[librecmc/package-feed.git] / net / unbound / files / unbound.sh

#!/bin/sh
##############################################################################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Copyright (C) 2016 Eric Luehrsen
#
##############################################################################
#
# This builds the basic UCI components currently supported for Unbound. It is
# intentionally NOT comprehensive and bundles a lot of options. The UCI is to
# be a simpler presentation of the total Unbound conf set.
#
##############################################################################

UNBOUND_B_CONTROL=0
UNBOUND_B_SLAAC6_MAC=0
UNBOUND_B_DNSSEC=0
UNBOUND_B_DNS64=0
UNBOUND_B_GATE_NAME=0
UNBOUND_B_HIDE_BIND=1
UNBOUND_B_LOCL_BLCK=0
UNBOUND_B_LOCL_SERV=1
UNBOUND_B_MAN_CONF=0
UNBOUND_B_NTP_BOOT=1
UNBOUND_B_PRIV_BLCK=1
UNBOUND_B_QUERY_MIN=0
UNBOUND_B_QRY_MINST=0

UNBOUND_D_DOMAIN_TYPE=static
UNBOUND_D_DHCP_LINK=none
UNBOUND_D_LAN_FQDN=0
UNBOUND_D_PROTOCOL=mixed
UNBOUND_D_RESOURCE=small
UNBOUND_D_RECURSION=passive
UNBOUND_D_WAN_FQDN=0

UNBOUND_IP_DNS64="64:ff9b::/96"

UNBOUND_N_EDNS_SIZE=1280
UNBOUND_N_FWD_PORTS=""
UNBOUND_N_RX_PORT=53
UNBOUND_N_ROOT_AGE=9

UNBOUND_TTL_MIN=120

UNBOUND_TXT_DOMAIN=lan
UNBOUND_TXT_FWD_ZONE=""
UNBOUND_TXT_HOSTNAME=thisrouter

##############################################################################

UNBOUND_LIBDIR=/usr/lib/unbound
UNBOUND_VARDIR=/var/lib/unbound

UNBOUND_PIDFILE=/var/run/unbound.pid

UNBOUND_SRV_CONF=$UNBOUND_VARDIR/unbound_srv.conf
UNBOUND_EXT_CONF=$UNBOUND_VARDIR/unbound_ext.conf
UNBOUND_DHCP_CONF=$UNBOUND_VARDIR/unbound_dhcp.conf
UNBOUND_CONFFILE=$UNBOUND_VARDIR/unbound.conf

UNBOUND_KEYFILE=$UNBOUND_VARDIR/root.key
UNBOUND_HINTFILE=$UNBOUND_VARDIR/root.hints
UNBOUND_TIMEFILE=$UNBOUND_VARDIR/unbound.time

##############################################################################

UNBOUND_ANCHOR=/usr/sbin/unbound-anchor
UNBOUND_CONTROL=/usr/sbin/unbound-control
UNBOUND_CONTROL_CFG="$UNBOUND_CONTROL -c $UNBOUND_CONFFILE"

##############################################################################

. /lib/functions.sh
. /lib/functions/network.sh

. $UNBOUND_LIBDIR/dnsmasq.sh
. $UNBOUND_LIBDIR/iptools.sh
. $UNBOUND_LIBDIR/rootzone.sh

##############################################################################

copy_dash_update() {
  # TODO: remove this function and use builtins when this issues is resovled.
  # Due to OpenWrt/LEDE divergence "cp -u" isn't yet universally available.
  local filetime keeptime


  if [ -f $UNBOUND_KEYFILE.keep ] ; then
    # root.key.keep is reused if newest
    filetime=$( date -r $UNBOUND_KEYFILE +%s )
    keeptime=$( date -r $UNBOUND_KEYFILE.keep +%s )


    if [ $keeptime -gt $filetime ] ; then
      cp $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
    fi


    rm -f $UNBOUND_KEYFILE.keep
  fi
}

##############################################################################

create_interface_dns() {
  local cfg="$1"
  local ipcommand logint ignore ifname ifdashname
  local name names address addresses
  local ulaprefix if_fqdn host_fqdn mode mode_ptr

