From 387fc592d7cbd68c8cc9d82faea0ff66800038ec Mon Sep 17 00:00:00 2001
From: kulikov-a <36099472+kulikov-a@users.noreply.github.com>
Date: Mon, 26 Feb 2024 11:57:01 +0300
Subject: [PATCH] uinbound: aggressive-nsec switch (#7281)
---
.../controllers/OPNsense/Unbound/forms/advanced.xml | 10 ++++++++++
.../mvc/app/models/OPNsense/Unbound/Unbound.xml | 6 +++++-
.../templates/OPNsense/Unbound/core/advanced.conf | 1 +
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
index 456af5040..99634be82 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/advanced.xml
@@ -33,6 +33,16 @@
If this is disabled and no DNSSEC data is received, then the zone is made insecure.
+
+ unbound.advanced.aggressivensec
+
+ checkbox
+
+ Enable RFC8198-based aggressive use of the DNSSEC-Validated cache.
+ Helps to reduce the query rate towards targets but may lead to false negative responses
+ if there are errors in the zone config.
+
+
unbound.advanced.qnameminstrict
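Review bot: The help text added for `unbound.advanced.aggressivensec` does not tell the operator that the switch depends on DNSSEC validation being active. RFC 8198 synthesis works from validated NSEC records in the cache, so with validation off the checkbox would presumably do nothing. "False negative responses" is also vague about what the resolver actually returns. I would add a sentence such as `Only takes effect when DNSSEC validation is enabled; negative answers (NXDOMAIN/NODATA) are then synthesized from cached, validated NSEC records.` The template line in core/advanced.conf writes the option unconditionally, so the form is the only place an operator would learn of this dependency.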
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 0b962e878..fdc6922a3 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
//OPNsense/unboundplus
Unbound configuration
- 1.0.8
+ 1.0.9
@@ -61,6 +61,10 @@
+
+ Y
+ 1
+
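Review bot: The new model field looks like it is required with a default of 1, so existing installations would get `aggressive-nsec: yes` written explicitly after upgrade without anyone ticking the box. The element names are stripped in this view, so that reading is inferred from the surviving `Y` and `1` values. The diffstat shows no migration alongside the 1.0.8 to 1.0.9 bump. If the default is meant to mirror Unbound's own built-in default, so that the upgrade does not change behaviour, the commit message should say so, for example `default follows Unbound's built-in aggressive-nsec setting; no behaviour change on upgrade`. Otherwise a resolver behaviour change arrives silently for operators who never visit the advanced page.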
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
index 360351c88..bb2bb66e6 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/advanced.conf
@@ -11,6 +11,7 @@ hide-version: {{ set_boolean(OPNsense.unboundplus.advanced.hideversion) }}
prefetch: {{ set_boolean(OPNsense.unboundplus.advanced.prefetch) }}
prefetch-key: {{ set_boolean(OPNsense.unboundplus.advanced.prefetchkey) }}
harden-dnssec-stripped: {{ set_boolean(OPNsense.unboundplus.advanced.dnssecstripped) }}
+aggressive-nsec: {{ set_boolean(OPNsense.unboundplus.advanced.aggressivensec) }}
serve-expired: {{ set_boolean(OPNsense.unboundplus.advanced.serveexpired) }}
{{ set_numeric_value('serve-expired-reply-ttl', OPNsense.unboundplus.advanced.serveexpiredreplyttl) }}
{{ set_numeric_value('serve-expired-ttl', OPNsense.unboundplus.advanced.serveexpiredttl) }}