2 ##############################################################################
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License version 2 as
6 # published by the Free Software Foundation.
8 # This program is distributed in the hope that it will be useful,
9 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # GNU General Public License for more details.
13 # Copyright (C) 2016 Eric Luehrsen
15 ##############################################################################
17 # This component needs to be used within the unbound.sh as an include. It uses
18 # defaults and UCI scope variables defined there. It will copy root.key back
19 # to /etc/unbound/ periodically, but avoid ROM flash abuse (UCI option).
21 ##############################################################################
26 # This will likely be called outside of "start_service()" context
27 config_get_bool UNBOUND_B_DNSSEC "$cfg" validator 0
28 config_get_bool UNBOUND_B_NTP_BOOT "$cfg" validator_ntp 1
29 config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
32 ##############################################################################
35 # TODO: Might not be implemented. Unbound doesn't natively update hints.
36 # Unbound philosophy is built in root hints are good for machine life.
40 ##############################################################################
43 local basekey_date rootkey_date rootkey_age filestuff
46 if [ "$UNBOUND_N_ROOT_AGE" -gt 90 -o "$UNBOUND_B_DNSSEC" -lt 1 ] ; then
50 elif [ "$UNBOUND_B_NTP_BOOT" -gt 0 -a ! -f "$UNBOUND_TIMEFILE" ] ; then
51 # We don't have time yet
56 if [ -f /etc/unbound/root.key ] ; then
57 basekey_date=$( date -r /etc/unbound/root.key +%s )
60 # No persistent storage key
61 basekey_date=$( date -d 2000-01-01 +%s )
65 if [ -f "$UNBOUND_KEYFILE" ] ; then
66 # Unbound maintains it itself
67 rootkey_date=$( date -r $UNBOUND_KEYFILE +%s )
68 rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
70 elif [ -x "$UNBOUND_ANCHOR" ] ; then
71 # No tmpfs key - use unbound-anchor
72 rootkey_date=$( date -I +%s )
73 rootkey_age=$(( (rootkey_date - basekey_date) / 86440 ))
74 $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
82 if [ "$rootkey_age" -gt "$UNBOUND_N_ROOT_AGE" ] ; then
83 filestuff=$( cat $UNBOUND_KEYFILE )
88 # Header comment for drill and dig
89 logger -t unbound -s "root.key updated after $rootkey_age days"
90 cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
93 *"state=2 [ VALID ]"*)
94 # Comment inline to key for unbound-anchor
95 logger -t unbound -s "root.key updated after $rootkey_age days"
96 cp -p $UNBOUND_KEYFILE /etc/unbound/root.key
100 logger -t unbound -s "root.key still $rootkey_age days old"
106 ##############################################################################
109 # Partial UCI fetch for this functional group
111 config_foreach rootzone_uci unbound
113 # You need root.hints and root.key to boot strap recursion
118 ##############################################################################