  # Create local-data: references for this hosts interfaces (router).
  config_get logint "$cfg" interface
  config_get_bool ignore "$cfg" ignore 0
  network_get_device ifname "$cfg"

  ifdashname="${ifname//./-}"
  ipcommand="ip -o address show $ifname"
  addresses="$($ipcommand | awk '/inet/{sub(/\/.*/,"",$4); print $4}')"
  ulaprefix="$(uci_get network @globals[0] ula_prefix)"
  host_fqdn="$UNBOUND_TXT_HOSTNAME.$UNBOUND_TXT_DOMAIN"
  if_fqdn="$ifdashname.$host_fqdn"


  if [ -z "${ulaprefix%%:/*}" ] ; then
    # Nonsense so this option isn't globbed below
    ulaprefix="fdno:such:addr::/48"
  fi


  if [ "$ignore" -gt 0 ] ; then
    mode="$UNBOUND_D_WAN_FQDN"
  else
    mode="$UNBOUND_D_LAN_FQDN"
  fi


  case "$mode" in
  3)
    mode_ptr="$host_fqdn"
    names="$host_fqdn  $UNBOUND_TXT_HOSTNAME"
    ;;

  4)
    if [ -z "$ifdashname" ] ; then
      # race conditions at init can rarely cause a blank device return
      # the record format is invalid and Unbound won't load the conf file
      mode_ptr="$host_fqdn"
      names="$host_fqdn  $UNBOUND_TXT_HOSTNAME"
    else
      mode_ptr="$if_fqdn"
      names="$if_fqdn  $host_fqdn  $UNBOUND_TXT_HOSTNAME"
    fi
    ;;

  *)
    mode_ptr="$UNBOUND_TXT_HOSTNAME"
    names="$UNBOUND_TXT_HOSTNAME"
    ;;
  esac


  if [ "$mode" -gt 1 ] ; then
    {
      for address in $addresses ; do
        case $address in
        fe80:*|169.254.*)
          echo "  # note link address $address"
          ;;

        [1-9a-f]*:*[0-9a-f])
          # GA and ULA IP6 for HOST IN AAA records (ip command is robust)
          for name in $names ; do
            echo "  local-data: \"$name. 120 IN AAAA $address\""
          done
          echo "  local-data-ptr: \"$address 120 $mode_ptr\""
          ;;

        [1-9]*.*[0-9])
          # Old fashioned HOST IN A records
          for name in $names ; do
            echo "  local-data: \"$name. 120 IN A $address\""
          done
          echo "  local-data-ptr: \"$address 120 $mode_ptr\""
          ;;
        esac
      done
      echo
    } >> $UNBOUND_CONFFILE

  elif [ "$mode" -gt 0 ] ; then
    {
      for address in $addresses ; do
        case $address in
        fe80:*|169.254.*)
          echo "  # note link address $address"
          ;;

        "${ulaprefix%%:/*}"*)
          # Only this networks ULA and only hostname
          echo "  local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN AAAA $address\""
          echo "  local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
          ;;

        [1-9]*.*[0-9])
          echo "  local-data: \"$UNBOUND_TXT_HOSTNAME. 120 IN A $address\""
          echo "  local-data-ptr: \"$address 120 $UNBOUND_TXT_HOSTNAME\""
          ;;
        esac
      done
      echo
    } >> $UNBOUND_CONFFILE
  fi
}

##############################################################################

create_access_control() {
  local cfg="$1"
  local subnets subnets4 subnets6
  local validip4 validip6

  network_get_subnets  subnets4 "$cfg"
  network_get_subnets6 subnets6 "$cfg"
  subnets="$subnets4 $subnets6"


  if [ -n "$subnets" ] ; then
    for subnet in $subnets ; do
      validip4=$( valid_subnet4 $subnet )
      validip6=$( valid_subnet6 $subnet )


      if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
        # For each "network" UCI add "access-control:" white list for queries
        echo "  access-control: $subnet allow" >> $UNBOUND_CONFFILE
      fi
    done
  fi
}

##############################################################################

create_domain_insecure() {
  echo "  domain-insecure: \"$1\"" >> $UNBOUND_CONFFILE
}

