Add authoritative zone handling #117

Closed
wants to merge 1 commit into from
3 changes: 3 additions & 0 deletions Dockerfile
@@ -18,6 +18,9 @@ ENV UNBOUND_GIT_REVISION a8739bad76d4d179290627e989c7ef236345bda6

WORKDIR /tmp

# --- FOR TESTING ---
# RUN apt-get update && apt-get install -y iproute2 less vim

Comment on lines +21 to +23 (Member):

Leftover from local testing?

RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
git clone --depth=1000 "$UNBOUND_GIT_URL" && \
cd unbound && \
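Review bot: the commented-out `# --- FOR TESTING ---` / `# RUN apt-get update && apt-get install -y iproute2 less vim` pair should be dropped before merge rather than left as dead instructions in the image build; if interactive tools are wanted for debugging, a separate build stage or build target keeps them out of the runtime image instead of one uncomment away from shipping.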
55 changes: 47 additions & 8 deletions entrypoint.sh
@@ -14,28 +14,65 @@ CONF_DIR="/opt/encrypted-dns/etc"
CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
SCRIPTNAME=$(basename $0)

init() {
if [ "$(is_initialized)" = yes ]; then
start
exit $?
fi

# TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
Member comment:

Leftover?

TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
eval set -- "$TEMP"

anondns_enabled="false"
anondns_blacklisted_ips=""

metrics_address="127.0.0.1:9100"

while getopts "h?N:E:T:AM:" opt; do
Member comment:

I'm quite scared by changing getopts to getopt. If the behavior is not exactly the same as before, it will break servers from everybody running watchtower to automatically keep their containers up to date.

case "$opt" in
h | \?) usage ;;
N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
A) anondns_enabled="true" ;;
M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
# extract options and their arguments into variables.
while true ; do
case "$1" in
-h | -\?)
shift
usage
;;
-N)
provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
shift 2
;;
-E)
ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
shift 2
;;
-T)
tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
shift 2
;;
-A)
anondns_enabled="true"
shift
;;
-M)
metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
shift 2
;;
# --unbound-on-all-interfaces)
# touch /opt/unbound/run-options/use-all-interfaces
# shift
# ;;
--)
shift
break
;;
*)
echo "Internal error!"
exit 1
;;
esac
done

[ -z "$provider_name" ] && usage
case "$provider_name" in
.*) usage ;;
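Review bot: the exit status of the `TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")` line is never checked, so an unknown or malformed option leaves `eval set -- "$TEMP"` working on whatever getopt managed to print and the loop ends in `echo "Internal error!"` instead of `usage`; add `|| usage` (or test `$?`) directly after the assignment so bad input is rejected before `eval` runs. The move from the `getopts` builtin to the external `getopt` also makes the script depend on the enhanced util-linux `getopt` being present in the image (the commented-out `--longoptions 'unbound-on-all-interfaces'` line only works with that implementation); either remove the commented leftovers here and in the `case` or state the dependency in the commit message. Minor: `SCRIPTNAME=$(basename $0)` should quote `"$0"`.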
@@ -264,3 +301,5 @@ provider-info) provider_info ;;
shell) shell ;;
*) usage ;;
esac

# vim: sw=4:smarttab
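Review bot: the `# vim: sw=4:smarttab` modeline appended to `entrypoint.sh` has nothing to do with authoritative zone handling; editor settings belong in their own commit (or an `.editorconfig`) so this PR's diff stays focused on the behaviour change reviewers are worried about.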
41 changes: 38 additions & 3 deletions unbound.sh
@@ -2,6 +2,37 @@

KEYS_DIR="/opt/encrypted-dns/etc/keys"
ZONES_DIR="/opt/unbound/etc/unbound/zones"
AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"

OIFS="${IFS}"
Member comment:

Why is IFS saved since it's not changed anywhere?

IFS=""

INTERFACES="\
interface: 127.0.0.1@553
interface: ::1@553"
ACCESS_CONTROL="\
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow"
AUTHZONE_INCLUDE=""

test -d $AUTHZONES_DIR && {
chown -R _unbound:_unbound $AUTHZONES_DIR
INTERFACES="\
interface: 0.0.0.0@553
interface: ::@553"
ACCESS_CONTROL="\
access-control: 127.0.0.1/32 allow
access-control: ::1/128 allow
access-control: 0.0.0.0/0 refuse_non_local
access-control: ::0/0 refuse_non_local"
AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
}

# Replace multiline replacements so sed can deal with them later
INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')

IFS="${OIFS}"

reserved=134217728
availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
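Review bot: the `IFS=""` ... `IFS="${OIFS}"` bracket does nothing useful: every expansion of `INTERFACES`, `ACCESS_CONTROL` and `AUTHZONE_INCLUDE` is double-quoted, so field splitting never applies to them, and both lines plus `OIFS` can be dropped (which also settles the question about why IFS is saved). In the same block, `test -d $AUTHZONES_DIR` and `chown -R _unbound:_unbound $AUTHZONES_DIR` should quote the variable, and the recursive chown runs on what will usually be an operator-supplied mount, so the ownership of the zone files on the host side is rewritten to the container's `_unbound` user on every start; make that conditional or document it as an intended side effect. `sed -z` is a GNU extension, which is fine on an apt-based image but deserves a comment since the rest of the script is written as portable sh.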
@@ -27,11 +58,15 @@ sed \
-e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
-e "s/@THREADS@/${threads}/" \
-e "s#@ZONES_DIR@#${ZONES_DIR}#" \
-e "s#@INTERFACES@#${INTERFACES}#" \
-e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
-e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
>/opt/unbound/etc/unbound/unbound.conf <<EOT
server:
verbosity: 1
num-threads: @THREADS@
interface: 127.0.0.1@553
@INTERFACES@
@ACCESS_CONTROL@
so-reuseport: yes
edns-buffer-size: 1232
delay-close: 10000
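Review bot: replacing the fixed `interface: 127.0.0.1@553` with `@INTERFACES@` means that in the auth-zone case Unbound binds `0.0.0.0@553` and `::@553`, so the mere presence of the `auth-zones` directory decides whether the resolver listens on every interface. That coupling deserves a sentence in the commit message and README: operators who mount the directory get a listener reachable from outside the container, and the only thing keeping recursion closed to the outside is the `refuse_non_local` entries substituted into `@ACCESS_CONTROL@`. Also, `#` works as the `s` delimiter only because the substituted values happen to contain no `#`, `&` or `\`; a comment saying so, or escaping those characters before substitution, would stop a later edit to the strings from silently breaking the generated config.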
@@ -66,8 +101,6 @@ server:
serve-expired: yes
serve-expired-ttl: 86400
serve-expired-ttl-reset: yes
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
aggressive-nsec: yes
val-bogus-ttl: 600
@@ -138,6 +171,8 @@ auth-zone:
for-downstream: no
for-upstream: yes
zonefile: "var/root.zone"

@AUTHZONE_INCLUDE@
EOT

mkdir -p /opt/unbound/etc/unbound/dev &&
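Review bot: `@AUTHZONE_INCLUDE@` expands to `include: "/opt/unbound/etc/unbound/auth-zones/*.conf"`, and an Unbound `include:` is not restricted to `auth-zone:` stanzas: any file placed in that directory can carry arbitrary configuration, including `server:` directives such as `access-control` or forwarding settings, so the mounted directory effectively has full configuration authority over the resolver. Either document that the directory must be treated as trusted configuration, or have the script generate the `auth-zone:` blocks from the zone files itself so operators supply data rather than config. The case where the directory exists but holds no `.conf` files should also be tested once, since that is the first state a new deployment will be in.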