From beebf925c38004d0703f8777a16f32adb9e1d8fa Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 7 Jan 2020 16:32:35 +0000
Subject: [PATCH] unbound: Implement setting qname minimisation into strict mode
Signed-off-by: Stefan Schantl
Signed-off-by: Michael Tremer
---
 config/unbound/unbound.conf | 1 +
 src/initscripts/system/unbound | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 755eac9af8..ce51f63a00 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,7 @@ server:
 harden-algo-downgrade: no
 use-caps-for-id: yes
 aggressive-nsec: yes
+ qname-minimisation: yes
 # TLS
 tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 42470da05a..68309bbfdb 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -102,6 +102,13 @@ write_forward_conf() {
 (
 config_header
+ # Enable strict QNAME minimisation
+ if [ "${QNAME_MIN}" = "strict" ]; then
+ echo "server:"
+ echo " qname-minimisation-strict: yes"
+ echo
+ fi
+ # Force using TCP for upstream servers only
 if [ "${PROTO}" = "TCP" ]; then
 echo "# Force using TCP for upstream servers only"
-- 2.39.5
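Review bot: The added `qname-minimisation: yes` in the `server:` block carries no comment, while the strict switch that depends on it is emitted from a different file, the initscript's `write_forward_conf`. Per the unbound documentation, `qname-minimisation-strict` only has an effect while `qname-minimisation` is enabled, so removing this line later would silently disable strict mode too. A one-line comment above it, such as `# QNAME minimisation (RFC 7816); prerequisite for qname-minimisation-strict written by the initscript`, would record that coupling.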
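Review bot: The new test `[ "${QNAME_MIN}" = "strict" ]` matches only the exact lower-case string, so an unset, mis-cased or mistyped value silently leaves strict mode off with no indication. The neighbouring `"${PROTO}" = "TCP"` test uses an upper-case value, which makes the convention easy to get wrong. Where `QNAME_MIN` is read and which values it accepts is not visible in this hunk, so I would document that next to the test, e.g. `# QNAME_MIN: "strict" enables strict mode; any other value keeps the relaxed fallback`. The comment should also note the operational caveat from the unbound documentation: strict mode never falls back to sending the full QNAME, so names served by nameservers that mishandle minimised queries stop resolving. The body of `write_forward_conf` continues outside the hunk.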