RPZ policy for unbound - transform RPZ zone into local zone statements

rpz_unbound.sh

#!/bin/bash

RPZ_ZONE="rpz.cesnet.cz"
RPZ_SERVER="nsa.cesnet.cz"
OUTPUT_FILE="unbound_$RPZ_ZONE.conf"


function resolve_target() {
        local domain="$1"
        shift
        local target=$@
        dig +noauthority +noadditional +noquestion $target | sed -rn 's_^.*(\s+IN\s+A(AAA)?\s+.*)$_'$domain'\1_p'
}

function get_local_data() {
        while read domain target; do
                if [[ "${target}" = "." ]]; then #just block - we do nothing
                        echo -e "$domain\tIN\tCNAME\t$target"
                else #try to resolve the target
                        resolve_target "${domain}" "${target}" -t A
                        resolve_target "${domain}" "${target}" -t AAAA
                fi
        done
}

set -e
rawrpz=$(dig -t axfr "$RPZ_ZONE" @"$RPZ_SERVER")
rpz=$(sed -rn 's_^(.*)\.'"$RPZ_ZONE"'\.\s.*IN\s+CNAME\s+(.*)$_\1\t\2_p' <<<"$rawrpz")
local_data=$(get_local_data <<<"$rpz")

echo "server:" > "${OUTPUT_FILE}"
while read line; do
        [[ -n "$line" ]] && \
                echo -e "\tlocal-data: \"$line\"" >> "${OUTPUT_FILE}"
done <<< "${local_data}"

For anyone arriving here, Unbound now supports RPZ directly.