##############################################################################

unbound_mkdir() {
  local resolvsym=0
  local dhcp_origin=$( uci get dhcp.@odhcpd[0].leasefile )
  local dhcp_dir=$( dirname "$dhcp_origin" )
  local filestuff


  if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
    resolvsym=1
  else
    /etc/init.d/dnsmasq enabled || resolvsym=1
  fi


  if [ "$resolvsym" -gt 0 ] ; then
    rm -f /tmp/resolv.conf


    {
      # Set resolver file to local but not if /etc/init.d/dnsmasq will do it.
      echo "nameserver 127.0.0.1"
      echo "nameserver ::1"
      echo "search $UNBOUND_TXT_DOMAIN"
    } > /tmp/resolv.conf
  fi


  if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" -a ! -d "$dhcp_dir" ] ; then
    # make sure odhcpd has a directory to write (not done itself, yet)
    mkdir -p "$dhcp_dir"
  fi


  if [ -f $UNBOUND_KEYFILE ] ; then
    filestuff=$( cat $UNBOUND_KEYFILE )


    case "$filestuff" in
      *"state=2 [  VALID  ]"*)
        # Lets not lose RFC 5011 tracking if we don't have to
        cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
        ;;
    esac
  fi


  # Blind copy /etc/ to /var/lib/
  mkdir -p $UNBOUND_VARDIR
  rm -f $UNBOUND_VARDIR/dhcp_*
  touch $UNBOUND_CONFFILE
  touch $UNBOUND_SRV_CONF
  touch $UNBOUND_EXT_CONF
  cp -p /etc/unbound/* $UNBOUND_VARDIR/


  if [ ! -f $UNBOUND_HINTFILE ] ; then
    if [ -f /usr/share/dns/root.hints ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE

    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "iterator will use built-in root hints"
    fi
  fi


  if [ ! -f $UNBOUND_KEYFILE ] ; then
    if [ -f /usr/share/dns/root.key ] ; then
      # Debian-like package dns-root-data
      cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE

    elif [ -x $UNBOUND_ANCHOR ] ; then
      $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE

    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "validator will use built-in trust anchor"
    fi
  fi


  copy_dash_update


  # Ensure access and prepare to jail
  chown -R unbound:unbound $UNBOUND_VARDIR
  chmod 775 $UNBOUND_VARDIR
  chmod 664 $UNBOUND_VARDIR/*
}

##############################################################################

unbound_control() {
  if [ "$UNBOUND_B_CONTROL" -gt 0 ] ; then
    {
      # Enable remote control tool, but only at local host for security
      # You can hand write fancier encrypted access with /etc/..._ext.conf
      echo "remote-control:"
      echo "  control-enable: yes"
      echo "  control-use-cert: no"
      echo "  control-interface: 127.0.0.1"
      echo "  control-interface: ::1"
      echo
    } >> $UNBOUND_CONFFILE
  fi


  {
    # Amend your own extended clauses here like forward zones or disable
    # above (local, no encryption) and amend your own remote encrypted control
    echo
    echo "include: $UNBOUND_EXT_CONF" >> $UNBOUND_CONFFILE
    echo
  } >> $UNBOUND_CONFFILE
}

##############################################################################

unbound_conf() {
  local cfg="$1"
  local rt_mem rt_conn modulestring


  {
    # Make fresh conf file
    echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
    echo
  } > $UNBOUND_CONFFILE


  {
    # No threading
    echo "server:"
    echo "  username: unbound"
    echo "  num-threads: 1"
    echo "  msg-cache-slabs: 1"
    echo "  rrset-cache-slabs: 1"
    echo "  infra-cache-slabs: 1"
    echo "  key-cache-slabs: 1"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Logging
    echo "  verbosity: 1"
    echo "  statistics-interval: 0"
    echo "  statistics-cumulative: no"
    echo "  extended-statistics: no"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Interfaces (access contol "option local_service")
    echo "  interface: 0.0.0.0"
    echo "  interface: ::0"
    echo "  outgoing-interface: 0.0.0.0"
    echo "  outgoing-interface: ::0"
    echo
  } >> $UNBOUND_CONFFILE


  case "$UNBOUND_D_PROTOCOL" in
    ip4_only)
      {
        echo "  do-ip4: yes"
        echo "  do-ip6: no"
      } >> $UNBOUND_CONFFILE
      ;;

    ip6_only)
      {
        echo "  do-ip4: no"
        echo "  do-ip6: yes"
      } >> $UNBOUND_CONFFILE
      ;;

    ip6_prefer)
      {
        echo "  do-ip4: yes"
        echo "  do-ip6: yes"
        echo "  prefer-ip6: yes"
      } >> $UNBOUND_CONFFILE
      ;;

