user:gp68:unbound

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
user:gp68:unbound [2024-09-02T17:01:35Z] gp68user:gp68:unbound [2024-09-03T11:03:59Z] (current) gp68
Line 1: Line 1:
 ====== Unbound Howto ====== ====== Unbound Howto ======
  
 +This setup is build as an example to work as tier1 or tier2 server. \\
 +There is an update script which sets up all slave zones and does an tier1 anmd tiar2 server test after update. \\
 +The update script also checks dnssec basics and updates the files in git. \\
 +///etc/unbound// is a git repository in my setup.
 + 
 ===== Base setup ===== ===== Base setup =====
  
-<code>+<file txt unbound.conf>
 server: server:
  verbosity: 1  verbosity: 1
Line 10: Line 15:
  # ----------------------  # ----------------------
  # optimizations https://nlnetlabs.nl/documentation/unbound/howto-optimise/  # optimizations https://nlnetlabs.nl/documentation/unbound/howto-optimise/
 +        # adjust for your needs
  # ----------------------  # ----------------------
  num-threads: 2  num-threads: 2
Line 30: Line 36:
  stream-wait-size: 8m #default 4m  stream-wait-size: 8m #default 4m
  # ----------------------  # ----------------------
 +        # can be set to 0 if you don't need
 +        #
  statistics-interval: 1200  statistics-interval: 1200
  # ----------------------  # ----------------------
Line 42: Line 50:
  tls-service-key: /etc/unbound/privkey.pem  tls-service-key: /etc/unbound/privkey.pem
  tls-service-pem: /etc/unbound/fullchain.pem  tls-service-pem: /etc/unbound/fullchain.pem
-        # +        # i don't like files :-) 
  use-syslog: yes  use-syslog: yes
-        # first start+        # ------------------------------------- 
 +        # for the first start update files 
 +        # named.cache.opennic and opennic.dnskey 
 +        # manually 
 +        # -------------------------------------
  # drill . ns @161.97.219.84 > named.cache.opennic  # drill . ns @161.97.219.84 > named.cache.opennic
  # dig -t DNSKEY . @161.97.219.84 | dnssec-dsfromkey -1 -f - . > opennic.dnskey  # dig -t DNSKEY . @161.97.219.84 | dnssec-dsfromkey -1 -f - . > opennic.dnskey
Line 50: Line 62:
  root-hints: "/etc/unbound/named.cache.opennic"  root-hints: "/etc/unbound/named.cache.opennic"
  trust-anchor-file: "/etc/unbound/opennic.dnskey"  trust-anchor-file: "/etc/unbound/opennic.dnskey"
 +        # --------------------------------------------------
  # dnssec not working at the moment for all domains  # dnssec not working at the moment for all domains
 +        # --------------------------------------------------
  harden-dnssec-stripped: no  harden-dnssec-stripped: no
  harden-glue:  no  harden-glue:  no
- aggressive-nsec: no  + aggressive-nsec: no 
- do-not-query-localhost: no+        # access control for everyone ai and ipv6
  access-control: 0.0.0.0/0 allow  access-control: 0.0.0.0/0 allow
