From c7e41255bb37b9bbc4da6f8631283ec0b048c39f Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun, 11 Feb 2018 17:43:43 +0000
Subject: [PATCH] unbound: Fix reverse lookup zones

These should be stubs and overlay the internal zones that
unbound comes with.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11625
---
 src/initscripts/system/unbound | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 4e7e63e5fa..a46999992a 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -210,10 +210,24 @@ write_forward_conf() {
 					;;
 			esac
 
-			echo "forward-zone:"
-			echo "	name: ${zone}"
-			echo "	forward-addr: ${server}"
-			echo
+			# Reverse-lookup zones must be stubs
+			case "${zone}" in
+				*.in-addr.arpa)
+					echo "stub-zone:"
+					echo "	name: ${zone}."
+					echo "	stub-addr: ${server}"
+					echo
+					echo "server:"
+					echo "	local-zone: \"${zone}.\" transparent"
+					echo
+					;;
+				*)
+					echo "forward-zone:"
+					echo "	name: ${zone}."
+					echo "	forward-addr: ${server}"
+					echo
+					;;
+			esac
 		done < /var/ipfire/dnsforward/config
 
 		if [ -n "${insecure_zones}" ]; then
-- 
2.39.2