    *)
      {
        echo "  do-ip4: yes"
        echo "  do-ip6: yes"
      } >> $UNBOUND_CONFFILE
      ;;
  esac


  {
    # protocol level tuning
    echo "  edns-buffer-size: $UNBOUND_N_EDNS_SIZE"
    echo "  msg-buffer-size: 8192"
    echo "  port: $UNBOUND_N_RX_PORT"
    echo "  outgoing-port-permit: 10240-65535"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Other harding and options for an embedded router
    echo "  harden-short-bufsize: yes"
    echo "  harden-large-queries: yes"
    echo "  harden-glue: yes"
    echo "  harden-below-nxdomain: no"
    echo "  harden-referral-path: no"
    echo "  use-caps-for-id: no"
    echo
  } >> $UNBOUND_CONFFILE


  {
    # Default Files
    echo "  use-syslog: yes"
    echo "  chroot: \"$UNBOUND_VARDIR\""
    echo "  directory: \"$UNBOUND_VARDIR\""
    echo "  pidfile: \"$UNBOUND_PIDFILE\""
  } >> $UNBOUND_CONFFILE


  if [ -f "$UNBOUND_HINTFILE" ] ; then
    # Optional hints if found
    echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
  fi


  if [ "$UNBOUND_B_DNSSEC" -gt 0 -a -f "$UNBOUND_KEYFILE" ] ; then
    {
      echo "  auto-trust-anchor-file: \"$UNBOUND_KEYFILE\""
      echo
    } >> $UNBOUND_CONFFILE

  else
    echo >> $UNBOUND_CONFFILE
  fi


  case "$UNBOUND_D_RESOURCE" in
    # Tiny - Unbound's recommended cheap hardware config
    tiny)   rt_mem=1  ; rt_conn=1 ;;
    # Small - Half RRCACHE and open ports
    small)  rt_mem=8  ; rt_conn=5 ;;
    # Medium - Nearly default but with some added balancintg
    medium) rt_mem=16 ; rt_conn=10 ;;
    # Large - Double medium
    large)  rt_mem=32 ; rt_conn=10 ;;
    # Whatever unbound does
    *) rt_mem=0 ; rt_conn=0 ;;
  esac


  if [ "$rt_mem" -gt 0 ] ; then
    {
      # Set memory sizing parameters
      echo "  outgoing-range: $(($rt_conn*64))"
      echo "  num-queries-per-thread: $(($rt_conn*32))"
      echo "  outgoing-num-tcp: $(($rt_conn))"
      echo "  incoming-num-tcp: $(($rt_conn))"
      echo "  rrset-cache-size: $(($rt_mem*256))k"
      echo "  msg-cache-size: $(($rt_mem*128))k"
      echo "  key-cache-size: $(($rt_mem*128))k"
      echo "  neg-cache-size: $(($rt_mem*64))k"
      echo "  infra-cache-numhosts: $(($rt_mem*256))"
      echo
    } >> $UNBOUND_CONFFILE

  elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
    logger -t unbound -s "default memory resource consumption"
  fi

  # Assembly of module-config: options is tricky; order matters
  modulestring="iterator"


  if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
    if [ ! -f "$UNBOUND_TIMEFILE" -a "$UNBOUND_B_NTP_BOOT" -gt 0 ] ; then
      # DNSSEC chicken and egg with getting NTP time
      echo "  val-override-date: -1" >> $UNBOUND_CONFFILE
    fi


