- #!/bin/sh
- ##############################################################################
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License version 2 as
- # published by the Free Software Foundation.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # Copyright (C) 2016 Eric Luehrsen
- #
- ##############################################################################
- #
- # This component will copy root.key back to /etc/unbound/ periodically, but
- # avoid ROM flash abuse (UCI option).
- #
- ##############################################################################
-
- # while useful (sh)ellcheck is pedantic and noisy
- # shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155
-
- . /usr/lib/unbound/defaults.sh
-
- ##############################################################################
-
- roothints_update() {
- # TODO: Might not be implemented. Unbound doesn't natively update hints.
- # Unbound philosophy is built in root hints are good for machine life.
- return 0
- }
-
- ##############################################################################
-
- rootkey_update() {
- local basekey_date rootkey_date rootkey_age filestuff
- local dnssec=$( uci_get unbound.@unbound[0].validator )
- local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
- local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
-
- # fix empty
- [ -z "$dnssec" ] && dnssec=0
- [ -z "$dnssec_ntp" ] && dnssec_ntp=1
- [ -z "$dnssec_age" ] && dnssec_age=9
-
-
- if [ $dnssec_age -gt 90 ] || [ $dnssec -lt 1 ] ; then
- # Feature disabled
- return 0
-
- elif [ "$dnssec_ntp" -gt 0 ] && [ ! -f "$UB_TIME_FILE" ] ; then
- # We don't have time yet
- return 0
- fi
-
-
- if [ -f /etc/unbound/root.key ] ; then
- basekey_date=$( date -r /etc/unbound/root.key +%s )
-
- else
- # No persistent storage key
- basekey_date=$( date -d 2000-01-01 +%s )
- fi
-
-
- if [ -f "$UB_RKEY_FILE" ] ; then
- # Unbound maintains it itself
- rootkey_date=$( date -r $UB_RKEY_FILE +%s )
- rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
-
- elif [ -x "$UB_ANCHOR" ] ; then
- # No tmpfs key - use unbound-anchor
- rootkey_date=$( date -I +%s )
- rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
- $UB_ANCHOR -a $UB_RKEY_FILE
-
- else
- # give up
- rootkey_age=0
- fi
-
-
- if [ $rootkey_age -gt $dnssec_age ] ; then
- filestuff=$( cat $UB_RKEY_FILE )
-
-
- case "$filestuff" in
- *NOERROR*)
- # Header comment for drill and dig
- logger -t unbound -s "root.key updated after $rootkey_age days"
- cp -p $UB_RKEY_FILE /etc/unbound/root.key
- ;;
-
- *"state=2 [ VALID ]"*)
- # Comment inline to key for unbound-anchor
- logger -t unbound -s "root.key updated after $rootkey_age days"
- cp -p $UB_RKEY_FILE /etc/unbound/root.key
- ;;
-
- *)
- logger -t unbound -s "root.key still $rootkey_age days old"
- ;;
- esac
- fi
- }
-
- ##############################################################################
-
- resolv_teardown() {
- case $( cat $UB_RESOLV_CONF ) in
- *"generated by Unbound UCI"*)
- # our resolver file, reset to auto resolver file.
- rm -f $UB_RESOLV_CONF
- ln -s $UB_RESOLV_AUTO $UB_RESOLV_CONF
- ;;
- esac
- }
-
- ##############################################################################
-
- unbound_stop() {
- resolv_teardown
- roothints_update
- rootkey_update
- }
-
- ##############################################################################
-
|
