svn commit: r339424 - in head: libexec/rc/rc.d usr.sbin/unbound/setup

Dag-Erling Smørgrav des at FreeBSD.org
Thu Oct 18 15:35:15 UTC 2018 

Author: des
Date: Thu Oct 18 15:35:13 2018
New Revision: 339424
URL: https://svnweb.freebsd.org/changeset/base/339424

Log:
  Add support for DNS-over-TLS to the local_unbound service.
  
  Approved by:	re (kib)

Modified:
  head/libexec/rc/rc.d/local_unbound
  head/usr.sbin/unbound/setup/local-unbound-setup.sh

Modified: head/libexec/rc/rc.d/local_unbound
==============================================================================
--- head/libexec/rc/rc.d/local_unbound	Thu Oct 18 15:25:07 2018	(r339423)
+++ head/libexec/rc/rc.d/local_unbound	Thu Oct 18 15:35:13 2018	(r339424)
@@ -33,6 +33,7 @@ load_rc_config $name
 : ${local_unbound_controlconf:=${local_unbound_workdir}/control.conf}
 : ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
 : ${local_unbound_forwarders:=}
+: ${local_unbound_tls:=}
 
 do_as_unbound()
 {
@@ -63,6 +64,10 @@ local_unbound_configtest()
 #
 local_unbound_setup()
 {
+	local tls_flag
+	if checkyesno local_unbound_tls ; then
+		tls_flag="-t"
+	fi
 	echo "Performing initial setup."
 	${command}-setup -n \
 	    -u unbound \
@@ -71,6 +76,7 @@ local_unbound_setup()
 	    -f ${local_unbound_forwardconf} \
 	    -o ${local_unbound_controlconf} \
 	    -a ${local_unbound_anchor} \
+	    ${tls_flag} \
 	    ${local_unbound_forwarders}
 }
 

Modified: head/usr.sbin/unbound/setup/local-unbound-setup.sh
==============================================================================
--- head/usr.sbin/unbound/setup/local-unbound-setup.sh	Thu Oct 18 15:25:07 2018	(r339423)
+++ head/usr.sbin/unbound/setup/local-unbound-setup.sh	Thu Oct 18 15:35:13 2018	(r339424)
@@ -29,6 +29,9 @@
 # $FreeBSD$
 #
 
+D="${DESTDIR}"
+echo "destination: ${D}"
+
 #
 # Configuration variables
 #
@@ -47,15 +50,30 @@ resolv_conf=""
 resolvconf_conf=""
 service=""
 start_unbound=""
+use_tls=""
 forwarders=""
 
 #
 # Global variables
 #
 self=$(basename $(realpath "$0"))
+bkdir=/var/backups
 bkext=$(date "+%Y%m%d.%H%M%S")
 
 #
+# Regular expressions
+#
+RE_octet="([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
+RE_ipv4="(${RE_octet}(\\.${RE_octet}){3})"
+RE_word="([0-9A-Fa-f]{1,4})"
+RE_ipv6="((${RE_word}:){1,}(:|(:${RE_word})*)|::1)"
+RE_port="([1-9][0-9]{0,3}|[1-5][0-9]{4,4}|6([0-4][0-9]{3}|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-5]))))"
+RE_dnsname="([0-9A-Za-z-]{1,}(\\.[0-9A-Za-z-]{1,})*\\.?)"
+RE_forward_addr="((${RE_ipv4}|${RE_ipv6})(@${RE_port})?)"
+RE_forward_name="(${RE_dnsname}(@${RE_port})?)"
+RE_forward_tls="(${RE_forward_addr}(#${RE_dnsname})?)"
+
+#
 # Set default values for unset configuration variables.
 #
 set_defaults() {
@@ -73,6 +91,7 @@ set_defaults() {
 	: ${resolvconf_conf:=/etc/resolvconf.conf}
 	: ${service:=local_unbound}
 	: ${start_unbound:=yes}
+	: ${use_tls:=no}
 }
 
 #
@@ -195,13 +214,16 @@ gen_forward_conf() {
 	do_not_edit
 	echo "forward-zone:"
 	echo "        name: ."
-	for forwarder ; do
-		if expr "${forwarder}" : "^[0-9A-Fa-f:.]\{1,\}$" >/dev/null ; then
-			echo "        forward-addr: ${forwarder}"
-		else
-			echo "        forward-host: ${forwarder}"
-		fi
-	done
+	for forwarder ; do echo "${forwarder}" ; done |
+	if [ "${use_tls}" = "yes" ] ; then
+		echo "        forward-tls-upstream: yes"
+		sed -nE \
+		    -e "s/^(${RE_forward_tls})$/        forward-addr: \\1/p"
+	else
+		sed -nE \
+		    -e "s/^${RE_forward_addr}\$/        forward-addr: \\1/p" \
+		    -e "s/^${RE_forward_name}\$/        forward-host: \\1/p"
+	fi
 }
 
