From a6dcc5bb77760d887f1bee7271590b78437b85f4 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 2 Nov 2016 15:42:40 +0000
Subject: [PATCH] unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not be used for that. However if they are used like this, DNSSEC validation cannot be used.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/107/filelists/files | 1 +
 src/initscripts/init.d/unbound | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files
index b03a86ed77..1dc0a350d2 100644
--- a/config/rootfiles/core/107/filelists/files
+++ b/config/rootfiles/core/107/filelists/files
@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/traffic.cgi
 var/ipfire/langs
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 4e424775ed..a7952fc1cc 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -168,16 +168,34 @@ write_forward_conf() {
 (
 config_header
 
+ local insecure_zones
+ local enabled zone server remark
 while IFS="," read -r enabled zone server remark; do
 # Line must be enabled.
 [ "${enabled}" = "on" ] || continue
 
+ # Zones that end with .local are commonly used for internal
+ # zones and therefore not signed
+ case "${zone}" in
+ *.local)
+ insecure_zones="${insecure_zones} ${zone}"
+ ;;
+ esac
+
 echo "forward-zone:"
 echo " name: ${zone}"
 echo " forward-addr: ${server}"
 echo
 done < /var/ipfire/dnsforward/config
+
+ if [ -n "${insecure_zones}" ]; then
+ echo "server:"
+
+ for zone in ${insecure_zones}; do
+ echo " domain-insecure: ${zone}"
+ done
+ fi
 ) > /etc/unbound/forward.conf
 }
-- 
2.39.2
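Review bot: The `*.local` pattern in the new `case` arm is a case-sensitive shell glob, so a zone stored as `CORP.LOCAL` or with a trailing dot (`corp.local.`) is still forwarded but never receives a `domain-insecure` line, which leaves exactly the validation failure this commit sets out to fix; whether such values can reach this file depends on how the DNS forwarding page normalizes the zone field, which is not visible here. Normalizing before matching closes that gap: `lower=$(printf '%s' "${zone}" | tr '[:upper:]' '[:lower:]')` followed by `case "${lower}" in *.local|*.local.)`. The later `for zone in ${insecure_zones}` deliberately relies on word splitting, so it assumes zone names contain no whitespace; a short comment stating that assumption (or a `set -f`/`set +f` pair around the loop to suppress pathname expansion) would make the intent explicit. Because `domain-insecure` switches DNSSEC validation off for that name and everything below it, the new comment should say so rather than only why the zones are unsigned, e.g. `# domain-insecure disables DNSSEC validation for the zone and its subtree; keep this limited to the .local zones matched above`. The enclosing write_forward_conf() starts before the hunk.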