

Move trust anchor file to a directory owned by unbound so it can be
updated. Also initialize the file using unbound-anchor instead of using a
hard coded DS record.
b4ldr committed Feb 5, 2015
1 parent 4086b21 commit 985a1ae
Showing 3 changed files with 38 additions and 18 deletions.
37 changes: 27 additions & 10 deletions manifests/init.pp
Expand Up @@ -4,7 +4,9 @@
#
class unbound (
$access = $unbound::params::access,
$anchor_file = $unbound::params::anchor_file,
$anchor_fetch_command = $unbound::params::anchor_fetch_command,
$anchor_file = $unbound::params::auto_trust_anchor_file,
$auto_trust_anchor_file = $unbound::params::auto_trust_anchor_file,
$chroot = $unbound::params::chroot,
$conf_d = $unbound::params::conf_d,
$confdir = $unbound::params::confdir,
Expand Down Expand Up @@ -49,13 +51,15 @@
$prefetch_key = $unbound::params::prefetch_key,
$private_domain = $unbound::params::private_domain,
$root_hints_url = $unbound::params::root_hints_url,
$runtime_dir = $unbound::params::runtime_dir,
$rrset_cache_size = $unbound::params::rrset_cache_size,
$rrset_cache_slabs = $unbound::params::rrset_cache_slabs,
$service_name = $unbound::params::service_name,
$so_rcvbuf = $unbound::params::so_rcvbuf,
$statistics_cumulative = $unbound::params::statistics_cumulative,
$statistics_interval = $unbound::params::statistics_interval,
$tcp_upstream = $unbound::params::tcp_upstream,
$trust_anchor = $unbound::params::trust_anchor,
$trusted_keys_file = $unbound::params::trusted_keys_file,
$unwanted_reply_threshold = $unbound::params::unwanted_reply_threshold,
$use_caps_for_id = $unbound::params::use_caps_for_id,
Expand All @@ -73,10 +77,11 @@
}
Package[$package_name] -> Service[$service_name]
Package[$package_name] -> Concat[$config_file]
Package[$package_name] -> File[$anchor_file]
Package[$package_name] -> File[$confdir]
Package[$package_name] -> File[$conf_d]
Package[$package_name] -> File[$keys_d]
Package[$package_name] -> File[$runtime_dir]
Package[$package_name] -> Exec['download-roothints']
}

service { $service_name:
Expand All @@ -100,6 +105,26 @@
path => ['/usr/bin','/usr/local/bin'],
before => [ Concat::Fragment['unbound-header'] ],
}
if $confdir == $runtime_dir {
File[$confdir] {
owner => $owner,
}
} else {
file { $runtime_dir:
ensure => directory,
owner => $owner,
}
}

exec { 'download-anchor-file':
command => $anchor_fetch_command,
creates => $auto_trust_anchor_file,
user => $owner,
path => ['/usr/sbin','/usr/local/sbin'],
returns => 1,
before => [ Concat::Fragment['unbound-header'] ],
require => File[$runtime_dir],
}

file { $hints_file:
mode => '0444',
Expand All @@ -114,12 +139,4 @@
target => $config_file,
content => template('unbound/unbound.conf.erb'),
}

# Initialize the root key file if it doesn't already exist.
file { $anchor_file:
owner => $owner,
group => 0,
content => '. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5',
replace => false,
}
}
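Review bot: The override `File[$confdir] { owner => $owner }` in the `if $confdir == $runtime_dir` branch hands the entire configuration directory — `unbound.conf`, `conf.d`, the trusted-keys file — to the service account whenever the two paths coincide, which params.pp makes the default on every platform except the `/var/lib/unbound` ones, so a compromised resolver process could rewrite its own access-control or DNSSEC settings. RFC 5011 only needs the anchor file and a temporary file beside it to be writable, so the directory that gets `owner => $owner` should be a dedicated one rather than `$confdir`; with a distinct default for `$runtime_dir` the branch can collapse to a single `file { $runtime_dir: ensure => directory, owner => $owner, group => $group, mode => '0750' }` and the `$confdir` ownership stays untouched. Separately, `returns => 1` on `download-anchor-file` relies on unbound-anchor's exit code meaning "anchor created/updated"; if that is the intended contract it deserves a comment such as `# unbound-anchor exits 1 when it writes the file, 0 when nothing changed` so the next reader does not "fix" it. The `class unbound` body begins and continues outside this hunk.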
17 changes: 10 additions & 7 deletions manifests/params.pp
Expand Up @@ -10,7 +10,7 @@
$logdir = '/var/log'
$service_name = 'unbound'
$package_name = 'unbound'
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = '/var/lib/unbound'
$owner = 'unbound'
$group = 'unbound'
$fetch_client = 'wget -O'
Expand All @@ -20,7 +20,7 @@
$logdir = '/var/log'
$service_name = 'unbound'
$package_name = 'unbound'
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = $confdir
$owner = 'unbound'
$group = 'unbound'
$fetch_client = 'wget -O'
Expand All @@ -31,7 +31,7 @@
$service_name = 'org.macports.unbound'
$package_name = 'unbound'
$package_provider = 'macports'
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = $confdir
$owner = 'unbound'
$group = 'unbound'
$fetch_client = 'curl -o'
Expand All @@ -41,7 +41,7 @@
$logdir = '/var/log/unbound'
$service_name = 'unbound'
$package_name = 'dns/unbound'
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = $confdir
$owner = 'unbound'
$group = 'unbound'
$fetch_client = 'fetch -o'
Expand All @@ -55,7 +55,7 @@
} else {
$package_name = undef
}
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = $confdir
$owner = '_unbound'
$group = '_unbound'
$fetch_client = 'ftp -o'
Expand All @@ -65,25 +65,28 @@
$logdir = '/var/log'
$service_name = 'unbound'
$package_name = 'unbound'
$anchor_file = '/var/lib/unbound/root.key'
$runtime_dir = '/var/lib/unbound'
$owner = 'unbound'
$group = 'unbound'
$group = 'unbound'
$pidfile = '/var/run/unbound/unbound.pid'
$fetch_client = 'wget -O'
}
default: {
$confdir = '/etc/unbound'
$logdir = '/var/log'
$service_name = 'unbound'
$package_name = 'unbound'
$anchor_file = "${confdir}/root.anchor"
$runtime_dir = $confdir
$owner = 'unbound'
$group = 'unbound'
$fetch_client = 'wget -O'
}
}

$access = ['::1','127.0.0.1/8']
$auto_trust_anchor_file = "${runtime_dir}/root.key"
$anchor_fetch_command = "unbound-anchor -a ${auto_trust_anchor_file}"
$chroot = undef
$conf_d = "${confdir}/conf.d"
$config_file = "${confdir}/unbound.conf"
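Review bot: The new default `$runtime_dir = $confdir` in four of the platform branches (and in `default:`) makes the directory the daemon must write for RFC 5011 rollovers the same directory that holds `unbound.conf`, so once init.pp applies its ownership change the service account owns its own configuration on those platforms. A dedicated location keeps `root.key` writable without widening access to the config tree, e.g. `$runtime_dir = "${confdir}/anchors"` where no packaged state directory exists (the BSD packages appear to ship one of their own — confirm against each platform's package layout before choosing the path). It would also help to note next to `$anchor_fetch_command` that `unbound-anchor` performs an HTTPS fetch against IANA as `$owner` on first run, so hosts without outbound access fall back to the compiled-in anchor; that behaviour is presumably intended but is not obvious from the variable name.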
2 changes: 1 addition & 1 deletion templates/unbound.conf.erb
Expand Up @@ -3,7 +3,7 @@
server:
verbosity: <%= @verbosity %>
trusted-keys-file: <%= @trusted_keys_file %>
auto-trust-anchor-file: <%= @anchor_file %>
auto-trust-anchor-file: <%= @auto_trust_anchor_file %>
do-not-query-localhost: no
use-syslog: yes
extended-statistics: <%= @extended_statistics %>