    {
      echo "  harden-dnssec-stripped: yes"
      echo "  val-clean-additional: yes"
      echo "  ignore-cd-flag: yes"
    } >> $UNBOUND_CONFFILE


    modulestring="validator $modulestring"
  fi


  if [ "$UNBOUND_B_DNS64" -gt 0 ] ; then
    echo "  dns64-prefix: $UNBOUND_IP_DNS64" >> $UNBOUND_CONFFILE

    modulestring="dns64 $modulestring"
  fi


  {
    # Print final module string
    echo "  module-config: \"$modulestring\""
    echo
  }  >> $UNBOUND_CONFFILE


  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
    {
      # Some query privacy but "strict" will break some name servers
      echo "  qname-minimisation: yes"
      echo "  qname-minimisation-strict: yes"
    } >> $UNBOUND_CONFFILE

  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
    # Minor improvement on query privacy
    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE

  else
    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
  fi


  case "$UNBOUND_D_RECURSION" in
    passive)
      {
        echo "  prefetch: no"
        echo "  prefetch-key: no"
        echo "  target-fetch-policy: \"0 0 0 0 0\""
        echo
      } >> $UNBOUND_CONFFILE
      ;;

    aggressive)
      {
        echo "  prefetch: yes"
        echo "  prefetch-key: yes"
        echo "  target-fetch-policy: \"3 2 1 0 0\""
        echo
      } >> $UNBOUND_CONFFILE
      ;;

    *)
      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
        logger -t unbound -s "default recursion configuration"
      fi
      ;;
  esac


  {
    # Reload records more than 10 hours old
    # DNSSEC 5 minute bogus cool down before retry
    # Adaptive infrastructure info kept for 15 minutes
    echo "  cache-min-ttl: $UNBOUND_TTL_MIN"
    echo "  cache-max-ttl: 36000"
    echo "  val-bogus-ttl: 300"
    echo "  infra-host-ttl: 900"
    echo
  } >> $UNBOUND_CONFFILE


  if [ "$UNBOUND_B_HIDE_BIND" -gt 0 ] ; then
    {
      # Block server id and version DNS TXT records
      echo "  hide-identity: yes"
      echo "  hide-version: yes"
      echo
    } >> $UNBOUND_CONFFILE
  fi


  if [ "$UNBOUND_B_PRIV_BLCK" -gt 0 ] ; then
    {
      # Remove _upstream_ or global reponses with private addresses.
      # Unbounds own "local zone" and "forward zone" may still use these.
      # RFC1918, RFC3927, RFC4291, RFC6598, RFC6890
      echo "  private-address: 10.0.0.0/8"
      echo "  private-address: 100.64.0.0/10"
      echo "  private-address: 169.254.0.0/16"
      echo "  private-address: 172.16.0.0/12"
      echo "  private-address: 192.168.0.0/16"
      echo "  private-address: fc00::/8"
      echo "  private-address: fd00::/8"
      echo "  private-address: fe80::/10"
    } >> $UNBOUND_CONFFILE
  fi


  if [ "$UNBOUND_B_LOCL_BLCK" -gt 0 ] ; then
    {
      # Remove DNS reponses from upstream with loopback IP
      # Black hole DNS method for ad blocking, so consider...
      echo "  private-address: 127.0.0.0/8"
      echo "  private-address: ::1/128"
      echo
    } >> $UNBOUND_CONFFILE

  else
    echo >> $UNBOUND_CONFFILE
  fi


  # Except and accept domains as insecure (DNSSEC); work around broken domains
  config_list_foreach "$cfg" "domain_insecure" create_domain_insecure
  echo >> $UNBOUND_CONFFILE
}

##############################################################################

unbound_access() {
  # TODO: Unbound 1.6.0 added "tags" and "views", so we can add tags to
  # each access-control IP block, and then divert access.
  # -- "guest" WIFI will not be allowed to see local zone data
  # -- "child" LAN can black whole a list of domains to http~deadpixel


  if [ "$UNBOUND_B_LOCL_SERV" -gt 0 ] ; then
    # Only respond to queries from which this device has an interface.
    # Prevent DNS amplification attacks by not responding to the universe.
    config_load network
    config_foreach create_access_control interface


