From: Michael Tremer
Date: Tue, 7 Jan 2020 16:32:35 +0000 (+0000)
Subject: unbound: Implement setting qname minimisation into strict mode
X-Git-Tag: v2.25-core141~70^2~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=beebf925c38004d0703f8777a16f32adb9e1d8fa;p=ipfire-2.x.git
unbound: Implement setting qname minimisation into strict mode
Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 755eac9af8..ce51f63a00 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,7 @@ server:
 harden-algo-downgrade: no
 use-caps-for-id: yes
 aggressive-nsec: yes
+ qname-minimisation: yes
 # TLS
 tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 42470da05a..68309bbfdb 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -102,6 +102,13 @@ write_forward_conf() {
 (
 config_header
+ # Enable strict QNAME minimisation
+ if [ "${QNAME_MIN}" = "strict" ]; then
+ echo "server:"
+ echo " qname-minimisation-strict: yes"
+ echo
+ fi
+
 # Force using TCP for upstream servers only
 if [ "${PROTO}" = "TCP" ]; then
 echo "# Force using TCP for upstream servers only"
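Review bot: The added `qname-minimisation: yes` line in the `server:` clause carries no comment, yet the strict option that the initscript writes in the second hunk depends on it. Per unbound.conf(5), `qname-minimisation-strict` only has an effect while `qname-minimisation` is enabled. I would add a line above it such as `# QNAME minimisation (RFC 7816); required for qname-minimisation-strict set by the initscript`, so a later cleanup does not drop the setting as redundant. The `server:` clause starts and ends outside the hunk.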
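Review bot: The new `if [ "${QNAME_MIN}" = "strict" ]` block disables Unbound's fallback to the full query name, but its comment does not say what that costs. unbound.conf(5) warns that with `qname-minimisation-strict: yes` many domains behind non-compliant nameservers stop resolving, which will surface as resolution failures. I would extend the comment to `# Enable strict QNAME minimisation (no fallback to the full QNAME; names behind broken nameservers will fail to resolve)`. The test matches only the exact string `strict`, so a misspelled or differently cased value silently leaves the resolver in relaxed mode; where `QNAME_MIN` is read and validated is not visible in this hunk. write_forward_conf starts and ends outside the hunk.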