uinbound: aggressive-nsec switch (#7281)

2026-03-17 18:14:42 +00:00 · 2024-02-26 11:57:01 +03:00 · 2024-02-26 11:57:01 +03:00 · 387fc592d7
commit 387fc592d7
parent 668a057dac
3 changed files with 16 additions and 1 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@ -33,6 +33,16 @@
            If this is disabled and no DNSSEC data is received, then the zone is made insecure.
        </help>
    </field>
+    <field>
+        <id>unbound.advanced.aggressivensec</id>
+        <label>Aggressive NSEC</label>
+        <type>checkbox</type>
+        <help>
+            Enable RFC8198-based aggressive use of the DNSSEC-Validated cache.
+            Helps to reduce the query rate towards targets but may lead to false negative responses
+            if there are errors in the zone config.
+        </help>
+    </field>
    <field>
        <id>unbound.advanced.qnameminstrict</id>
        <label>Strict QNAME Minimisation</label>
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@ -1,7 +1,7 @@
 <model>
    <mount>//OPNsense/unboundplus</mount>
    <description>Unbound configuration</description>
-    <version>1.0.8</version>
+    <version>1.0.9</version>
    <items>
        <general>
            <enabled type="BooleanField">
@ -61,6 +61,10 @@
            <prefetch type="BooleanField"/>
            <prefetchkey type="BooleanField"/>
            <dnssecstripped type="BooleanField"/>
+            <aggressivensec type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </aggressivensec>
            <serveexpired type="BooleanField"/>
            <serveexpiredreplyttl type="NumericField"/>
            <serveexpiredttl type="NumericField"/>
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
@ -11,6 +11,7 @@ hide-version: {{ set_boolean(OPNsense.unboundplus.advanced.hideversion) }}
 prefetch: {{ set_boolean(OPNsense.unboundplus.advanced.prefetch) }}
 prefetch-key: {{ set_boolean(OPNsense.unboundplus.advanced.prefetchkey) }}
 harden-dnssec-stripped: {{ set_boolean(OPNsense.unboundplus.advanced.dnssecstripped) }}
+aggressive-nsec: {{ set_boolean(OPNsense.unboundplus.advanced.aggressivensec) }}
 serve-expired: {{ set_boolean(OPNsense.unboundplus.advanced.serveexpired) }}
 {{ set_numeric_value('serve-expired-reply-ttl', OPNsense.unboundplus.advanced.serveexpiredreplyttl) }}
 {{ set_numeric_value('serve-expired-ttl', OPNsense.unboundplus.advanced.serveexpiredttl) }}