unbound: Rewrite configuration and initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/rootfiles/packages/unbound

@@ -1,25 +1,17 @@
 etc/rc.d/init.d/unbound
 #etc/unbound
-#etc/unbound/blocklists
+etc/unbound/dhcp-leases.conf
 etc/unbound/forward.conf
 etc/unbound/icannbundle.pem
+etc/unbound/local.d
 etc/unbound/root.hints
 etc/unbound/root.key
 etc/unbound/unbound.conf
-etc/unbound/unbound_org.conf
-usr/bin/unbound-host
 #usr/include/unbound.h
 #usr/lib/libunbound.la
 #usr/lib/libunbound.so
 usr/lib/libunbound.so.2
 usr/lib/libunbound.so.2.4.1
-#usr/lib/python2.7/site-packages/_unbound.la
-usr/lib/python2.7/site-packages/_unbound.so
-usr/lib/python2.7/site-packages/daemonize.py
-usr/lib/python2.7/site-packages/dhcpd.py
-usr/lib/python2.7/site-packages/params.py
-usr/lib/python2.7/site-packages/unbound.py
-usr/lib/python2.7/site-packages/watcherdhcpd.py
 usr/sbin/unbound
 usr/sbin/unbound-anchor
 usr/sbin/unbound-checkconf

config/unbound/forward.conf

@@ -1,6 +0,0 @@
-forward-zone:
-  name: "."
-  forward-addr: 85.214.20.141
-  forward-addr: 194.150.168.168
-  forward-addr: 208.67.222.222
-  forward-addr: 208.67.220.220

config/unbound/unbound.conf

@@ -6,109 +6,82 @@
 #
 
 server:
-	# common server options
-	chroot: "/etc/unbound"
-	username: "unbound"
-	pidfile: "/var/run/unbound.pid"
+	# Common Server Options
+	chroot: ""
+	directory: "/etc/unbound"
+	username: "nobody"
 	num-threads: 2
 	port: 53
 	do-ip4: yes
 	do-ip6: no
 	do-udp: yes
 	do-tcp: yes
-	prefetch: yes
 	so-reuseport: yes
-	cache-min-ttl: 3600
-	cache-max-ttl: 86400
-	unwanted-reply-threshold: 10000
 	do-not-query-localhost: yes
 
-	# logging options
-	logfile: "log/unbound.log"
-	use-syslog: no
+	# Logging Options
 	verbosity: 1
-	log-queries: no
+	use-syslog: yes
 	log-time-ascii: yes
+	log-queries: no
 
 	# Unbound Statistics
-	statistics-interval: 3600
+	statistics-interval: 0
 	statistics-cumulative: yes
 	extended-statistics: yes
 
-	# privacy options
+	# Cache Sizes
+	msg-cache-size: 8m
+	rrset-cache-size: 8m
+	key-cache-size: 4m
+	prefetch: yes
+	prefetch-key: yes
+
+	# Randomise any cached responses
+	rrset-roundrobin: yes
+
+	# Privacy Options
 	hide-identity: yes
 	hide-version: yes
 	qname-minimisation: yes
 	minimal-responses: yes
 
-	# hardening options (some experimental)
-	harden-glue: yes
-	harden-large-queries: yes
-	harden-dnssec-stripped: yes
-	harden-short-bufsize: no
-	harden-below-nxdomain: no
-	harden-referral-path: no
-	harden-algo-downgrade: no
-	use-caps-for-id: yes
-
-	# listen on localhost interface
-	interface: 127.0.0.1
-
-	# file with ipfire interfaces
-	include:  "/etc/unbound/interfaces.conf"
-
-	# control which clients are allowed to make (recursive) queries
-	access-control: 0.0.0.0/0 refuse
-	access-control: 127.0.0.0/8 allow
-	access-control: ::0/0 refuse
-	access-control: ::1 allow
-	access-control: ::ffff:127.0.0.1 allow
-
-	# file with ipfire networks
-	include: "/etc/unbound/access.conf"
-
-	# dnssec main options
+	# DNSSEC
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+	val-permissive-mode: no
 	val-clean-additional: yes
 	val-log-level: 1
-	# file with ipfire dnssec configuration
-	include:  "/etc/unbound/dnssec.conf"
 
