unbound: improve maintenance of trust anchor

Unbound UCI tries to protect embedded flash from excess
use. Unbound RFC5011 KSK tracking can rewrite root.key
every few minutes to an hour. It also writes and destroys
files in the same directory during the process.

Recommended UCI delays for copying busy work in /var/
back to /etc/ may be too conservative. These are all
changed from 28 to 9 days.

The RFC5011 KSK results were also destroyed by an
init.d restart, even if /var/ is mounted on persistent
storage such as a USB drive. /var/lib/unbound/root.key is
now preserved during this process, unless a newer key
is installed in /etc/ manually or by a package update.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Eric Luehrsen
2017-03-02 00:28:35 -05:00
parent ef0c0eeab0
commit 8e153c9684
5 changed files with 23 additions and 9 deletions


@@ -47,7 +47,7 @@ UNBOUND_IP_DNS64="64:ff9b::/96"
UNBOUND_N_EDNS_SIZE=1280
UNBOUND_N_FWD_PORTS=""
UNBOUND_N_RX_PORT=53
UNBOUND_N_ROOT_AGE=28
UNBOUND_N_ROOT_AGE=9
UNBOUND_TTL_MIN=120
@@ -258,6 +258,13 @@ unbound_mkdir() {
fi
if [ -f $UNBOUND_KEYFILE ] ; then
# Lets not lose RFC 5011 tracking if we don't have to
cp -p $UNBOUND_KEYFILE $UNBOUND_KEYFILE.keep
fi
# Blind copy /etc/ to /var/lib/
mkdir -p $UNBOUND_VARDIR
rm -f $UNBOUND_VARDIR/dhcp_*
touch $UNBOUND_CONFFILE
@@ -282,7 +289,7 @@ unbound_mkdir() {
# Debian-like package dns-root-data
cp -p /usr/share/dns/root.key $UNBOUND_KEYFILE
elif [ -x "$UNBOUND_ANCHOR" ] ; then
elif [ -x $UNBOUND_ANCHOR ] ; then
$UNBOUND_ANCHOR -a $UNBOUND_KEYFILE
else
@@ -290,7 +297,14 @@ unbound_mkdir() {
fi
fi
if [ -f $UNBOUND_KEYFILE.keep ] ; then
# root.key.keep is reused if newest
cp -u $UNBOUND_KEYFILE.keep $UNBOUND_KEYFILE
rm -f $UNBOUND_KEYFILE.keep
fi
# Ensure access and prepare to jail
chown -R unbound:unbound $UNBOUND_VARDIR
chmod 775 $UNBOUND_VARDIR
@@ -755,7 +769,7 @@ unbound_uci() {
config_get UNBOUND_N_EDNS_SIZE "$cfg" edns_size 1280
config_get UNBOUND_N_RX_PORT "$cfg" listen_port 53
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 7
config_get UNBOUND_N_ROOT_AGE "$cfg" root_age 9
config_get UNBOUND_D_DOMAIN_TYPE "$cfg" domain_type static
config_get UNBOUND_D_DHCP_LINK "$cfg" dhcp_link none