    {
      echo "  access-control: 127.0.0.0/8 allow"
      echo "  access-control: ::1/128 allow"
      echo "  access-control: fe80::/10 allow"
      echo
    } >> $UNBOUND_CONFFILE

  else
    {
      echo "  access-control: 0.0.0.0/0 allow"
      echo "  access-control: ::0/0 allow"
      echo
    } >> $UNBOUND_CONFFILE
  fi


  {
    # Amend your own "server:" stuff here
    echo "  include: $UNBOUND_SRV_CONF"
    echo
  } >> $UNBOUND_CONFFILE
}

##############################################################################

unbound_adblock() {
  # TODO: Unbound 1.6.0 added "tags" and "views"; lets work with adblock team
  local adb_enabled adb_file

  if [ ! -x /usr/bin/adblock.sh -o ! -x /etc/init.d/adblock ] ; then
    adb_enabled=0
  else
    /etc/init.d/adblock enabled && adb_enabled=1 || adb_enabled=0
  fi


  if [ "$adb_enabled" -gt 0 ] ; then
    {
      # Pull in your selected openwrt/pacakges/net/adblock generated lists
      for adb_file in $UNBOUND_VARDIR/adb_list.* ; do
        echo "  include: $adb_file"
      done
      echo
    } >> $UNBOUND_CONFFILE
  fi
}

##############################################################################

unbound_hostname() {
  if [ -n "$UNBOUND_TXT_DOMAIN" ] ; then
    {
      # TODO: Unbound 1.6.0 added "tags" and "views" and we could make
      # domains by interface to prevent DNS from "guest" to "home"
      echo "  local-zone: $UNBOUND_TXT_DOMAIN. $UNBOUND_D_DOMAIN_TYPE"
      echo "  domain-insecure: $UNBOUND_TXT_DOMAIN"
      echo "  private-domain: $UNBOUND_TXT_DOMAIN"
      echo
      echo "  local-zone: $UNBOUND_TXT_HOSTNAME. $UNBOUND_D_DOMAIN_TYPE"
      echo "  domain-insecure: $UNBOUND_TXT_HOSTNAME"
      echo "  private-domain: $UNBOUND_TXT_HOSTNAME"
      echo
    } >> $UNBOUND_CONFFILE


    case "$UNBOUND_D_DOMAIN_TYPE" in
    deny|inform_deny|refuse|static)
      {
        # avoid upstream involvement in RFC6762 like responses (link only)
        echo "  local-zone: local. $UNBOUND_D_DOMAIN_TYPE"
        echo "  domain-insecure: local"
        echo "  private-domain: local"
        echo
      } >> $UNBOUND_CONFFILE
      ;;
    esac


    if [ "$UNBOUND_D_LAN_FQDN" -gt 0 -o "$UNBOUND_D_WAN_FQDN" -gt 0 ] ; then
      config_load dhcp
      config_foreach create_interface_dns dhcp
    fi


    if [ -f "$UNBOUND_DHCP_CONF" ] ; then
      {
        # Seed DHCP records because dhcp scripts trigger externally
        # Incremental Unbound restarts may drop unbound-control add records
        echo "  include: $UNBOUND_DHCP_CONF"
        echo
      } >> $UNBOUND_CONFFILE
    fi
  fi
}

##############################################################################

unbound_uci() {
  local cfg="$1"
  local dnsmasqpath hostnm

  hostnm="$(uci_get system.@system[0].hostname | awk '{print tolower($0)}')"
  UNBOUND_TXT_HOSTNAME=${hostnm:-thisrouter}

  config_get_bool UNBOUND_B_SLAAC6_MAC "$cfg" dhcp4_slaac6 0
  config_get_bool UNBOUND_B_DNS64      "$cfg" dns64 0
  config_get_bool UNBOUND_B_HIDE_BIND  "$cfg" hide_binddata 1
  config_get_bool UNBOUND_B_LOCL_SERV  "$cfg" localservice 1
  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
  config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0
  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
  config_get_bool UNBOUND_B_PRIV_BLCK  "$cfg" rebind_protection 1
  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
  config_get_bool UNBOUND_B_CONTROL    "$cfg" unbound_control 0
  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1