 #
@@ -237,6 +259,9 @@ gen_unbound_conf() {
 	echo "        chroot: ${chrootdir}"
 	echo "        pidfile: ${pidfile}"
 	echo "        auto-trust-anchor-file: ${anchor}"
+	if [ "${use_tls}" = "yes" ] ; then
+		echo "        tls-cert-bundle: /etc/ssl/cert.pem"
+	fi
 	echo ""
 	if [ -f "${forward_conf}" ] ; then
 		echo "include: ${forward_conf}"
@@ -257,26 +282,34 @@ gen_unbound_conf() {
 #
 backup() {
 	local file="$1"
-	if [ -f "${file}" ] ; then
-		local bkfile="${file}.${bkext}"
+	if [ -f "${D}${file}" ] ; then
+		local bkfile="${bkdir}/${file##*/}.${bkext}"
 		echo "Original ${file} saved as ${bkfile}"
-		mv "${file}" "${bkfile}"
+		mv "${D}${file}" "${D}${bkfile}"
 	fi
 }
 
 #
+# Wrapper for mktemp which respects DESTDIR
+#
+tmp() {
+	local file="$1"
+	mktemp -u "${D}${file}.XXXXX"
+}
+
+#
 # Replace one file with another, making a backup copy of the first,
 # but only if the new file is different from the old.
 #
 replace() {
 	local file="$1"
 	local newfile="$2"
-	if [ ! -f "${file}" ] ; then
+	if [ ! -f "${D}${file}" ] ; then
 		echo "${file} created"
-		mv "${newfile}" "${file}"
-	elif ! cmp -s "${file}" "${newfile}" ; then
+		mv "${newfile}" "${D}${file}"
+	elif ! cmp -s "${D}${file}" "${newfile}" ; then
 		backup "${file}"
-		mv "${newfile}" "${file}"
+		mv "${newfile}" "${D}${file}"
 	else
 		echo "${file} not modified"
 		rm "${newfile}"
@@ -315,7 +348,7 @@ main() {
 	#
 	# Parse and validate command-line options
 	#
-	while getopts "a:C:c:f:no:p:R:r:s:u:w:" option ; do
+	while getopts "a:C:c:f:no:p:R:r:s:tu:w:" option ; do
 		case $option in
 		a)
 			anchor="$OPTARG"
@@ -350,6 +383,9 @@ main() {
 		s)
 			service="$OPTARG"
 			;;
+		t)
+			use_tls="yes"
+			;;
 		u)
 			user="$OPTARG"
 			;;
@@ -376,7 +412,7 @@ main() {
 		;;
 	"")
 		echo "Extracting forwarders from ${resolv_conf}."
-		forwarders=$(get_nameservers <"${resolv_conf}")
+		forwarders=$(get_nameservers <"${D}${resolv_conf}")
 		style=dynamic
 		;;
 	*)
@@ -398,7 +434,7 @@ main() {
 		echo "Forwarding disabled, unbound will recurse."
 		backup "${forward_conf}"
 	else
-		local tmp_forward_conf=$(mktemp -u "${forward_conf}.XXXXX")
+		local tmp_forward_conf=$(tmp "${forward_conf}")
 		gen_forward_conf ${forwarders} | unexpand >"${tmp_forward_conf}"
 		replace "${forward_conf}" "${tmp_forward_conf}"
 	fi
@@ -406,21 +442,21 @@ main() {
 	#
 	# Generate lan-zones.conf.
 	#
-	local tmp_lanzones_conf=$(mktemp -u "${lanzones_conf}.XXXXX")
+	local tmp_lanzones_conf=$(tmp "${lanzones_conf}")
 	gen_lanzones_conf | unexpand >"${tmp_lanzones_conf}"
 	replace "${lanzones_conf}" "${tmp_lanzones_conf}"
 
 	#
 	# Generate control.conf.
 	#
-	local tmp_control_conf=$(mktemp -u "${control_conf}.XXXXX")
+	local tmp_control_conf=$(tmp "${control_conf}")
 	gen_control_conf | unexpand >"${tmp_control_conf}"
 	replace "${control_conf}" "${tmp_control_conf}"
 
 	#
 	# Generate unbound.conf.
 	#
-	local tmp_unbound_conf=$(mktemp -u "${unbound_conf}.XXXXX")
+	local tmp_unbound_conf=$(tmp "${unbound_conf}")
 	set_chrootdir
 	gen_unbound_conf | unexpand >"${tmp_unbound_conf}"
 	replace "${unbound_conf}" "${tmp_unbound_conf}"
@@ -445,15 +481,15 @@ main() {
 	# Rewrite resolvconf.conf so resolvconf updates forward.conf
 	# instead of resolv.conf.
 	#
-	local tmp_resolvconf_conf=$(mktemp -u "${resolvconf_conf}.XXXXX")
+	local tmp_resolvconf_conf=$(tmp "${resolvconf_conf}")
 	gen_resolvconf_conf "${style}" | unexpand >"${tmp_resolvconf_conf}"
 	replace "${resolvconf_conf}" "${tmp_resolvconf_conf}"
 
 	#
 	# Finally, rewrite resolv.conf.
 	#
-	local tmp_resolv_conf=$(mktemp -u "${resolv_conf}.XXXXX")
-	gen_resolv_conf <"${resolv_conf}" | unexpand >"${tmp_resolv_conf}"
+	local tmp_resolv_conf=$(tmp "${resolv_conf}")
+	gen_resolv_conf <"${D}${resolv_conf}" | unexpand >"${tmp_resolv_conf}"
 	replace "${resolv_conf}" "${tmp_resolv_conf}"
 }

More information about the svn-src-head mailing list