| #!/bin/sh |
| ############################################################################## |
| # |
| # This program is free software; you can redistribute it and/or modify |
| # it under the terms of the GNU General Public License version 2 as |
| # published by the Free Software Foundation. |
| # |
| # This program is distributed in the hope that it will be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| # Copyright (C) 2016 Eric Luehrsen |
| # |
| ############################################################################## |
| # |
| # This component will copy root.key back to /etc/unbound/ periodically, but |
| # avoid ROM flash abuse (UCI option). |
| # |
| ############################################################################## |
| |
| # while useful (sh)ellcheck is pedantic and noisy |
| # shellcheck disable=1091,2002,2004,2034,2039,2086,2094,2140,2154,2155 |
| |
| . /usr/lib/unbound/defaults.sh |
| |
| ############################################################################## |
| |
| roothints_update() { |
| # TODO: Might not be implemented. Unbound doesn't natively update hints. |
| # Unbound philosophy is built in root hints are good for machine life. |
| return 0 |
| } |
| |
| ############################################################################## |
| |
| rootkey_update() { |
| local basekey_date rootkey_date rootkey_age filestuff |
| local dnssec=$( uci_get unbound.@unbound[0].validator ) |
| local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp ) |
| local dnssec_age=$( uci_get unbound.@unbound[0].root_age ) |
| |
| # fix empty |
| [ -z "$dnssec" ] && dnssec=0 |
| [ -z "$dnssec_ntp" ] && dnssec_ntp=1 |
| [ -z "$dnssec_age" ] && dnssec_age=9 |
| |
| |
| if [ $dnssec_age -gt 90 ] || [ $dnssec -lt 1 ] ; then |
| # Feature disabled |
| return 0 |
| |
| elif [ "$dnssec_ntp" -gt 0 ] && [ ! -f "$UB_TIME_FILE" ] ; then |
| # We don't have time yet |
| return 0 |
| fi |
| |
| |
| if [ -f /etc/unbound/root.key ] ; then |
| basekey_date=$( date -r /etc/unbound/root.key +%s ) |
| |
| else |
| # No persistent storage key |
| basekey_date=$( date -d 2000-01-01 +%s ) |
| fi |
| |
| |
| if [ -f "$UB_RKEY_FILE" ] ; then |
| # Unbound maintains it itself |
| rootkey_date=$( date -r $UB_RKEY_FILE +%s ) |
| rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) |
| |
| elif [ -x "$UB_ANCHOR" ] ; then |
| # No tmpfs key - use unbound-anchor |
| rootkey_date=$( date -I +%s ) |
| rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) |
| $UB_ANCHOR -a $UB_RKEY_FILE |
| |
| else |
| # give up |
| rootkey_age=0 |
| fi |
| |
| |
| if [ $rootkey_age -gt $dnssec_age ] ; then |
| filestuff=$( cat $UB_RKEY_FILE ) |
| |
| |
| case "$filestuff" in |
| *NOERROR*) |
| # Header comment for drill and dig |
| logger -t unbound -s "root.key updated after $rootkey_age days" |
| cp -p $UB_RKEY_FILE /etc/unbound/root.key |
| ;; |
| |
| *"state=2 [ VALID ]"*) |
| # Comment inline to key for unbound-anchor |
| logger -t unbound -s "root.key updated after $rootkey_age days" |
| cp -p $UB_RKEY_FILE /etc/unbound/root.key |
| ;; |
| |
| *) |
| logger -t unbound -s "root.key still $rootkey_age days old" |
| ;; |
| esac |
| fi |
| } |
| |
| ############################################################################## |
| |
| resolv_teardown() { |
| case $( cat $UB_RESOLV_CONF ) in |
| *"generated by Unbound UCI"*) |
| # our resolver file, reset to auto resolver file. |
| rm -f $UB_RESOLV_CONF |
| ln -s $UB_RESOLV_AUTO $UB_RESOLV_CONF |
| ;; |
| esac |
| } |
| |
| ############################################################################## |
| |
| unbound_stop() { |
| resolv_teardown |
| roothints_update |
| rootkey_update |
| } |
| |
| ############################################################################## |
| |