-	# DNS Rebinding
-	# For DNS Rebinding prevention
-	#
-	# All these addresses are either private or should not be routable in the global IPv4 or IPv6 internet.
-	# IPv4 Addresses
-	private-address: 0.0.0.0/8       # Broadcast address
-	private-address: 10.0.0.0/8
-	private-address: 127.0.0.0/8     # Loopback Localhost
-	private-address: 172.16.0.0/12
-	private-address: 192.168.0.0/16
-	private-address: 169.254.0.0/16
-	private-address: 198.18.0.0/15   # Used for testing inter-network communications
-	private-address: 198.51.100.0/24 # Documentation network TEST-NET-2
-	private-address: 203.0.113.0/24  # Documentation network TEST-NET-3
-	private-address: 233.252.0.0/24  # Documentation network MCAST-TEST-NET
-	# IPv6 Addresses
-	private-address: ::1/128         # Loopback Localhost
-	private-address: 2001:db8::/32   # Documentation network IPv6
-	private-address: fc00::/8        # Unique local address (ULA) part of "fc00::/7", not defined yet
-	private-address: fd00::/8        # Unique local address (ULA) part of "fc00::/7", "/48" prefix group
-	private-address: fe80::/10       # Link-local address (LLA)
+	# Hardening Options
+	harden-glue: yes
+	harden-short-bufsize: no
+	harden-large-queries: yes
+	harden-dnssec-stripped: yes
+	harden-below-nxdomain: yes
+	harden-referral-path: yes
+	harden-algo-downgrade: no
+	use-caps-for-id: no
 
-	# file with root servers 
+	# Deny access from everywhere
+	access-control: 0.0.0.0/0 refuse
+
+	# Listen on localhost
+	interface: 127.0.0.1
+	access-control: 127.0.0.0/8 allow
+
+	# Bootstrap root servers
 	root-hints: "/etc/unbound/root.hints"
 
-	# custom DNS zone files
-	include: "/etc/unbound/zones/*.conf"
+	# IPFire interface configuration
+	include: "/etc/unbound/interfaces.conf"
+	interface-automatic: no
 
-	# DHCP leases (if configured)
-	include: /etc/unbound/dhcpleases.conf
+	# Include DHCP leases
+	include: "/etc/unbound/dhcp-leases.conf"
 
-	# Blocklists
-	include: "/etc/unbound/blocklists/*.conf"
-# end server config
+	# Include any forward zones
+	include: "/etc/unbound/forward.conf"
 
-# enable remote control only on localhost
 remote-control:
 	control-enable: yes
 	control-use-cert: yes
@@ -117,7 +90,6 @@ remote-control:
 	server-cert-file: "/etc/unbound/unbound_server.pem"
 	control-key-file: "/etc/unbound/unbound_control.key"
 	control-cert-file: "/etc/unbound/unbound_control.pem"
-# end remote control config
 
-# custom DNS forward config
-include: "/etc/unbound/forward.conf"
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"

lfs/unbound

@@ -80,11 +80,16 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 			--with-libevent
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
-	# add ipfire config
-	mkdir -pv /etc/unbound/blocklists
-	mv -v /etc/unbound/unbound.conf /etc/unbound/unbound_org.conf
-	install -v -m 644 $(DIR_SRC)/config/unbound/*.conf /etc/unbound/
-	install -v -m 644 $(DIR_SRC)/config/unbound/root.hints /etc/unbound/
+
+	# Install configuration
+	install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \
+		/etc/unbound/unbound.conf
+	touch /etc/unbound/{dhcp-leases,forward}.conf
+	-mkdir -pv /etc/unbound/local.d
+
+	# Install root hints
+	install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \
+		/etc/unbound/root.hints
 
 	# Install DHCP leases bridge
 	install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \

src/initscripts/init.d/unbound

@@ -10,18 +10,10 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
-if [[ ! -d /run/var ]]; then mkdir /run/var; fi;
+USE_FORWARDERS=1
 
-CONTROL_INTERFACE_FILE=1
-CONTROL_ACCESS_FILE=1
-USE_CUSTOM_FORWARDS=0
-ENABLE_DNSSEC=1
-
-# Unbound daemon pid file
-PIDFILE=/var/run/unbound.pid
-
-# Watcher deamon pid file must be the same in unbound main init script
-WAPIDFILE=/var/run/unbound_dhcpd.pid
+# Load optional configuration
+[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
 
 function cidr() {
     local cidr nbits IFS;
@@ -47,132 +39,124 @@ function cidr() {
     echo "${cidr}/${nbits}"
 }
 
