Unbound: Add scripts to manage root.key in tmpfs

-Unbound RFC 5011 is busy and writes frequently -RFC 5011 creates working files in same directory -DNSSEC root.key managed in /var/lib/unbound -Protect against flash ROM wear out in /etc/unbound -Scripts will copy back every 7 days instead Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2016-10-20 00:19:51 -04:00 · 2016-10-20 00:19:51 -04:00 · cb56829c98
commit cb56829c98
parent b228d5e969
2 changed files with 232 additions and 0 deletions
--- a/net/unbound/files/rootzone.sh
+++ b/net/unbound/files/rootzone.sh
@ -0,0 +1,106 @@
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# This component needs to be used within the unbound.sh as an include. It uses
+# defaults and UCI scope variables defined there. It will copy root.key back
+# to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
+#
+##############################################################################
+
+rootzone_uci() {
+  # TODO: Just structure to real UCI coming soon.
+  echo
+}
+
+##############################################################################
+
+roothints_update() {
+  # TODO: Maybe this will not be implemented.
+  echo
+}
+
+##############################################################################
+
+rootkey_update() {
+  local basekey_date rootkey_date rootkey_age filestuff
+
+  # TODO: Just structure to real UCI coming soon.
+  if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
+    # Feature disabled
+    return 0
+  fi
+   
+  
+  if [ -f /etc/unbound/root.key ] ; then
+    basekey_date=$( date -r /etc/unbound/root.key +%s )
+    
+  else
+    # No persistent storage key
+    basekey_date=$( date -d 2000-01-01 +%s )
+  fi
+  
+  
+  if [ -f "$UNBOUND_KEYFILE" ] ; then
+    # Unbound maintains it itself
+    rootkey_date=$( date -r $UNBOUND_KEYFILE +%s )
+    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
+    
+  elif [ -x "$UNBOUND_ANCHOR" ] ; then
+    # No tmpfs key - use unbound-anchor
+    rootkey_date=$( date -I +%s )
+    rootkey_age=$(( (rootkey_date - basekey_date) / 86440 )) 
+    $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
+    
+  else 
+    # give up
+    rootkey_age=0
+  fi
+
+
+  if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
+    filestuff=$( cat $UNBOUND_KEYFILE )
+    
+      
+    case "$filestuff" in
+      *NOERROR*)
+        # Header comment for drill and dig
+        logger -t unbound -s "root.key updated after $rootkey_age days"
+        cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
+        ;;
+        
+      *"state=2 [  VALID  ]"*)
+        # Comment inline to key for unbound-anchor
+        logger -t unbound -s "root.key updated after $rootkey_age days"
+        cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
+        ;;
+        
+      *) 
+        logger -t unbound -s "root.key still $rootkey_age days old" 
+        ;;
+    esac
+  fi
+}
+
+##############################################################################
+
+rootzone_update() {
+  rootzone_uci
+  roothints_update
+  rootkey_update
+}
+
+##############################################################################
+
--- a/net/unbound/files/unbound.sh
+++ b/net/unbound/files/unbound.sh
@ -0,0 +1,126 @@
+#!/bin/sh
+##############################################################################
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# Copyright (C) 2016 Eric Luehrsen
+#
+##############################################################################
+#
+# TODO: This file will build the UCI for Unbound. This iteration only puts
+# our default unbound configuration and root.key into /var/lib/unbound.
+#
+##############################################################################
+
+# TODO: Just default definitions versus real UCI coming soon.
+UNBOUND_B_MAN_CONF=1
+UNBOUND_B_DNSSEC=1
+UNBOUND_N_ROOT_AGE=7
+
+##############################################################################
+
+UNBOUND_ANCHOR=/usr/bin/unbound-anchor
+UNBOUND_CONTROL=/usr/bin/unbound-control
+
+UNBOUND_LIBDIR=/usr/lib/unbound
+
+UNBOUND_PIDFILE=/var/run/unbound.pid
+
+UNBOUND_VARDIR=/var/lib/unbound
+UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf
+UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
+UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
+UNBOUND_CHECKFILE=$UNBOUND_VARDIR/unbound.check
+
+##############################################################################
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+
+. $UNBOUND_LIBDIR/rootzone.sh
+
+##############################################################################
+
+unbound_mkdir() {
+  mkdir -p $UNBOUND_VARDIR
+  
+  
+  if [ -f /etc/unbound/root.hints ] ; then
+    # Your own local copy of root.hints
+    cp -p /etc/unbound/root.hints $UNBOUND_HINTFILE
+    
+  elif [ -f /usr/share/dns/root.hints ] ; then
+    # Debian-like package dns-root-data
+    cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE
+    
+  else
+    logger -t unbound -s "iterator will use built-in root hints"
+  fi
+  
+  
+  if [ -f /etc/unbound/root.key ] ; then
+    # Your own local copy of a root.key
+    cp -p /etc/unbound/root.key $UNBOUND_KEYFILE
+      
+  elif [ -f /usr/share/dns/root.key ] ; then
+    # Debian-like package dns-root-data
+    cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
+      
+  elif [ -x "$UNBOUND_ANCHOR" ] ; then 
+    $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
+        
+  else
+    logger -t unbound -s "validator will use built-in trust anchor"
+  fi
+}
+
+##############################################################################
+
+unbound_conf() {
+  # TODO: Just structure to real UCI coming soon.
+  if [ "$UNBOUND_B_MAN_CONF" -gt 0 -a -f /etc/unbound/unbound.conf ] ; then
+    # You don't want UCI and use your own manual configuration
+    cp -p /etc/unbound/unbound.conf $UNBOUND_CONFFILE
+  fi
+}
+
+##############################################################################
+
+unbound_own() {
+  # Debug UCI
+  {
+    echo "# $UNBOUND_CHECKFILE generated by UCI $( date )"
+    echo
+    set | grep ^UNBOUND_
+  } > $UNBOUND_CHECKFILE
+    
+  
+  if [ ! -f "$UNBOUND_CONFFILE" ] ; then
+    # if somehow this happened
+    touch $UNBOUND_CONFFILE
+  fi
+  
+  
+  # Ensure Access
+  chown -R unbound:unbound $UNBOUND_VARDIR
+  chmod 775 $UNBOUND_VARDIR
+  chmod 664 $UNBOUND_VARDIR/*
+}
+
+##############################################################################
+
+unbound_prepare() {
+  unbound_mkdir
+  unbound_conf
+  unbound_own
+}
+
+##############################################################################
+