Add authoritative zone handling

* 'master' of github.com:DNSCrypt/dnscrypt-server-docker:
  Update docker-image.yml

.github/workflows/docker-image.yml

@@ -15,4 +15,4 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag my-image-name:$(date +%s)
+      run: docker buildx build . --file Dockerfile --tag my-image-name:$(date +%s)

Dockerfile

@@ -3,7 +3,7 @@ LABEL maintainer="Frank Denis"
 SHELL ["/bin/sh", "-x", "-c"]
 ENV SERIAL 12
 
-ENV CFLAGS=-Ofast
+ENV CFLAGS=-O3
 ENV BUILD_DEPS   curl make build-essential git libevent-dev libexpat1-dev autoconf file libssl-dev flex bison
 ENV RUNTIME_DEPS bash util-linux coreutils findutils grep libssl3 ldnsutils libevent-2.1 expat ca-certificates runit runit-helper jed
 
@@ -14,10 +14,13 @@ RUN apt-get update && apt-get -qy dist-upgrade && apt-get -qy clean && \
 RUN update-ca-certificates 2> /dev/null || true
 
 ENV UNBOUND_GIT_URL https://github.com/NLnetLabs/unbound.git
-ENV UNBOUND_GIT_REVISION 10843805ac37002f1d9293c9835a3e68e41d392d
+ENV UNBOUND_GIT_REVISION a8739bad76d4d179290627e989c7ef236345bda6
 
 WORKDIR /tmp
 
+# --- FOR TESTING ---
+# RUN apt-get update && apt-get install -y iproute2 less vim
+
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     git clone --depth=1000 "$UNBOUND_GIT_URL" && \
     cd unbound && \
@@ -61,17 +64,17 @@ RUN mkdir -p \
     /var/svc/encrypted-dns \
     /var/svc/watchdog
 
-COPY encrypted-dns.toml.in /opt/encrypted-dns/etc/
-COPY undelegated.txt /opt/encrypted-dns/etc/
+COPY --chmod=644 encrypted-dns.toml.in /opt/encrypted-dns/etc/
+COPY --chmod=644 undelegated.txt /opt/encrypted-dns/etc/
 
-COPY entrypoint.sh /
+COPY --chmod=755 entrypoint.sh /
 
-COPY unbound.sh /var/svc/unbound/run
-COPY unbound-check.sh /var/svc/unbound/check
+COPY --chmod=755 unbound.sh /var/svc/unbound/run
+COPY --chmod=755 unbound-check.sh /var/svc/unbound/check
 
-COPY encrypted-dns.sh /var/svc/encrypted-dns/run
+COPY --chmod=755 encrypted-dns.sh /var/svc/encrypted-dns/run
 
-COPY watchdog.sh /var/svc/watchdog/run
+COPY --chmod=755 watchdog.sh /var/svc/watchdog/run
 
 RUN ln -sf /opt/encrypted-dns/etc/keys/encrypted-dns.toml /opt/encrypted-dns/etc/encrypted-dns.toml
 

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2015-2020, Frank Denis <github@pureftpd.org>
+Copyright (c) 2015-2024, Frank Denis <github@pureftpd.org>
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above

entrypoint.sh

@@ -14,6 +14,7 @@ CONF_DIR="/opt/encrypted-dns/etc"
 CONFIG_FILE="${KEYS_DIR}/encrypted-dns.toml"
 CONFIG_FILE_TEMPLATE="${CONF_DIR}/encrypted-dns.toml.in"
 SERVICES_DIR="/etc/runit/runsvdir/svmanaged"
+SCRIPTNAME=$(basename $0)
 
 init() {
     if [ "$(is_initialized)" = yes ]; then
@@ -21,21 +22,57 @@ init() {
         exit $?
     fi
 
+    # TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' --longoptions 'unbound-on-all-interfaces' -- "$@")
+    TEMP=$(getopt --name "${SCRIPTNAME}" --options 'h?N:E:T:AM:' -- "$@")
+    eval set -- "$TEMP"
+
     anondns_enabled="false"
     anondns_blacklisted_ips=""
 
     metrics_address="127.0.0.1:9100"
 