  config_get UNBOUND_IP_DNS64    "$cfg" dns64_prefix "64:ff9b::/96"

  config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
  config_get UNBOUND_N_RX_PORT   "$cfg" listen_port 53
  config_get UNBOUND_N_ROOT_AGE  "$cfg" root_age 9

  config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
  config_get UNBOUND_D_DHCP_LINK   "$cfg" dhcp_link none
  config_get UNBOUND_D_LAN_FQDN    "$cfg" add_local_fqdn 0
  config_get UNBOUND_D_PROTOCOL    "$cfg" protocol mixed
  config_get UNBOUND_D_RECURSION   "$cfg" recursion passive
  config_get UNBOUND_D_RESOURCE    "$cfg" resource small
  config_get UNBOUND_D_WAN_FQDN    "$cfg" add_wan_fqdn 0

  config_get UNBOUND_TTL_MIN     "$cfg" ttl_min 120
  config_get UNBOUND_TXT_DOMAIN  "$cfg" domain lan


  if [ "$UNBOUND_D_DHCP_LINK" = "none" ] ; then
    config_get_bool UNBOUND_B_DNSMASQ   "$cfg" dnsmasq_link_dns 0


    if [ "$UNBOUND_B_DNSMASQ" -gt 0 ] ; then
      UNBOUND_D_DHCP_LINK=dnsmasq
      
      
      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
        logger -t unbound -s "Please use 'dhcp_link' selector instead"
      fi
    fi
  fi


  if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
    if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
      UNBOUND_D_DHCP_LINK=none
    else
      /etc/init.d/dnsmasq enabled || UNBOUND_D_DHCP_LINK=none
    fi


    if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "cannot forward to dnsmasq"
    fi
  fi


  if [ "$UNBOUND_D_DHCP_LINK" = "odhcpd" ] ; then
    if [ ! -x /usr/sbin/odhcpd -o ! -x /etc/init.d/odhcpd ] ; then
      UNBOUND_D_DHCP_LINK=none
    else
      /etc/init.d/odhcpd enabled || UNBOUND_D_DHCP_LINK=none
    fi


    if [ "$UNBOUND_D_DHCP_LINK" = "none" -a ! -f "$UNBOUND_TIMEFILE" ] ; then
      logger -t unbound -s "cannot receive records from odhcpd"
    fi
  fi


  if [ "$UNBOUND_N_EDNS_SIZE" -lt 512 \
    -o 4096 -lt "$UNBOUND_N_EDNS_SIZE" ] ; then
    # exceeds range, back to default
    UNBOUND_N_EDNS_SIZE=1280
  fi


  if [ "$UNBOUND_N_RX_PORT" -lt 1024 \
    -o 10240 -lt "$UNBOUND_N_RX_PORT" ] ; then
    # special port or in 5 digits, back to default
    UNBOUND_N_RX_PORT=53
  fi


  if [ "$UNBOUND_TTL_MIN" -gt 1800 ] ; then
    # that could have had awful side effects
    UNBOUND_TTL_MIN=300
  fi
}

##############################################################################

unbound_start() {
  config_load unbound
  config_foreach unbound_uci unbound
  unbound_mkdir


  if [ "$UNBOUND_B_MAN_CONF" -eq 0 ] ; then
    unbound_conf
    unbound_access
    unbound_adblock

    if [ "$UNBOUND_D_DHCP_LINK" = "dnsmasq" ] ; then
      dnsmasq_link
    else
      unbound_hostname
    fi

    unbound_control
  fi
}

##############################################################################

unbound_stop() {
  local resolvsym=0

  rootzone_update


  if [ ! -x /usr/sbin/dnsmasq -o ! -x /etc/init.d/dnsmasq ] ; then
    resolvsym=1
  else
    /etc/init.d/dnsmasq enabled || resolvsym=1
  fi


  if [ "$resolvsym" -gt 0 ] ; then
    # set resolver file to normal, but don't stomp on dnsmasq
    rm -f /tmp/resolv.conf
    ln -s /tmp/resolv.conf.auto /tmp/resolv.conf
  fi
}

##############################################################################