+read_name_servers() {
+	local i
+	for i in 1 2; do
+		echo "$(</var/ipfire/red/dns${i})"
+	done | xargs echo
+}
+
+config_header() {
+	echo "# This file is automatically generated and any changes"
+	echo "# will be overwritten. DO NOT EDIT!"
+	echo
+}
+
+update_forwarders() {
+	local forwarders="$(read_name_servers)"
+
+	if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
+		boot_mesg "Using Name Server(s): ${forwarders}"
+		boot_mesg_flush
+
+		unbound-control -q forward ${forwarders}
+
+	# If forwarders cannot be used we run in recursor mode
+	else
+		unbound-control -q forward off
+	fi
+}
+
+write_interfaces_conf() {
+	(
+		config_header
+
+		if [ -n "${GREEN_ADDRESS}" ]; then
+			echo "# GREEN"
+			echo "interface: ${GREEN_ADDRESS}"
+			echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
+		fi
+
+		if [ -n "${BLUE_ADDRESS}" ]; then
+			echo "# BLUE"
+			echo "interface: ${BLUE_ADDRESS}"
+			echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
+		fi
+	) > /etc/unbound/interfaces.conf
+}
+
+write_forward_conf() {
+	(
+		config_header
+
+		local enabled zone server remark
+		while IFS="," read -r enabled zone server remark; do
+			# Line must be enabled.
+			[ "${enabled}" = "on" ] || continue
+
+			echo "forward-zone:"
+			echo "	name: ${zone}"
+			echo "	forward-addr: ${server}"
+			echo
+		done < /var/ipfire/dnsforward/config
+	) > /etc/unbound/forward.conf
+}
+
+
 case "$1" in
 	start)
+		eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+		eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
 
-	  if [[ -f ${PIDFILE} ]]; then
-	    log_warning_msg "Unbound daemon is running with Process ID $(cat ${PIDFILE})"
-	  else
-	    eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-	    #ARGS="$CUSTOM_ARGS"
-	    #[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
+		# Create control keys at first run
+		if [ ! -r "/etc/unbound/unbound_control.key" ]; then
+			unbound-control-setup -d /etc/unbound &>/dev/null
+		fi
 
-	    echo > /var/ipfire/red/resolv.conf # Clear it
-	    if [ -e "/var/ipfire/red/dns1" ]; then
-	       DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
-	      if [ ! -z ${DNS1} ]; then
-		echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
-		NAMESERVERS="${DNS1} "
-	      fi
-	    fi
-	    if [ -e "/var/ipfire/red/dns2" ]; then
-	      DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
-	      if [ ! -z ${DNS2} ]; then
-		echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
-		NAMESERVERS+="${DNS2} "
-	      fi
-	    fi
+		# Update configuration files
+		write_interfaces_conf
+		write_forward_conf
 
-	    # create unbound interfaces.conf
-	    if [ ${CONTROL_INTERFACE_FILE} = 1 ]; then
-		  echo -n > /etc/unbound/interfaces.conf # Clear it
-	      if [ ! -z ${GREEN_ADDRESS} ]; then
-		echo "interface: ${GREEN_ADDRESS}" >> /etc/unbound/interfaces.conf
-	      fi
-	      if [ ! -z ${BLUE_ADDRESS} ]; then
-		echo "interface: ${BLUE_ADDRESS}" >> /etc/unbound/interfaces.conf
-	      fi
-		if [ ! -z ${ORANGE_ADDRESS} ]; then
-		echo "interface: ${ORANGE_ADDRESS}" >> /etc/unbound/interfaces.conf
-	      fi
-	    fi
+		boot_mesg "Starting Unbound DNS Proxy..."
+		loadproc /usr/sbin/unbound || exit $?
 
