From mboxrd@z Thu Jan  1 00:00:00 1970
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/2] unbound: Mark domains as insecure from DNS forwarding
Date: Tue, 05 Mar 2019 16:59:09 +0000
Message-ID: <20190305165909.25087-2-michael.tremer@ipfire.org>
In-Reply-To: <20190305165909.25087-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3843526667818409816=="
List-Id: <development.lists.ipfire.org>

--===============3843526667818409816==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 src/initscripts/system/unbound | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 2ef994e96..af9bcef73 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -197,8 +197,8 @@ write_forward_conf() {
 
 		local insecure_zones="${INSECURE_ZONES}"
 
-		local enabled zone server servers remark
-		while IFS="," read -r enabled zone servers remark; do
+		local enabled zone server servers remark disable_dnssec rest
+		while IFS="," read -r enabled zone servers remark disable_dnssec rest; do
 			# Line must be enabled.
 			[ "${enabled}" = "on" ] || continue
 
@@ -208,6 +208,11 @@ write_forward_conf() {
 				*.local)
 					insecure_zones="${insecure_zones} ${zone}"
 					;;
+				*)
+					if [ "${disable_dnssec}" = "on" ]; then
+						insecure_zones="${insecure_zones} ${zone}"
+					fi
+					;;
 			esac
 
 			# Reverse-lookup zones must be stubs
-- 
2.12.2


--===============3843526667818409816==--