From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 5 Mar 2019 16:58:29 +0000 (+0000)
Subject: unbound: Mark domains as insecure from DNS forwarding
X-Git-Tag: v2.23-core131~132^2
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=1ececb67a1f83dd931e31d66893893ce542d0814

unbound: Mark domains as insecure from DNS forwarding

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 2ef994e963..af9bcef73c 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -197,8 +197,8 @@ write_forward_conf() {
 
 		local insecure_zones="${INSECURE_ZONES}"
 
-		local enabled zone server servers remark
-		while IFS="," read -r enabled zone servers remark; do
+		local enabled zone server servers remark disable_dnssec rest
+		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
 			# Line must be enabled.
 			[ "${enabled}" = "on" ] || continue
 
@@ -208,6 +208,11 @@ write_forward_conf() {
 				*.local)
 					insecure_zones="${insecure_zones} ${zone}"
 					;;
+				*)
+					if [ "${disable_dnssec}" = "on" ]; then
+						insecure_zones="${insecure_zones} ${zone}"
+					fi
+					;;
 			esac
 
 			# Reverse-lookup zones must be stubs