From a4f23e52bf0529e2eed335cc83470641f4e3f47f Mon Sep 17 00:00:00 2001
From: Eric Luehrsen
Date: Thu, 2 Mar 2017 00:28:35 -0500
Subject: [PATCH] unbound: improve maintenance of trust anchor

Unbound UCI tries to protect embedded flash from excess use. Unbound RFC5011 KSK tracking can rewrite root.key every few minutes to an hour. It also writes and destroys files in the same directory during the process. Recommended UCI delays for copying busy work in /var/ back to /etc/ may be too conservative. These are all changed from 28 to 9 days. The RFC5011 KSK results were also destroyed by an init.d restart, even if /var/ is mounted on persistent storage like USB drive. /var/lib/unbound/root.key is now preserved during this process, unless a newer key is installed in /etc/ manually or package update.

Signed-off-by: Eric Luehrsen
---
 net/unbound/Makefile | 2 +-
 net/unbound/files/README.md | 4 ++--
 net/unbound/files/rootzone.sh | 2 +-
 net/unbound/files/unbound.sh | 22 ++++++++++++++++++----
 net/unbound/files/unbound.uci | 2 +-
 5 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/net/unbound/Makefile b/net/unbound/Makefile
index e531a4578..6546fa2a1 100644
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=unbound
 PKG_VERSION:=1.6.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
diff --git a/net/unbound/files/README.md b/net/unbound/files/README.md
index 53f8a1412..4855688ac 100644
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@@ -117,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan
 config unbound
 option manual_conf '1'
- option root_age '30'
+ option root_age '9'
 ### Hybrid Manual/UCI
 You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation.
@@ -230,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a
 defaults with a bit of balancing. Tiny is close to the published memory restricted configuration. Small 1/2 medium, and large 2x.
- option root_age '30'
+ option root_age '9'
 Days. >90 Disables. Age limit for Unbound root data like root DNSSEC key. Unbound uses RFC 5011 to manage root key. This could harm flash ROM. This activity is mapped to "tmpfs," but every so
diff --git a/net/unbound/files/rootzone.sh b/net/unbound/files/rootzone.sh
index 143c0560f..d085fed4e 100644
--- a/net/unbound/files/rootzone.sh
+++ b/net/unbound/files/rootzone.sh
@@ -26,7 +26,7 @@ rootzone_uci() {
 # This will likely be called outside of "start_service()" context
 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30
+ config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
 }
 ##############################################################################
diff --git a/net/unbound/files/unbound.sh b/net/unbound/files/unbound.sh
index 24964d0b0..ce250bd95 100644
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
 UNBOUND_N_EDNS_SIZE=1280
 UNBOUND_N_FWD_PORTS=""
 UNBOUND_N_RX_PORT=53
-UNBOUND_N_ROOT_AGE=28
+UNBOUND_N_ROOT_AGE=9
 UNBOUND_TTL_MIN=120
@@ -258,6 +258,13 @@ unbound_mkdir() {
 fi
+ if [ -f $UNBOUND_KEYFILE ] ; then
+ # Lets not lose RFC 5011 tracking if we don't have to
+ cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
+ fi
+
+
 # Blind copy /etc/ to /var/lib/
 mkdir -p $UNBOUND_VARDIR
 rm -f $UNBOUND_VARDIR/dhcp_*
 touch $UNBOUND_CONFFILE
@@ -282,7 +289,7 @@ unbound_mkdir() {
 # Debian-like package dns-root-data
 cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
- elif [ -x "$UNBOUND_ANCHOR" ] ; then
+ elif [ -x $UNBOUND_ANCHOR ] ; then
 $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
 else
@@ -290,7 +297,14 @@ unbound_mkdir() {
 fi
 fi
-
+
+ if [ -f $UNBOUND_KEYFILE.keep ] ; then
+ # root.key.keep is reused if newest
+ cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
+ rm -f $UNBOUND_KEYFILE.keep
+ fi
+
+
 # Ensure access and prepare to jail
 chown -R unbound:unbound $UNBOUND_VARDIR
 chmod 775 $UNBOUND_VARDIR
@@ -755,7 +769,7 @@ unbound_uci() {
 config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
 config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
- config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
+ config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
 config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
 config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none
diff --git a/net/unbound/files/unbound.uci b/net/unbound/files/unbound.uci
index 7794e9765..9e58ac799 100644
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@@ -19,7 +19,7 @@ config unbound
 option rebind_protection '1'
 option recursion 'passive'
 option resource 'small'
- option root_age '28'
+ option root_age '9'
 option ttl_min '120'
 option unbound_control '0'
 option validator '0'
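Review bot: The backup taken here with `cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep` is restored in the @@ -290 hunk with `cp -u`, so which trust anchor ends up in $UNBOUND_KEYFILE is decided purely by file mtime, not by anchor content or RFC 5011 state. That makes the outcome clock-dependent: the `$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE` branch presumably stamps a fresh file with the current time and so always beats the `.keep` copy, while a key shipped in /etc/ by a package update may carry a build-time mtime older than the last RFC 5011 rewrite and lose to it, which is the opposite of what the commit message promises; on a device without an RTC the boot clock can also sit on either side of the `.keep` mtime. The blind copy from /etc/ that runs between the two hunks is not visible here, so whether it preserves mtimes decides which case applies. A content comparison, or at least a comment at the restore stating the assumption, e.g. `# root.key.keep wins only if its mtime is newer than the key installed above (clock dependent)`, would make the intent checkable. unbound_mkdir begins and ends outside this hunk.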
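Review bot: Dropping the quotes in `elif [ -x $UNBOUND_ANCHOR ] ; then` changes the test when UNBOUND_ANCHOR is empty or unset: `[ -x ]` becomes a one-argument test on the literal string `-x`, which is true, so the branch is entered and the next line runs ` -a $UNBOUND_KEYFILE` with no command, whereas the quoted form evaluated to false. This looks like a consistency pass to match the surrounding unquoted tests, but for a variable holding a path that may not be set it is safer to keep `elif [ -x "$UNBOUND_ANCHOR" ] ; then`. Whether UNBOUND_ANCHOR can be empty depends on its definition, which is outside the hunk; unbound_mkdir also begins and ends outside it.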