Merge pull request #4095 from EricLuehrsen/unbound_rfc5011

unbound: improve maintenance of trust anchor
2017-03-02 10:03:22 +02:00 · 2017-03-02 10:03:22 +02:00 · 230ea61043
commit 230ea61043
parent 2b6a84ff65 a4f23e52bf
5 changed files with 23 additions and 9 deletions
--- a/net/unbound/Makefile
+++ b/net/unbound/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.6.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
--- a/net/unbound/files/README.md
+++ b/net/unbound/files/README.md
@ -117,7 +117,7 @@ Keep the DNSKEY updated with your choice of flash activity. `root.key` maintenan

 	config unbound
 		option manual_conf '1'
-		option root_age '30'
+		option root_age '9'

 ### Hybrid Manual/UCI
 You like the UCI. Yet, you need to add some difficult to standardize options, or just are not ready to make a UCI request yet. The files `/etc/unbound/unbound_srv.conf` and `/etc/unbound/unbound_ext.conf` will be copied to Unbounds chroot directory and included during auto generation. 
@ -230,7 +230,7 @@ The former will be added to the end of the `server:` clause. The later will be a
 		defaults with a bit of balancing. Tiny is close to the published
 		memory restricted configuration. Small 1/2 medium, and large 2x.

-	option root_age '30'
+	option root_age '9'
 		Days. >90 Disables. Age limit for Unbound root data like root
 		DNSSEC key. Unbound uses RFC 5011 to manage root key. This could
 		harm flash ROM. This activity is mapped to "tmpfs," but every so
--- a/net/unbound/files/rootzone.sh
+++ b/net/unbound/files/rootzone.sh
@ -26,7 +26,7 @@ rootzone_uci() {
  # This will likely be called outside of "start_service()" context
  config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
-  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 30
+  config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
 }

 ##############################################################################
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
 UNBOUND_N_EDNS_SIZE=1280
 UNBOUND_N_FWD_PORTS=""
 UNBOUND_N_RX_PORT=53
-UNBOUND_N_ROOT_AGE=28
+UNBOUND_N_ROOT_AGE=9

 UNBOUND_TTL_MIN=120

@ -258,6 +258,13 @@ unbound_mkdir() {
  fi


+  if [ -f $UNBOUND_KEYFILE ] ; then
+    # Lets not lose RFC 5011 tracking if we don't have to
+    cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
+  fi
+
+
+  # Blind copy /etc/ to /var/lib/
  mkdir -p $UNBOUND_VARDIR
  rm -f $UNBOUND_VARDIR/dhcp_*
  touch $UNBOUND_CONFFILE
@ -282,7 +289,7 @@ unbound_mkdir() {
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE

-    elif [ -x "$UNBOUND_ANCHOR" ] ; then
+    elif [ -x $UNBOUND_ANCHOR ] ; then
      $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE

    else
@ -290,7 +297,14 @@ unbound_mkdir() {
    fi
  fi

-
+  
+  if [ -f $UNBOUND_KEYFILE.keep ] ; then
+    # root.key.keep is reused if newest
+    cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
+    rm -f $UNBOUND_KEYFILE.keep
+  fi
+  
+  
  # Ensure access and prepare to jail
  chown -R unbound:unbound $UNBOUND_VARDIR
  chmod 775 $UNBOUND_VARDIR
@ -755,7 +769,7 @@ unbound_uci() {

  config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
-  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 7
+  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 9

  config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UNBOUND_D_DHCP_LINK   "$cfg" dhcp_link none
--- a/net/unbound/files/unbound.uci
+++ b/net/unbound/files/unbound.uci
@ -19,7 +19,7 @@ config unbound
 	option rebind_protection '1'
 	option recursion 'passive'
 	option resource 'small'
-	option root_age '28'
+	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'
 	option validator '0'