diff options
author | Chris Buechler <cmb@pfsense.org> | 2015-10-21 19:56:04 -0500 |
---|---|---|
committer | Chris Buechler <cmb@pfsense.org> | 2015-10-21 19:56:04 -0500 |
commit | 4eeb2809d023ddd260c938dac20654515d5a9055 (patch) | |
tree | da80edb94028f224d62a235a1bf8a97a8469ca74 /src/etc/inc/unbound.inc | |
parent | 1da8a2e37269297978f6a96f07b46e536c1c8614 (diff) | |
download | pfsense-4eeb2809d023ddd260c938dac20654515d5a9055.zip pfsense-4eeb2809d023ddd260c938dac20654515d5a9055.tar.gz |
Check unbound root.key file contents, and remove it if invalid, before unbound-anchor runs otherwise it will fail and unbound will fail to start. fsync the file after writing to prevent the problem. Ticket #5334
Diffstat (limited to 'src/etc/inc/unbound.inc')
-rw-r--r-- | src/etc/inc/unbound.inc | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/src/etc/inc/unbound.inc b/src/etc/inc/unbound.inc index 043ced2..5447c4c 100644 --- a/src/etc/inc/unbound.inc +++ b/src/etc/inc/unbound.inc @@ -470,7 +470,16 @@ function do_as_unbound_user($cmd) { mwexec("echo '/usr/local/sbin/unbound-control reload' | /usr/bin/su -m unbound", true); break; case "unbound-anchor": + // sanity check root.key because unbound-anchor will fail without manual removal otherwise. redmine #5334 + if (file_exists("{$g['unbound_chroot_path']}/root.key")) { + $rootkeycheck = mwexec("/usr/bin/grep 'autotrust trust anchor file' {$g['unbound_chroot_path']}/root.key", true); + if ($rootkeycheck != "0") { + log_error("Unbound root.key file is corrupt, removing and recreating."); + unlink_if_exists("{$g['unbound_chroot_path']}/root.key"); + } + } mwexec("echo '/usr/local/sbin/unbound-anchor -a {$g['unbound_chroot_path']}/root.key' | /usr/bin/su -m unbound", true); + pfSense_fsync("{$g['unbound_chroot_path']}/root.key"); break; case "unbound-control-setup": mwexec("echo '/usr/local/sbin/unbound-control-setup -d {$g['unbound_chroot_path']}' | /usr/bin/su -m unbound", true); |