unbound: Implement setting qname minimisation into strict mode

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 755eac9af89739e1131a599fc315de1b785f8af0..ce51f63a0042d72a73cb0192826b1ed7b0fff05d 100644 (file)
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,7 @@ server:
        harden-algo-downgrade: no
        use-caps-for-id: yes
        aggressive-nsec: yes
+       qname-minimisation: yes
 
        # TLS
        tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 42470da05aab2520860b81a6ac94e9e53d8a6e9d..68309bbfdb5201c039777f8d5bf441e0ae0d8af5 100644 (file)
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -102,6 +102,13 @@ write_forward_conf() {
        (
                config_header
 
+               # Enable strict QNAME minimisation
+               if [ "${QNAME_MIN}" = "strict" ]; then
+                       echo "server:"
+                       echo "  qname-minimisation-strict: yes"
+                       echo
+               fi
+
                # Force using TCP for upstream servers only
                if [ "${PROTO}" = "TCP" ]; then
                        echo "# Force using TCP for upstream servers only"