Hi,
can you confirm if unbound is running?
What is the output of /etc/init.d/unbound restart?
-Michael
On Fri, 2017-03-03 at 14:54 -0600, Paul Simmons wrote:
On Wed, 2017-03-01 at 12:00 -0600, Paul Simmons wrote:
On Wed, 2017-03-01 at 16:17 +0000, Michael Tremer wrote:
Hello,
so I wanted to highlight this patch a little which has been merged into next.
It will change fallback behaviour of DNS again which before switched to recursor mode if no usable forwarder could be found. Now IPFire will test if any of the root servers is available and if so, fall back to recursor mode. If not, it will change DNSSEC into permissive mode and will use all given forwarders.
The idea behind this is to always be able to provide at least *some* DNS, although DNSSEC will be practically deactivated.
It is still missing that we show a big warning where necessary, but at least for some people who were forced by their providers to use their own name servers which do not support DNSSEC at all.
So, for the people who have been affected by this issue I can only recommend to test this and give us feedback within about one week. I would like to close the merge window for the next core update around then.
Best, -Michael
On Wed, 2017-03-01 at 16:11 +0000, Michael Tremer wrote:
The tests when assigning DNS name servers has been extended so that if no working forwarder can be found, we will test if the local recursor mode is an option.
If not, we will configure unbound's validator module into permissive mode so that at least some DNS functionality is available.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
config/rootfiles/core/110/filelists/files | 1 + lfs/unbound | 1 + src/initscripts/init.d/unbound | 67 ++++++++++++++++++++-- ...ting-validator-permissive-mode-at-runtime.patch | 43 ++++++++++++++ 4 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 src/patches/unbound-allow-setting- validator- permissive-mode-at-runtime.patch
diff --git a/config/rootfiles/core/110/filelists/files b/config/rootfiles/core/110/filelists/files index 670b9ae..f4ce989 100644 --- a/config/rootfiles/core/110/filelists/files +++ b/config/rootfiles/core/110/filelists/files @@ -1,5 +1,6 @@ etc/system-release etc/issue +etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/lib/libssp.so.0 diff --git a/lfs/unbound b/lfs/unbound index 2b7745c..f361f24 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 <
$(DIR_SRC)/src/patches/unbound-allow-setting-validator- permissive- mode-at-runtime.patch cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound index 8802781..bbf9c00 100644 --- a/src/initscripts/init.d/unbound +++ b/src/initscripts/init.d/unbound @@ -114,17 +114,38 @@ update_forwarders() { echo_warning fi
if [ -n "${broken_forwarders}" -a -z
"${forwarders}" ]; then
boot_mesg "Falling back to recursor
mode" ${WARNING}
echo_warning
elif [ -n "${forwarders}" ]; then
if [ -n "${forwarders}" ]; then
boot_mesg "Configuring upstream name server(s): ${forwarders:1}" ${INFO} echo_ok
# Make sure DNSSEC is activated
enable_dnssec
echo "${forwarders}" > /var/ipfire/red/dns unbound-control -q forward ${forwarders} return 0
# In case we have found no working forwarders
else
# Test if the recursor mode is
available
if can_resolve_root
+bufsize=${new_edns_buffer_size}; then
# Make sure DNSSEC is
activated
enable_dnssec
boot_mesg "Falling back to
recursor mode" ${WARNING}
echo_warning
# If not, we set DNSSEC in permissive
mode and allow using all recursors
elif [ -n "${broken_forwarders}" ];
then
disable_dnssec
boot_mesg "DNSSEC has been set
to permissive mode" ${FAILURE}
echo_failure
echo "${broken_forwarders}" >
/var/ipfire/red/dns
unbound-control -q forward
${broken_forwarders}
return 0
fi
fi fi @@ -370,6 +391,42 @@ ns_determine_edns_buffer_size() { return 1 } +get_root_nameservers() {
- while read -r hostname ttl record address; do
# Searching for A records
[ "${record}" = "A" ] || continue
echo "${address}"
- done < /etc/unbound/root.hints
+}
+can_resolve_root() {
- local ns
- for ns in $(get_root_nameservers); do
if dig @${ns} +dnssec SOA . $@ >/dev/null;
then
return 0
fi
- done
- # none of the servers was reachable
- return 1
+}
+enable_dnssec() {
- local status=$(unbound-control get_option val-
permissive- mode)
- # Don't do anything if DNSSEC is already activated
- [ "${status}" = "no" ] && return 0
- # Activate DNSSEC and flush cache with any stale and
unvalidated data
- unbound-control -q set_option val-permissive-mode: no
- unbound-control -q flush_zone .
+}
+disable_dnssec() {
- unbound-control -q set_option val-permissive-mode: yes
+}
case "$1" in start) # Print a nicer messagen when unbound is already running diff --git a/src/patches/unbound-allow-setting-validator- permissive- mode-at-runtime.patch b/src/patches/unbound-allow-setting- validator- permissive-mode-at-runtime.patch new file mode 100644 index 0000000..f476d08 --- /dev/null +++ b/src/patches/unbound-allow-setting-validator-permissive- mode- at- runtime.patch @@ -0,0 +1,43 @@ +diff --git a/validator/validator.c b/validator/validator.c +index 676dcdf..7c19f3d 100644 +--- a/validator/validator.c ++++ b/validator/validator.c +@@ -113,7 +113,7 @@ val_apply_cfg(struct module_env* env, struct val_env* val_env, + int c; + val_env->bogus_ttl = (uint32_t)cfg->bogus_ttl; + val_env->clean_additional = cfg-
val_clean_additional;
+- val_env->permissive_mode = cfg->val_permissive_mode; ++ val_env->permissive_mode = &cfg->val_permissive_mode; + if(!env->anchors) + env->anchors = anchors_create(); + if(!env->anchors) { +@@ -170,7 +170,6 @@ val_init(struct module_env* env, int id) + } + env->modinfo[id] = (void*)val_env; + env->need_to_validate = 1; +- val_env->permissive_mode = 0; + lock_basic_init(&val_env->bogus_lock); + lock_protect(&val_env->bogus_lock, &val_env-
num_rrset_bogus,
+ sizeof(val_env->num_rrset_bogus)); +@@ -2084,7 +2083,7 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq, + } + } + /* If we are in permissive mode, bogus gets indeterminate */ +- if(ve->permissive_mode) ++ if(*ve->permissive_mode) + vq->orig_msg->rep->security = sec_status_indeterminate; + } + +diff --git a/validator/validator.h b/validator/validator.h +index 23d3072..f8464b8 100644 +--- a/validator/validator.h ++++ b/validator/validator.h +@@ -104,7 +104,7 @@ struct val_env { + * This allows an operator to run validation 'shadow' without + * hurting responses to clients. + */ +- int permissive_mode; ++ int* permissive_mode; + + /** + * Number of entries in the NSEC3 maximum iteration count table.
I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3 available locally, and will beg my users for downtime to test.
Thank you, and best regards, Paul
Bad juju - build c016773b couldn't resolve any hosts (other than those in "localdomain").
Provider is "hughes.net" and is the only ISP available (no hardlines or other LOS/NLOS WISPs available).
Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
Paul