2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # This component will copy root.key back to /etc/unbound/ periodically, but
18 # avoid ROM flash abuse (UCI option).
20 ##############################################################################
22 . /usr/lib/unbound/defaults.sh
24 ##############################################################################
27 # TODO: Might not be implemented. Unbound doesn't natively update hints.
28 # Unbound philosophy is built in root hints are good for machine life.
32 ##############################################################################
35 local basekey_date rootkey_date rootkey_age filestuff
36 local dnssec=$( uci_get unbound.@unbound[0].validator )
37 local dnssec_ntp=$( uci_get unbound.@unbound[0].validator_ntp )
38 local dnssec_age=$( uci_get unbound.@unbound[0].root_age )
41 [ -z "$dnssec" ] && dnssec=0
42 [ -z "$dnssec_ntp" ] && dnssec_ntp=1
43 [ -z "$dnssec_age" ] && dnssec_age=9
46 if [ "$dnssec_age" -gt 90 -o "$dnssec" -lt 1 ] ; then
50 elif [ "$dnssec_ntp" -gt 0 -a ! -f "$UB_TIME_FILE" ] ; then
51 # We don't have time yet
56 if [ -f /etc/unbound/root.key ] ; then
57 basekey_date=$( date -r /etc/unbound/root.key +%s )
60 # No persistent storage key
61 basekey_date=$( date -d 2000-01-01 +%s )
65 if [ -f "$UB_RKEY_FILE" ] ; then
66 # Unbound maintains it itself
67 rootkey_date=$( date -r $UB_RKEY_FILE +%s )
68 rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
70 elif [ -x "$UB_ANCHOR" ] ; then
71 # No tmpfs key - use unbound-anchor
72 rootkey_date=$( date -I +%s )
73 rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
74 $UB_ANCHOR -a $UB_RKEY_FILE
82 if [ "$rootkey_age" -gt "$dnssec_age" ] ; then
83 filestuff=$( cat $UB_RKEY_FILE )
88 # Header comment for drill and dig
89 logger -t unbound -s "root.key updated after $rootkey_age days"
90 cp -p $UB_RKEY_FILE /etc/unbound/root.key
93 *"state=2 [ VALID ]"*)
94 # Comment inline to key for unbound-anchor
95 logger -t unbound -s "root.key updated after $rootkey_age days"
96 cp -p $UB_RKEY_FILE /etc/unbound/root.key
100 logger -t unbound -s "root.key still $rootkey_age days old"
106 ##############################################################################
109 case $( cat /tmp/resolv.conf ) in
110 *"generated by Unbound UCI"*)
111 # our resolver file, reset to auto resolver file.
112 rm -f /tmp/resolv.conf
113 ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
118 ##############################################################################
126 ##############################################################################