-    while getopts "h?N:E:T:AM:" opt; do
-        case "$opt" in
-        h | \?) usage ;;
-        N) provider_name=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        E) ext_addresses=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        T) tls_proxy_upstream_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
-        A) anondns_enabled="true" ;;
-        M) metrics_address=$(echo "$OPTARG" | sed -e 's/^[ \t]*//' | tr A-Z a-z) ;;
+    # extract options and their arguments into variables.
+    while true ; do
+        case "$1" in
+            -h | -\?)
+                shift
+                usage
+                ;;
+            -N)
+                provider_name=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -E)
+                ext_addresses=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -T)
+                tls_proxy_upstream_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            -A)
+                anondns_enabled="true"
+                shift
+                ;;
+            -M)
+                metrics_address=$(echo "$2" | sed -e 's/^[ \t]*//' | tr A-Z a-z)
+                shift 2
+                ;;
+            # --unbound-on-all-interfaces)
+            #     touch /opt/unbound/run-options/use-all-interfaces
+            #     shift
+            #     ;;
+            --)
+                shift
+                break
+                ;;
+            *)
+                echo "Internal error!"
+                exit 1
+                ;;
         esac
     done
+
     [ -z "$provider_name" ] && usage
     case "$provider_name" in
     .*) usage ;;

unbound.sh

@@ -2,6 +2,36 @@
 
 KEYS_DIR="/opt/encrypted-dns/etc/keys"
 ZONES_DIR="/opt/unbound/etc/unbound/zones"
+AUTHZONES_DIR="/opt/unbound/etc/unbound/auth-zones"
+
+OIFS="${IFS}"
+
+INTERFACES="\
+  interface: 127.0.0.1@553
+  interface: ::1@553"
+ACCESS_CONTROL="\
+  access-control: 0.0.0.0/0 allow
+  access-control: ::0/0 allow"
+AUTHZONE_INCLUDE=""
+
+test -d $AUTHZONES_DIR && {
+    chown -R _unbound:_unbound $AUTHZONES_DIR
+    INTERFACES="\
+  interface: 0.0.0.0@553
+  interface: ::@553"
+    ACCESS_CONTROL="\
+  access-control: 127.0.0.1/32 allow
+  access-control: ::1/128 allow
+  access-control: 0.0.0.0/0 refuse_non_local
+  access-control: ::0/0 refuse_non_local"
+    AUTHZONE_INCLUDE="include: \"${AUTHZONES_DIR}/*.conf\""
+}
+
+# Replace multiline replacements so sed can deal with them later
+INTERFACES=$(echo -n "${INTERFACES}" | sed -z 's/\n/\\n/g')
+ACCESS_CONTROL=$(echo -n "${ACCESS_CONTROL}" | sed -z 's/\n/\\n/g')
+
+IFS="${OIFS}"
 
 reserved=134217728
 availableMemory=$((1024 * $( (grep -F MemAvailable /proc/meminfo || grep -F MemTotal /proc/meminfo) | sed 's/[^0-9]//g')))
@@ -27,11 +57,15 @@ sed \
     -e "s/@RR_CACHE_SIZE@/${rr_cache_size}/" \
     -e "s/@THREADS@/${threads}/" \
     -e "s#@ZONES_DIR@#${ZONES_DIR}#" \
+    -e "s#@INTERFACES@#${INTERFACES}#" \
+    -e "s#@ACCESS_CONTROL@#${ACCESS_CONTROL}#" \
+    -e "s#@AUTHZONE_INCLUDE@#${AUTHZONE_INCLUDE}#" \
     >/opt/unbound/etc/unbound/unbound.conf <<EOT
 server:
   verbosity: 1
   num-threads: @THREADS@
-  interface: 127.0.0.1@553
+@INTERFACES@
+@ACCESS_CONTROL@
   so-reuseport: yes
   edns-buffer-size: 1232
   delay-close: 10000
@@ -66,8 +100,6 @@ server:
   serve-expired: yes
   serve-expired-ttl: 86400
   serve-expired-ttl-reset: yes
-  access-control: 0.0.0.0/0 allow
-  access-control: ::0/0 allow
   tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
   aggressive-nsec: yes
   val-bogus-ttl: 600
@@ -138,6 +170,8 @@ auth-zone:
   for-downstream: no
   for-upstream: yes
   zonefile: "var/root.zone"
+
+@AUTHZONE_INCLUDE@
 EOT
 
 mkdir -p /opt/unbound/etc/unbound/dev &&