From 960be1a65834aec8fb1e613e99f75cb844a64997 Mon Sep 17 00:00:00 2001
From: Stanislas Lange
Date: Thu, 4 Dec 2025 18:08:09 +0100
Subject: [PATCH] security: add validation for root.hints download

Verify that the downloaded root.hints file is not empty and contains expected DNS root server content before using it.
---
 openvpn-install.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 5c1f8b0..5feccfa 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -147,6 +147,12 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 # Get root servers list
 curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
+ # Verify download was successful and file contains expected content
+ if [[ ! -s /etc/unbound/root.hints ]] || ! grep -q "ROOT-SERVERS" /etc/unbound/root.hints; then
+ echo "Failed to download root.hints or file is invalid!"
+ rm -f /etc/unbound/root.hints
+ exit 1
+ fi
 if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
 mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old