unbound: Fix for DNS forwarding of .local zones
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 2 Nov 2016 15:42:40 +0000 (15:42 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 2 Nov 2016 15:51:49 +0000 (15:51 +0000)
These are traditionally used for Windows domains and should not
be used for that. However, if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/107/filelists/files
src/initscripts/init.d/unbound

index b03a86ed779f1d6161ce0df35077e4eb6542755c..1dc0a350d2447d05388051a14201b8f245faf1d4 100644 (file)
@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/traffic.cgi
 var/ipfire/langs
index 4e424775edf1f221b354f790c5139de9f2a071e1..a7952fc1cc706d20b77c34b1c7defe34462075ae 100644 (file)
@@ -168,16 +168,34 @@ write_forward_conf() {
        (
                config_header
 
+               local insecure_zones
+
                local enabled zone server remark
                while IFS="," read -r enabled zone server remark; do
                        # Line must be enabled.
                        [ "${enabled}" = "on" ] || continue
 
+                       # Zones that end with .local are commonly used for internal
+                       # zones and therefore not signed
+                       case "${zone}" in
+                               *.local)
+                                       insecure_zones="${insecure_zones} ${zone}"
+                                       ;;
+                       esac
+
                        echo "forward-zone:"
                        echo "  name: ${zone}"
                        echo "  forward-addr: ${server}"
                        echo
                done < /var/ipfire/dnsforward/config
+
+               if [ -n "${insecure_zones}" ]; then
+                       echo "server:"
+
+                       for zone in ${insecure_zones}; do
+                               echo "  domain-insecure: ${zone}"
+                       done
+               fi
        ) > /etc/unbound/forward.conf
 }
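Review bot: The `case "${zone}" in *.local)` test at the top of the loop is case-sensitive and requires no trailing dot, so a forward entry written as `CORP.LOCAL` or `corp.local.` is still forwarded but never receives a `domain-insecure` line, and unbound will keep trying to validate it, which is the exact failure this commit is meant to cure. Normalizing the name before matching closes that gap: `case "$(echo "${zone}" | tr '[:upper:]' '[:lower:]')" in *.local|*.local.)`. The `server:` block near the end also deserves a one-line comment, e.g. `# domain-insecure switches off DNSSEC validation for the listed zones only; everything else stays validated`, since a reader may otherwise mistake it for a global switch. The accumulation into `insecure_zones` and the unquoted `for zone in ${insecure_zones}` rely on zone names containing no whitespace, which holds for anything unbound would accept from this config.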