From 7fcbc016da85972e5cf2b77fef187afd18ba2bdc Mon Sep 17 00:00:00 2001 From: nnduc Date: Thu, 19 Mar 2026 21:58:14 +0700 Subject: [PATCH] remove ipv6 --- unbound.sh | 78 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 34 deletions(-) diff --git a/unbound.sh b/unbound.sh index 558ba4a..908b4d3 100644 --- a/unbound.sh +++ b/unbound.sh @@ -1,6 +1,8 @@ #!/bin/bash set -e +# ───────────────────────────────────────────── +# Unbound setup script (no package installation) # ───────────────────────────────────────────── RED='\033[0;31m' @@ -23,16 +25,12 @@ if ! command -v unbound &>/dev/null; then error "unbound is not installed. Install it first:\n apt install unbound / dnf install unbound / pacman -S unbound" fi -if ! command -v unbound-anchor &>/dev/null; then - error "unbound-anchor not found. Make sure the full unbound package is installed." -fi - # ── Variables ─────────────────────────────── UNBOUND_DIR="/var/lib/unbound" CONF_DIR="/etc/unbound/unbound.conf.d" CONF_FILE="$CONF_DIR/personal.conf" +MAIN_CONF="/etc/unbound/unbound.conf" ROOT_HINTS="$UNBOUND_DIR/root.hints" -ROOT_KEY="$UNBOUND_DIR/root.key" ROOT_HINTS_URL="https://www.internic.net/domain/named.root" # ── Create directories ─────────────────────── 
@@ -51,29 +49,49 @@ else fi success "Root hints downloaded" -# ── Initialize DNSSEC anchor ───────────────── -info "Initializing DNSSEC trust anchor..." -unbound-anchor -a "$ROOT_KEY" || warn "unbound-anchor returned non-zero (this can be normal if key already exists)" -success "DNSSEC anchor initialized" - # ── Fix ownership ───────────────────────────── info "Setting permissions..." chown -R unbound:unbound "$UNBOUND_DIR" 2>/dev/null || warn "Could not chown $UNBOUND_DIR (unbound user may not exist)" -# ── Write config ────────────────────────────── +# ── Patch main config ───────────────────────── +info "Patching main config..." + +# Disable any active trust-anchor-file (causes SERVFAIL without valid key) +sed -i 's|^[[:space:]]*trust-anchor-file:|# trust-anchor-file:|g' "$MAIN_CONF" + +# Disable validator module if explicitly set +sed -i 's|^[[:space:]]*module-config:.*validator.*|# & # disabled by setup script|g' "$MAIN_CONF" + +# Add include for conf.d if not already present +if ! grep -q 'unbound.conf.d' "$MAIN_CONF"; then + echo 'include: "/etc/unbound/unbound.conf.d/*.conf"' >> "$MAIN_CONF" + success "Added include for conf.d" +fi + +# ── Write personal config ───────────────────── info "Writing config to $CONF_FILE..." -cat > "$CONF_FILE" <<'EOF' +cat > "$CONF_FILE" </dev/null; then +if unbound-checkconf "$MAIN_CONF" &>/dev/null; then success "Config is valid" else - warn "Config check failed, trying full config..." - if unbound-checkconf /etc/unbound/unbound.conf; then - success "Full config is valid" - else - error "Config validation failed. Run: unbound-checkconf /etc/unbound/unbound.conf" - fi + unbound-checkconf "$MAIN_CONF" || error "Config validation failed — see above" fi # ── Enable and restart service ──────────────── info "Enabling and restarting unbound..." systemctl enable unbound systemctl restart unbound - sleep 1 if systemctl is-active --quiet unbound; then success "unbound is running" else - error "unbound failed to start. 
Check: journalctl -u unbound -n 30"
+ journalctl -u unbound -n 20 --no-pager
+ error "unbound failed to start — see logs above"
 fi
 # ── Verify DNS resolution ─────────────────────
@@ -137,7 +143,12 @@ sleep 1
 if dig @127.0.0.1 google.com +short &>/dev/null; then
 success "DNS resolution works"
 else
- warn "dig test failed — try manually: dig @127.0.0.1 google.com"
+ warn "dig test failed — unbound may need a forwarder"
+ warn "Try manually: dig @127.0.0.1 google.com"
+ warn "If it fails, add a forwarder to $CONF_FILE:"
+ warn " forward-zone:"
+ warn " name: \".\""
+ warn " forward-addr: 1.1.1.1"
 fi
 
 # ── Done ──────────────────────────────────────
@@ -148,12 +159,11 @@ echo -e "${GREEN}═════════════════════
 echo ""
 echo " Verify with:"
 echo " dig @127.0.0.1 google.com"
-echo " dig @127.0.0.1 google.com +dnssec # look for 'ad' flag"
-echo " dig @127.0.0.1 sigfail.verteiltesysteme.net # should be SERVFAIL"
+echo " dig @127.0.0.1 google.com | grep 'Query time' # run twice, 2nd should be 0ms"
 echo ""
 echo " To use as system resolver, add to /etc/resolv.conf:"
 echo " nameserver 127.0.0.1"
 echo ""
 echo " Or in WireGuard [Interface]:"
 echo " DNS = 127.0.0.1"
-echo ""
+echo ""
\ No newline at end of file
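Review bot: The two `sed -i` lines in the new "Patch main config" section turn off DNSSEC validation for the whole resolver — they comment out any active `trust-anchor-file:` and any `module-config:` line naming `validator` — while the commit title only says "remove ipv6", and the earlier hunk drops the `unbound-anchor` check and `ROOT_KEY`, so nothing re-establishes a trust anchor afterwards. Rather than disabling validation, keep the anchor and let Unbound maintain it: `auto-trust-anchor-file: "$UNBOUND_DIR/root.key"` seeded with `unbound-anchor -a "$ROOT_KEY"` as the removed block did, and fall back to commenting the lines out only when that seeding fails, with an explicit log line saying validation is off. The edits also rewrite the distribution's main config in place with no existence check or backup; `[[ -f "$MAIN_CONF" ]] || error "…"` and `sed -i.bak` (or a `cp -a` beforehand) would make the change recoverable. The `grep -q 'unbound.conf.d'` guard matches a commented-out include as well, so on such a file the `include:` line is never appended; anchor it, e.g. `grep -Eq '^[[:space:]]*include(-toplevel)?:.*unbound\.conf\.d'`. The rest of this hunk (the heredoc written to `$CONF_FILE` and the validation block that follows it) is not legible in this view and was not reviewed.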
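Review bot: The forwarder hint printed by the new `warn` lines recommends plaintext DNS to `1.1.1.1`, and because this script also comments out the trust anchor and validator in the main config, a resolver set up from that hint checks nothing about the answers it receives. If the hint stays, suggest the encrypted form: `forward-tls-upstream: yes` and `forward-addr: 1.1.1.1@853#cloudflare-dns.com`, with `tls-cert-bundle:` pointing at the system CA bundle so the upstream certificate is verified. A shorter alternative is a single `warn` line pointing the operator at the `forward-zone` section of `man unbound.conf` instead of embedding a config fragment in log output.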