upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-04-29 18:08:58 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

[os-bind] #3650 - break-dnssec toggle needed for Enable filter-aaaa on IPv4/IPv6 clients (#3651)

Browse source 
If DNSSEC validation is disabled, filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec
instead of yes, then AAAA records will be omitted even if they are signed.

See https://github.com/opnsense/plugins/issues/3650
This commit is contained in:
doktornotor 2023-11-06 09:21:58 +01:00 committed by GitHub
parent 69bc636cd5
commit 8e57555345
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
View file

@ -73,13 +73,13 @@
<id>general.filteraaaav4</id>
<label>Enable filter-aaaa on IPv4 Clients</label>
<type>checkbox</type>
<help>This will filter AAAA records on IPv4 Clients</help>
<help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
</field>
<field>
<id>general.filteraaaav6</id>
<label>Enable filter-aaaa on IPv6 Clients</label>
<type>checkbox</type>
<help>This will filter AAAA records on IPv6 Clients</help>
<help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
</field>
<field>
<id>general.filteraaaaacl</id>

8
dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
View file

@ -222,10 +222,18 @@ logging {
{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
plugin query "/usr/local/lib/bind/filter-aaaa.so" {
{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
{% if OPNsense.bind.general.dnssecvalidation == 'no' %}
filter-aaaa-on-v4 break-dnssec;
{% else %}
filter-aaaa-on-v4 yes;
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
{% if OPNsense.bind.general.dnssecvalidation == 'no' %}
filter-aaaa-on-v6 break-dnssec;
{% else %}
filter-aaaa-on-v6 yes;
{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
filter-aaaa { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };