
  1. #!/bin/sh
  2. ##############################################################################
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License version 2 as
  6. # published by the Free Software Foundation.
  7. #
  8. # This program is distributed in the hope that it will be useful,
  9. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. # GNU General Public License for more details.
  12. #
  13. # Copyright (C) 2016 Eric Luehrsen
  14. #
  15. ##############################################################################
  16. #
  17. # This component will copy root.key back to /etc/unbound/ periodically, but
  18. # avoid ROM flash abuse (UCI option).
  19. #
  20. ##############################################################################
  roothints_update() {
    # Placeholder: Unbound does not refresh root hints on its own, and the
    # project view is that the compiled-in hint set is good for the lifetime
    # of the device, so there is deliberately nothing to do here.
    # TODO: revisit if a hint-refresh mechanism is ever wanted.
    return 0
  }
  26. ##############################################################################
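  rootkey_update() {
    # Copy Unbound's auto-maintained trust anchor (tmpfs) back to persistent
    # /etc/unbound/root.key, but only once the persisted copy is older than the
    # UCI root_age threshold, so ROM flash is not rewritten on every refresh.
    #
    # Globals (read): UNBOUND_KEYFILE, UNBOUND_ANCHOR, UNBOUND_TIMEFILE
    # Returns: 0 always; problems are logged, never fatal to the caller.
    local basekey_date rootkey_date rootkey_age filestuff value
    local dnssec dnssec_ntp dnssec_age
    local persist_key=/etc/unbound/root.key
    dnssec=$( uci_get unbound.@unbound[0].validator )
    dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
    dnssec_age=$( uci_get unbound.@unbound[0].root_age )

    # These values feed integer tests below; an empty or non-numeric option
    # would make '[' error out rather than decide. Treat any such value as
    # "feature disabled" -- the conservative choice when flash writes are at
    # stake.
    for value in "$dnssec" "$dnssec_ntp" "$dnssec_age" ; do
      case "$value" in
        ''|*[!0-9]*) return 0 ;;
      esac
    done

    if [ "$dnssec_age" -gt 90 ] || [ "$dnssec" -lt 1 ] ; then
      # Feature disabled: validator off, or refresh interval set past 90 days
      return 0
    elif [ "$dnssec_ntp" -gt 0 ] && [ ! -f "$UNBOUND_TIMEFILE" ] ; then
      # NTP-gated and no trusted clock yet, so file ages mean nothing
      return 0
    fi

    if [ -f "$persist_key" ] ; then
      basekey_date=$( date -r "$persist_key" +%s )
    else
      # No persisted key yet: pretend it is ancient so the first copy happens.
      # 946684800 is 2000-01-01T00:00:00Z; a literal avoids depending on the
      # platform's 'date -d' parser.
      basekey_date=946684800
    fi

    if [ -f "$UNBOUND_KEYFILE" ] ; then
      # Unbound refreshes its own copy on tmpfs; 86400 s per day (the original
      # divisor 86440 was a typo that slowly under-counted the age).
      rootkey_date=$( date -r "$UNBOUND_KEYFILE" +%s )
      rootkey_age=$(( (rootkey_date - basekey_date) / 86400 ))
    elif [ -x "$UNBOUND_ANCHOR" ] ; then
      # No tmpfs key yet: measure from "now" and let unbound-anchor fetch one.
      # 'date -I +%s' mixed an ISO-format flag with an explicit format, which
      # GNU date rejects; plain 'date +%s' is what was meant.
      # unbound-anchor exits 1 when it *changed* the key, so its status is
      # deliberately not treated as an error here.
      rootkey_date=$( date +%s )
      rootkey_age=$(( (rootkey_date - basekey_date) / 86400 ))
      "$UNBOUND_ANCHOR" -a "$UNBOUND_KEYFILE"
    else
      # Nothing to compare against; give up quietly
      rootkey_age=0
    fi

    # The -f re-check covers the unbound-anchor branch, where the fetch may
    # have failed and left no key file to read.
    if [ "$rootkey_age" -gt "$dnssec_age" ] && [ -f "$UNBOUND_KEYFILE" ] ; then
      filestuff=$( cat "$UNBOUND_KEYFILE" )
      case "$filestuff" in
        *NOERROR*|*"state=2 [ VALID ]"*)
          # "NOERROR" is the drill/dig header comment and "state=2 [ VALID ]"
          # the inline unbound-anchor annotation; either marks a usable key.
          logger -t unbound -s "root.key updated after $rootkey_age days"
          cp -p "$UNBOUND_KEYFILE" "$persist_key"
          ;;
        *)
          logger -t unbound -s "root.key still $rootkey_age days old"
          ;;
      esac
    fi
    return 0
  }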
  77. ##############################################################################
  rootzone_update() {
    # Entry point: run the root-hints step (currently a no-op) and then the
    # trust-anchor step, in that order; the status of the last step is returned.
    local step
    for step in roothints_update rootkey_update ; do
      "$step"
    done
  }
  82. ##############################################################################