This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  beac5489627eafefcc6dd3adabfd1c74ffacc4d0 (commit)
       via  e26e86dcaa2b35d7e6500c088d4f2afba4c4ddd8 (commit)
       via  56947acb12176f397cbd5078c5544cdc4f19b27b (commit)
       via  1ececb67a1f83dd931e31d66893893ce542d0814 (commit)
       via  025d8e63185e49d252ee6abb37008c8e5c26bf6b (commit)
      from  f1042a5d4401ff6feb16eb18f1fcd48936e8c878 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit beac5489627eafefcc6dd3adabfd1c74ffacc4d0
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Mar 11 15:58:45 2019 +0000
Update list of contributors
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e26e86dcaa2b35d7e6500c088d4f2afba4c4ddd8
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Mar 11 15:58:04 2019 +0000
core129: Ship updated dnsforward.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 56947acb12176f397cbd5078c5544cdc4f19b27b
Merge: f1042a5d4 1ececb67a
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Mon Mar 11 15:57:15 2019 +0000
Merge remote-tracking branch 'ms/dns-forwarding' into next
commit 1ececb67a1f83dd931e31d66893893ce542d0814
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Mar 5 16:58:29 2019 +0000
unbound: Mark domains as insecure from DNS forwarding
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 025d8e63185e49d252ee6abb37008c8e5c26bf6b
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Mar 5 16:10:17 2019 +0000
DNS Forwarding: Add UI to Allow to disable DNSSEC for a zone
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/129/filelists/files |  2 ++
 doc/language_issues.en                    |  2 ++
 doc/language_issues.es                    |  2 ++
 doc/language_issues.fr                    |  2 ++
 doc/language_issues.it                    |  2 ++
 doc/language_issues.nl                    |  2 ++
 doc/language_issues.pl                    |  2 ++
 doc/language_issues.ru                    |  2 ++
 doc/language_issues.tr                    |  2 ++
 doc/language_missings                     | 14 +++++++++++
 html/cgi-bin/credits.cgi                  |  3 ++-
 html/cgi-bin/dnsforward.cgi               | 40 +++++++++++++++++++++++++++----
 langs/de/cgi-bin/de.pl                    |  2 ++
 langs/en/cgi-bin/en.pl                    |  2 ++
 src/initscripts/system/unbound            |  9 +++++--
 15 files changed, 81 insertions(+), 7 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/129/filelists/files b/config/rootfiles/core/129/filelists/files index 3ab81b796..8e040cbbb 100644 --- a/config/rootfiles/core/129/filelists/files +++ b/config/rootfiles/core/129/filelists/files @@ -4,8 +4,10 @@ var/ipfire/langs etc/rc.d/init.d/firewall etc/rc.d/init.d/network etc/rc.d/init.d/networking/red.up/50-ipsec +etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/netovpnsrv.cgi srv/web/ipfire/cgi-bin/proxy.cgi diff --git a/doc/language_issues.en b/doc/language_issues.en index 4af86025f..5a3012207 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -606,6 +606,8 @@ WARNING: untranslated string: dns desc = If the red0 interface gets the IP addre WARNING: untranslated string: dns error 0 = The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid. WARNING: untranslated string: dns error 01 = The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries! WARNING: untranslated string: dns error 1 = The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid. +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns header = Assign DNS server addresses only for DHCP on red0 WARNING: untranslated string: dns list = List of free public DNS servers WARNING: untranslated string: dns menu = Assign DNS-Server diff --git a/doc/language_issues.es b/doc/language_issues.es index d1a593566..d8b49f918 100644 
--- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -778,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.fr b/doc/language_issues.fr index ded039f5a..37b43569c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -772,6 +772,8 @@ WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 7c465aae6..c2b0b2327 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -798,6 +798,8 @@ WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: eight hours = 8 Hours diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 2ed6e3d85..46d923fe5 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -801,6 +801,8 @@ WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec aware = DNSSEC Aware diff --git a/doc/language_issues.pl b/doc/language_issues.pl index d1a593566..d8b49f918 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -778,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 2f0b4d9e8..1286bcd87 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -782,6 +782,8 @@ WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: disk access per = Disk Access per WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c6fb9f255..0e95d6045 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -775,6 +775,8 @@ WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string diff --git a/doc/language_missings b/doc/language_missings index 4d0499960..12ef6e673 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -210,9 +210,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -803,6 +805,8 @@ ############################################################################ < cryptographic settings < default IP address +< dns forward disable dnssec +< dns forwarding dnssec disabled notice < interface mode < invalid input for interface address < invalid input for interface mode @@ -898,7 +902,9 @@ < dhcp dns update algo < dhcp dns update secret < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec disabled warning < eight hours < email config @@ -1141,7 +1147,9 @@ < dh name is invalid < dh parameter < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec aware < dnssec disabled warning < dnssec information 
@@ -1501,9 +1509,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -2235,9 +2245,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -2820,7 +2832,9 @@ < cryptographic settings < crypto warning < default IP address +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < fwdfw all subnets < interface mode < invalid input for interface address diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 6770cc5a4..e687c9559 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -92,10 +92,10 @@ Ronald Wiesinger, Stephan Feddersen, Justin Luth, Michael Eitelwein, +Stéphane Pautrel, Bernhard Bitsch, Dominik Hassler, Larsen, -Stéphane Pautrel, Gabriel Rolland, Anton D. Seliverstov, Bernhard Bittner, @@ -105,6 +105,7 @@ Jakub Ratajczak, Jorrit de Jonge, Jörn-Ingo Weigert, Przemek Zdroik, +Alexander Koch, Alexander Rudolf Gruber, Andrew Bellows, Axel Gembe, diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 0439817b9..d9807c90e 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -52,6 +52,7 @@ $cgiparams{'ACTION'} = ''; $cgiparams{'ZONE'} = ''; $cgiparams{'FORWARD_SERVERS'} = ''; $cgiparams{'REMARK'} =''; +$cgiparams{'DISABLE_DNSSEC'} = 'off'; &Header::getcgihash(%cgiparams); open(FILE, $filename) or die 'Unable to open config file.'; my @current = <FILE>; @@ -76,6 +77,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) } }
+ if ($cgiparams{'DISABLE_DNSSEC'} !~ /^(on|off)?$/) { + $errormessage = $Lang::tr{'invalid input'}; + } + # Go further if there was no error. if ( ! $errormessage) { @@ -85,11 +90,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) # Check if a remark has been entered. $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+ # Set to off if not enabled + if (!$cgiparams{'DISABLE_DNSSEC'}) { + $cgiparams{'DISABLE_DNSSEC'} = "off"; + } + # Check if we want to edit an existing or add a new entry. if($cgiparams{'EDITING'} eq 'no') { open(FILE,">>$filename") or die 'Unable to open config file.'; flock FILE, 2; - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { open(FILE, ">$filename") or die 'Unable to open config file.'; flock FILE, 2; @@ -98,7 +108,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) { $id++; if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { print FILE "$line"; } } } @@ -151,7 +161,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { chomp($line); my @temp = split(/,/,$line); - print FILE "$cgiparams{'ENABLE'},$temp[1],$temp[2],$temp[3]\n"; + + $temp[0] = $cgiparams{'ENABLE'}; + + print FILE join(",", @temp) . "\n"; } } close(FILE); @@ -176,6 +189,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) $cgiparams{'ZONE'} = $temp[1]; $cgiparams{'FORWARD_SERVERS'} = join(",", split(/|/, $temp[2])); $cgiparams{'REMARK'} = $temp[3]; + $cgiparams{'DISABLE_DNSSEC'} = $temp[4]; } } } @@ -184,6 +198,10 @@ $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'";
+$checked{'DISABLE_DNSSEC'}{'off'} = ''; +$checked{'DISABLE_DNSSEC'}{'on'} = ''; +$checked{'DISABLE_DNSSEC'}{$cgiparams{'DISABLE_DNSSEC'}} = "checked='checked'"; + &Header::openpage($Lang::tr{'dnsforward configuration'}, 1, '');
&Header::openbigbox('100%', 'left', '', $errormessage); @@ -230,6 +248,10 @@ print <<END <td width ='20%' class='base'>$Lang::tr{'remark'}:</td> <td><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='40' maxlength='50' /></td> </tr> + <tr> + <td width ='20%' class='base'>$Lang::tr{'dns forward disable dnssec'}:</td> + <td><input type='checkbox' name='DISABLE_DNSSEC' $checked{'DISABLE_DNSSEC'}' /></td> + </tr> </table> <br> <hr> @@ -291,13 +313,19 @@ foreach my $line (@current) my $gif = ''; my $gdesc = ''; my $toggle = ''; + my $notice = "";
# Format lists of servers my $servers = join(", ", split(/|/, $temp[2]));
+ my $disable_dnssec = $temp[4]; + if($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { print "<tr>"; $col="bgcolor='${Header::colouryellow}'"; } + elsif ($disable_dnssec eq 'on') { + print "<tr>"; + $col="bgcolor='${Header::colourred}' style='color: white'"; } elsif ($id % 2) { print "<tr>"; $col="bgcolor='$color{'color22'}'"; } @@ -308,11 +336,15 @@ foreach my $line (@current) if ($temp[0] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} else { $gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; }
+ if ($disable_dnssec eq "on") { + $notice = $Lang::tr{'dns forwarding dnssec disabled notice'}; + } + ### # Display edit page. # print <<END - <td align='center' $col>$temp[1]</td> + <td align='center' $col>$temp[1] $notice</td> <td align='center' $col>$servers</td> <td align='center' $col>$temp[3]</td> <td align='center' $col> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cf33567a1..ce7090c39 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -805,6 +805,8 @@ 'dns error 0' => 'Die IP Adresse vom <strong>primären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>sekundären</strong> DNS Server Adresse ist jedoch gültig.<br />', 'dns error 01' => 'Die eingegebene IP Adresse des <strong>primären</strong> wie auch des <strong>sekundären</strong> DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom <strong>sekundären</strong> DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!<br />Die eingegebene <strong>primäre</strong> DNS Server Adresse ist jedoch gültig.', +'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', +'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', 'dns list' => 'Liste von freien öffentlichen DNS Servern', 'dns menu' => 'DNS-Server zuweisen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4f4b4d9c1..7697dc202 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -832,6 +832,8 @@ 'dns error 0' => 'The IP address of the <strong>primary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>secondary</strong> DNS server address is valid.', 'dns error 01' => 'The entered IP address of the <strong>primary</strong> and <strong>secondary</strong> DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the <strong>secondary</strong> DNS server is not valid, please check your entries!<br />The entered <strong>primary</strong> DNS server address is valid.', +'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', +'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', 'dns list' => 'List of free public DNS servers', 'dns menu' => 'Assign DNS-Server', diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 2ef994e96..af9bcef73 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -197,8 +197,8 @@ write_forward_conf() {
local insecure_zones="${INSECURE_ZONES}"
- local enabled zone server servers remark - while IFS="," read -r enabled zone servers remark; do + local enabled zone server servers remark disable_dnssec rest + while IFS="," read -r enabled zone servers remark disable_dnssec rest; do # Line must be enabled. [ "${enabled}" = "on" ] || continue
@@ -208,6 +208,11 @@ write_forward_conf() { *.local) insecure_zones="${insecure_zones} ${zone}" ;; + *) + if [ "${disable_dnssec}" = "on" ]; then + insecure_zones="${insecure_zones} ${zone}" + fi + ;; esac
# Reverse-lookup zones must be stubs
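Review bot: The DISABLE_DNSSEC check added in html/cgi-bin/dnsforward.cgi (hunk @@ -76,6 +77,10 @@) anchors its pattern with $, which in Perl also matches just before a trailing newline, so a submitted value of "on" followed by a newline passes validation and is later printed verbatim into the comma-separated config line. Anchor the end with \z instead, i.e. /^(on|off)?\z/, so only the exact strings "on", "off" or empty are accepted.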
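Review bot: $cgiparams{'DISABLE_DNSSEC'} = $temp[4] in the edit branch of html/cgi-bin/dnsforward.cgi (hunk @@ -176,6 +189,7 @@) assumes every stored line has a fifth field, but the print statements this patch replaces wrote only four (ending at REMARK), so $temp[4] is undefined for entries created before the change. That undefined value is then used as the key in $checked{'DISABLE_DNSSEC'}{...} and, in the list view, compared with eq as $disable_dnssec. Give it an explicit default where it is read, for example $temp[4] || 'off', in both places.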
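Review bot: The new checkbox row in html/cgi-bin/dnsforward.cgi (hunk @@ -230,6 +248,10 @@) interpolates $checked{'DISABLE_DNSSEC'}' into the input tag, which refers to the inner hash rather than one of its entries and leaves a stray single quote behind it. The hash is filled with 'on' and 'off' keys a few lines earlier, so the attribute should be $checked{'DISABLE_DNSSEC'}{'on'} with no trailing quote. As written the box cannot come back ticked when an entry with DNSSEC disabled is opened for editing, so saving that entry again changes the setting without the admin having touched it.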
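Review bot: The German label added in langs/de/cgi-bin/de.pl, 'DNSSEC deaktivieren (nicht empfohlen)', says "not recommended", while the English one in langs/en/cgi-bin/en.pl says 'Disable DNSSEC (dangerous)'. This label is the only warning shown next to the checkbox in the form, so the two should carry the same strength, for example '(gefährlich)' in de.pl.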
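Review bot: In write_forward_conf() in src/initscripts/system/unbound, the changed read line takes disable_dnssec purely by position, as the fifth comma-separated field directly after remark, so a comma inside a remark would shift the tail of the remark into disable_dnssec, and a tail of exactly "on" would add the zone to insecure_zones. The CGI code visible in this patch only passes REMARK through Header::cleanhtml before writing it; reject commas in REMARK there (or strip them) so the field count is fixed. A one-line comment above the new *) branch stating that zones added to insecure_zones are not DNSSEC-validated would also help the next reader of the script.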
hooks/post-receive -- IPFire 2.x development tree