  access-control: ::0/0 allow  access-control: ::0/0 allow
- #+no identity needed
  hide-identity: yes  hide-identity: yes
  identity: "pope.vatican.va"  identity: "pope.vatican.va"
Line 63: Line 77:
  version:  "0.0"  version:  "0.0"
  tls-system-cert: yes  tls-system-cert: yes
 +        # DOS protection
  #ip-ratelimit-factor: 10  #ip-ratelimit-factor: 10
     #ip-ratelimit: 60     #ip-ratelimit: 60
     ratelimit: 100     ratelimit: 100
 +        # ---------------------------------------
 +        # for start make am empty file
 +        # will be updated by refresh script
 +        # 
  include: /etc/unbound/opennic_server.conf  include: /etc/unbound/opennic_server.conf
-  +
-local-zone: "168.192.in-addr.arpa." transparent +enable control via locahhost
-local-zone: "10.in-addr.arpa." transparent +
-local-zone: "16.172.in-addr.arpa." transparent +
-local-zone: "17.172.in-addr.arpa." transparent +
-local-zone: "18.172.in-addr.arpa." transparent +
-local-zone: "19.172.in-addr.arpa." transparent +
-local-zone: "20.172.in-addr.arpa." transparent +
-local-zone: "21.172.in-addr.arpa." transparent +
-local-zone: "22.172.in-addr.arpa." transparent +
-local-zone: "23.172.in-addr.arpa." transparent +
-local-zone: "24.172.in-addr.arpa." transparent +
-local-zone: "25.172.in-addr.arpa." transparent +
-local-zone: "26.172.in-addr.arpa." transparent +
-local-zone: "27.172.in-addr.arpa." transparent +
-local-zone: "28.172.in-addr.arpa." transparent +
-local-zone: "29.172.in-addr.arpa." transparent +
-local-zone: "30.172.in-addr.arpa." transparent +
-local-zone: "31.172.in-addr.arpa." transparent +
-local-zone: "0.in-addr.arpa." transparent +
-local-zone: "127.in-addr.arpa." transparent +
-local-zone: "254.169.in-addr.arpa." transparent +
-local-zone: "2.0.192.in-addr.arpa." transparent +
-local-zone: "100.51.198.in-addr.arpa." transparent +
-local-zone: "113.0.203.in-addr.arpa." transparent +
-local-zone: "255.255.255.255.in-addr.arpa." transparent +
-local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." transparent +
-local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." transparent +
-local-zone: "d.f.ip6.arpa." transparent +
-local-zone: "8.e.f.ip6.arpa." transparent +
-local-zone: "9.e.f.ip6.arpa." transparent +
-local-zone: "a.e.f.ip6.arpa." transparent +
-local-zone: "b.e.f.ip6.arpa." transparent +
-local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." transparent +
-local-zone: "onion." always_null +
-test local +
-just an example +
-#local-zone: "porno." static +
-#local-data: 'porno. IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800' +
-#local-data: 'rechner.porno. IN A 127.0.0.1' +
 remote-control: remote-control:
  control-enable: yes  control-enable: yes
-  + 
-</code>+include: /etc/unbound/opennic_domains.conf 
 +</file>
  
 ===== Refresh script ===== ===== Refresh script =====
  
 +Gets the opennic root nameserver from the web
  
-<code>+<file perl getroot_opennic.pl>
 #!/usr/bin/perl #!/usr/bin/perl
  
Line 152: Line 134:
     print $1 . "\n";     print $1 . "\n";
 } }
-</code>+</file> 
 + 
 +Refreshes the files 
 +  * opennic.dnskey          ( dnssec root key ) 
 +  * named.cache.opennic     ( dns root cache ) 
 +  * opennic_server.conf     ( allow unsecure dnssec queries for opennic domains ) 
 +  * opennic_domains.conf    ( opennic zones secondary ) 
 + 
 +The script locks for single usage and checks the serial of the root zone for changes. 
 + 
 +<file bash refresh_base.sh> 
 +#!/bin/bash 
 + 
 +# arch linux packets needed: 
 +# - ldns 
 +# - unbound 
 +# - gawk 
 +# - coreutils 
 +# - grep 
 + 
 +AWK=/usr/bin/awk 
 +CUT=/usr/bin/cut 
 +DIG="/usr/bin/drill -t -r /etc/unbound/named.cache.opennic" 
 +GREP=/bin/grep 
 +PRINTF=/usr/bin/printf 
 +SED=/bin/sed 
 +KF=opennic.dnskey 
 +CF=named.cache.opennic 
 +SF=opennic_server.conf 
 +DF=opennic_domains.conf 
 +MYIP='<please set me>' 
 + 
 +if [ "$MYIP" = "<please set me>" ] ; then 
 +   echo "set varieble MYIP in this script" 
 +   exit 1 
 +fi 
 +    
 +cd `dirname $0` 
 + 
 +# Make sure only one copy runs at a time 
 +LOCK="refresh_base.lock" 
 +r=$($PRINTF %05d $RANDOM) 
 +sleep ${r:0:1}.${r:1:5} 
 +if [ -f $LOCK ]; then 
 +    last_serial=$(cat $LOCK) 
 +    dt=$((`date +%s` - `date -r $LOCK +%s`)) 
 +    if [ $dt -lt 600 ]; then 
 + echo "Last run ${dt}s < 600s left" 
 + exit 0; 
 +    else 
 + echo "Last run ${dt}s"  
 +    fi 
 +fi 
 + 
 +touch $LOCK 
 + 
 +# first get any tier1 server to start 
 +NS=( $(./getroot_opennic.pl) ) 
 + 
 +echo -n "Opennic tier1 Server: " 
 + 
 +for ns in "${NS[@]}"; do 
 +    echo -n "$ns " 
 +    soa=$($DIG -Q SOA . @$ns) 
 +    if [ "$soa" ]; then NS0=$(echo $soa | awk '{print $1}') ; break ; fi 
 +done 
 +if [ ! "$NS0" ]; then 
 +    echo "No Opennic tier1 server could not be reached -- aborting!" >&
 +    exit 1 
 +fi 
 + 
 +echo 
 + 
 +# get master server  
 +NS0=$(echo $NS0 | awk '{print $1}'
 + 
 +echo -n "Master openic server: $NS0 (" 
 + 
 +# get ip from master server 
 +NS=( $(drill -Q @$ns ns0.opennic.glue.) ) 
 +for ns in "${NS[@]}"; do 
 +    if [ "$soa" ]; then NS0=$ns ; break ; fi 
 +done 
 +if [ ! "$NS0" ]; then 
 +    echo "could not be reached -- aborting!" >&
 +    exit 1 
 +fi 
 + 
 +echo "$NS0)" 
 + 
 +soa=$($DIG -Q SOA . @$NS0) 
 +serial=$(echo $soa | awk '{ print $3}'
 +refresh=$(echo $soa | awk '{ print $4}'
 + 
 +echo "Serial: $serial" 
 +echo "Refresh: $refresh" 
 + 
 +echo $serial > $LOCK 
 + 
 +if [ -z "$last_serial" ] ; then 
 +    last_serial=0 
 +fi 
 + 
 +if [ $last_serial == $serial ]; then 
 +    echo "No Update needed serial not changed" 
 +    exit 0 
 +fi 
 + 
 +dig . ns @${NS0} > $CF 
 +echo "Updated $CF" 
 + 
 +dig -t DNSKEY . @${NS0} | dnssec-dsfromkey -1 -f - . > $KF 
 +dig -t DNSKEY . @${NS0} | dnssec-dsfromkey -2 -f - . >> $KF      
 +cp $KF /etc/trusted-key.key 
 +echo "Updated $KF and /etc/trusted-key.key" 
 + 
 +# Start printing the new file 
 +ifs=$IFS 
 + 
 +# Collect list of TLDs 
 +TXT=(dns.opennic.glue $($DIG -Q @$NS0 TXT tlds.opennic.glue | tr -d '"')) 
 +IFS=$'\n' TLDS=($(sort <<<${TXT[*]})) 