-	    # create unbound access.conf
-	    if [ ${CONTROL_ACCESS_FILE} = 1 ]; then
-	      echo -n > /etc/unbound/access.conf # Clear it
-	      if [ ! -z ${GREEN_ADDRESS} ]; then
-		echo "access-control: $(cidr ${GREEN_ADDRESS} ${GREEN_NETMASK}) allow" >> /etc/unbound/access.conf
-	      fi
-	      if [ ! -z ${BLUE_ADDRESS} ]; then
-		echo "access-control: $(cidr ${BLUE_ADDRESS} ${BLUE_NETMASK}) allow" >> /etc/unbound/access.conf
-	      fi
-	      if [ ! -z ${ORANGE_ADDRESS} ]; then
-		echo "access-control: $(cidr ${ORANGE_ADDRESS} ${ORANGE_NETMASK}) allow" >> /etc/unbound/access.conf
-	      fi
-	    fi
+		# Update any known forwarding name servers
+		update_forwarders
 
-	    # create unbound dnssec.conf
-	    echo -n > /etc/unbound/dnssec.conf # Clear it
-	    if [ ${ENABLE_DNSSEC} = 1 ]; then
-	      echo "	# dessec enabled per default" >> /etc/unbound/dnssec.conf
-	      echo "	# no necessary config options in this file" >> /etc/unbound/dnssec.conf
-	    else
-	      echo "	# dnssec now disabled" >> /etc/unbound/dnssec.conf
-	      echo "	module-config: iterator" >> /etc/unbound/dnssec.conf
-	      echo "	val-permissive-mode: yes" >> /etc/unbound/dnssec.conf
-	    fi
-
-	    # create zone file for internal ipfire domain 
-	    unbound-zone
-
-	    boot_mesg "Starting Unbound DNS proxy..."
-	    unbound-anchor
-	    loadproc /usr/sbin/unbound
-
-	    # start dhcpd watcher daemon if DNS-Update (RFC2136) activated
-	    eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
-	    if [[ ${DNS_UPDATE_ENABLED} = on && ! -f ${WAPIDFILE} ]]; then
-	      /etc/rc.d/init.d/unbound-dhcpd start
-	    fi
-
-	    # use setup configured DNS servers 
-	    if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
-	       unbound-control forward_add +i . ${NAMESERVERS} &> /dev/null
-	    fi;
-
-	    FORWADRS=$(unbound-control list_forwards |sed 's|. IN forward ||g'|sed 's|+i ||g')
-	    if [ "${USE_CUSTOM_FORWARDS}" -eq 0 ]; then
-	      boot_mesg "Using DNS server(s): ${FORWADRS}"
-	    else
-	      boot_mesg "Using custom DNS server(s): ${FORWADRS}"
-	    fi
-	    if [ ${ENABLE_DNSSEC} = 1 ]; then
-	      boot_mesg "DNSSEC is enabled!"
-	    else
-	      boot_mesg "DNSSEC is disabled!"
-	    fi
-	  fi 
-	  ;;
+		# Start Unbound DHCP Lease Bridge unless RFC2136 is used
+		if [ "${DNS_UPDATE_ENABLED}" != on ]; then
+			boot_mesg "Starting Unbound DHCP Leases Bridge..."
+			loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
+		fi
+		;;
 
 	stop)
+		boot_mesg "Stopping Unbound DHCP Leases Bridge..."
+		killproc /usr/sbin/unbound-dhcp-leases-bridge
 
-	  if [[ -f ${PIDFILE} ]]; then
-	    # stop dhcpd watcher daemon if activted
-	    if [[ -f ${WAPIDFILE} ]]; then
-	      /etc/rc.d/init.d/unbound-dhcpd stop
-	    fi
-	    # stop Unbound daemon
-	    boot_mesg "Stopping Unbound DNS proxy..."
-	    killproc -p "/var/run/unbound.pid" /usr/sbin/unbound
-	  else
-	    log_warning_msg "Unbound daemon is not running..."
-	  fi
-	  ;;
+		boot_mesg "Stopping Unbound DNS Proxy..."
+		killproc /usr/sbin/unbound
+		;;
 
 	restart)
-	  $0 stop
-	  sleep 1
-	  $0 start
-	  ;;
+		$0 stop
+		sleep 1
+		$0 start
+		;;
 
 	status)
-	  statusproc /usr/sbin/unbound
-	  ;;
+		statusproc /usr/sbin/unbound
+		statusproc /usr/sbin/unbound-dhcp-leases-bridge
+		;;
+
+	update-forwarders)
+		update_forwarders
+		;;
 
 	*)
-	  echo "Usage: $0 {start|stop|restart|status}"
-	  exit 1
-	  ;;
+		echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+		exit 1
+		;;
 esac
 
 # End $rc_base/init.d/unbound