key for unbound-anchor
  74. logger -t unbound -s "root.key updated after $rootkey_age days"
  75. cp -p $UB_RKEY_FILE /etc/unbound/root.key
  76. ;;
  77. *)
  78. logger -t unbound -s "root.key still $rootkey_age days old"
  79. ;;
  80. esac
  81. fi
  82. }
  83. ##############################################################################
  84. resolv_teardown() {
  85. case $( cat /tmp/resolv.conf ) in
  86. *"generated by Unbound UCI"*)
  87. # our resolver file, reset to auto resolver file.
  88. rm -f /tmp/resolv.conf
  89. ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  90. ;;
  91. esac
  92. }
  93. ##############################################################################
  94. unbound_stop() {
  95. resolv_teardown
  96. roothints_update
  97. rootkey_update
  98. }
  99. ##############################################################################