 +IFS=$ifs 
 +if [ "${TLDS[*]}" == "dns.opennic.glue" ]; then 
 +    echo "Failed to obtain list of TLDs" >&
 +    rm -f $LOCK 
 +    exit 1 
 +else 
 +    echo "TLDS: ${TLDS[*]}" >&
 +fi 
 + 
 +echo "#" > $DF  
 +echo "# OpenNIC zone config - file created by $HOSTNAME" >> $DF 
 +echo "# Generated on `date '+%A, %d %b %Y at %T'`" >> $DF 
 +echo "#" >> $DF 
 + 
 +echo "#" > $SF 
 +echo "# OpenNIC server config for opennic - file created by $HOSTNAME" >> $SF 
 +echo "# Generated on `date '+%A, %d %b %Y at %T'`" >> $SF 
 +echo "#" >> $SF 
 + 
 + 
 +for TLD in "${TLDS[@]}" ; do 
 +    if [ $TLD != '.' ]; then 
 + echo -n 'domain-insecure: "' >> $SF 
 + echo -n $TLD >> $SF 
 + echo '"' >> $SF 
 +    fi 
 +    # Check if this zone is mastered by this server 
 +    zone="$TLD.opennic.glue" 
 +    if [ "$TLD" == "." ]; then 
 + zone=""
 +    fi 
 +    master=($($DIG -Q TXT $zone. @$NS0 | sed 's/"//g' | $GREP ^ns) ns0.opennic.glue.) 
 + 
 +    echo "TLD $TLD master = ${master[*]}" 
 +     
 +    # Begin printing the zone config 
 +    echo >> $DF 
 +    echo "auth-zone:" >> $DF 
 +    echo "   name: $TLD" >> $DF 
 +    if [ $TLD == '.' ]; then 
 + echo "   zonefile: sec/root.zone" >> $DF 
 +    else 
 + echo "   zonefile: sec/${TLD}.zone" >> $DF 
 +    fi 
 +    echo "   for-downstream: no" >> $DF 
 +    # Collect a list of master nameservers for the zone 
 +    for mm in "${master[@]}" ; do 
 + mm=$(echo $mm | $SED 's/\.$//'
 + ns=$(echo $mm | $CUT -d. -f1 | $SED 's/ns//'
 + AT="@$myDNS" 
 + if [ "$ns" == "0" ]; then AT="@$NS0"; fi 
 + if [ "$AT" == "@" ]; then AT=""; fi 
 +  
 + # If this is an unknown NS, query its IPs 
 + if [ ! "${RES[$ns]}" ]; then 
 +     A4=$($DIG -Q A $mm $AT) 
 +     A6=$($DIG -Q AAAA $mm $AT) 
 +     RES[$ns]="${A4[@]} ${A6[@]}" 
 + fi 
 + read -a IP <<< ${RES[$ns]} 
 +  
 + # Print all IPs for all nameservers 
 + for addr in "${IP[@]}" ; do 
 +     echo "   master: $addr" >> $DF 
 + done 
 +    done 
 +    echo >> $DF 
 +done 
 +echo "Updated $DF $SF" 
 + 
 +unbound-control reload_keep_cache 
 +echo "Restarted unbound" 
 + 
 +sleep 10 
 + 
 +wget -q --no-check-certificate -O test.txt "https://report.opennicproject.org/t2log/t1.php?ip_addr=$MYIP" 
 +if [ $(cat test.txt | perl -n -e 'if ( $p == 1 ) { /Passed/ && print "OK\n" ; $p = 0; } else { if ( /Test results:/ ) { $p=1; } }') != 'OK' ] ; then 
 +    echo "Opennic Tier1 TEST FAILED" 
 +    rm -f test.txt 
 +    exit 1 
 +else 
 +    echo "Opennic Tier1 TEST OK" 
 +    rm -f test.txt 
 +fi 
 + 
 +sleep 10 
 + 
 +wget -q --no-check-certificate -O test.txt "https://servers.opennicproject.org/srvtest3/test.php?ip=$MYIP&ns=$MYIP" 
 +if [ $(cat test.txt | perl -n -e '/Server\sstatus(.*)$/ && print $1;'  | perl -n -e '/\[(.+)\]/ && print $1;') != '100%' ] ; then 
 +    echo "Opennic Tier2 TEST FAILED" 
 +    rm -f test.txt 
 +    exit 1 
 +else 
 +    echo "Opennic Tier2 TEST OK" 
 +    rm -f test.txt 
 +fi 
 + 
 +if [ -z "$($DIG -TD . soa | grep '^\[T\]' | grep SOA)" ] ; then 
 +    echo "DNSSEC Test FAILED" 
 +    exit 1 
 +else 
 +    echo "DNSSEC Test OK" 
 +fi 
 + 
 +git commit -am "Serial: $serial" 
 +</file>
  
  • /wiki/data/attic/user/gp68/unbound.1725296495.txt.gz
  • Last modified: 14 months ago
  • by gp68