[os-bind] #3650 - break-dnssec toggle needed for Enable filter-aaaa o…

…n IPv4/IPv6 clients (#3651) If DNSSEC validation is disabled, filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec instead of yes, then AAAA records will be omitted even if they are signed. See #3650
opnsense · Nov 6, 2023 · 8e57555 · 8e57555
1 parent 69bc636
commit 8e57555
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -73,13 +73,13 @@
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv4 Clients</help>
+        <help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
     </field>
     <field>
         <id>general.filteraaaav6</id>
         <label>Enable filter-aaaa on IPv6 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv6 Clients</help>
+        <help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
     </field>
     <field>
         <id>general.filteraaaaacl</id>

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -222,10 +222,18 @@ logging {
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
 plugin query "/usr/local/lib/bind/filter-aaaa.so" {
 {% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
+{%   if OPNsense.bind.general.dnssecvalidation == 'no' %}
+                   filter-aaaa-on-v4 break-dnssec;
+{%   else %}
                    filter-aaaa-on-v4 yes;
+{%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
+{%   if OPNsense.bind.general.dnssecvalidation == 'no' %}
+                   filter-aaaa-on-v6 break-dnssec;
+{%   else %}
                    filter-aaaa-on-v6 yes;
+{%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
         filter-aaaa    { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };