diff --git a/src/etc/inc/plugins.inc.d/unbound.inc b/src/etc/inc/plugins.inc.d/unbound.inc
index f21821abc..56f1fabdb 100644
--- a/src/etc/inc/plugins.inc.d/unbound.inc
+++ b/src/etc/inc/plugins.inc.d/unbound.inc
@@ -257,6 +257,7 @@ EOF;
 $forward_conf = '';
 $forward_local = '';
+ $resolv_conf_root = '';
 if (isset($config['unbound']['forwarding'])) {
 $dnsservers = array();
@@ -282,12 +283,20 @@ EOD;
 foreach ($dnsservers as $dnsserver) {
 if (strpos($dnsserver, '127.') === 0 || $dnsserver == '::1') {
 $forward_local = "do-not-query-localhost: no\n";
+ } else {
+ /* Generate a custom resolv.conf file for use by unbound-anchor.
+ * These servers all use port 53 so exclude localhost from being queried for bootstrapping
+ * in our custom resolv.conf file as Unbound doesn't exist yet.
+ */
+ $resolv_conf_root .= "nameserver $dnsserver\n";
 }
 $forward_conf .= "\tforward-addr: $dnsserver\n";
 }
 }
 }
+ file_put_contents("/var/unbound/resolv.conf.root", $resolv_conf_root, LOCK_EX);
+
 $so_reuseport = empty(system_sysctl_get()['net.inet.rss.enabled']) ? 'yes' : 'no';
 $unboundconf = << /dev/null; then
+ # unbound-anchor has undefined behaviour if file is corrupted, start clean
+ rm -f /var/unbound/root.key
+
+ # if we are in forwarding mode, prefer to use the configured system nameservers
+ if [ -s /var/unbound/resolv.conf.root ]; then
+ OPT_RESOLVE="-Rf /var/unbound/resolv.conf.root"
+ fi
+
+ # unbound-anchor exits with 1 on failover, since we would still like to start unbound,
+ # always let this succeed
+ chroot -u unbound -g unbound / /usr/local/sbin/unbound-anchor -a /var/unbound/root.key ${OPT_RESOLVE} || true
+fi
 if [ ! -f /var/unbound/unbound_control.key ]; then
 chroot -u unbound -g unbound / /usr/local/sbin/unbound-control-setup -d /var/unbound
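Review bot: The return value of `file_put_contents("/var/unbound/resolv.conf.root", $resolv_conf_root, LOCK_EX)` in the second hunk is never checked, so a failed write (unwritable or missing /var/unbound) silently leaves whatever resolv.conf.root an earlier configuration produced, and the start script will keep bootstrapping the trust anchor through nameservers that are no longer configured. Compare the result against `false` and log the failure through the file's usual logging helper instead of continuing as if the file were current. It would also help to state the contract above the call, since an empty file is written on purpose whenever forwarding is off or only loopback servers are configured and the consumer relies on a `-s` test to decide whether to pass `-Rf`; a comment such as `/* Always rewrite: an empty file tells the start script not to pass a resolv.conf to unbound-anchor. */` makes that dependency visible. The enclosing function starts and ends outside the hunk.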
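Review bot: `OPT_RESOLVE` is not initialised before the `if [ -s /var/unbound/resolv.conf.root ]` test, so when that file is empty or absent the unquoted `${OPT_RESOLVE}` on the `unbound-anchor` line expands to whatever the caller's environment happens to hold, and any value there is passed verbatim as extra arguments to a command that is run through `chroot` during startup. Add `OPT_RESOLVE=""` directly before the test so the expansion is empty by construction; the expansion must stay unquoted so that `-Rf` and the path are split into two arguments. The `|| true` also discards every nonzero status, not only the updated-anchor case the comment describes, so a bootstrap that fails for network or permission reasons leaves no trace in the logs; `|| logger -t unbound "unbound-anchor exited with status $?"` keeps the start unconditional while recording the condition. The hunk header and the opening `if` line of this block are garbled in this view, so which file the block belongs to cannot be confirmed from the page.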