Project

General

Profile

Download (4.12 KB)

Feature #16444 » granular-serve-expire-unbound-pfsense.patch

compatible with removal of drop old queries patch in newer pfsense code. - Chris Collins, 09/23/2025 11:52 PM

View differences:

/etc/inc/unbound.inc 2025-09-21 20:35:22.638223000 +0100
376 376 
       $harden_dnssec_stripped = isset($unboundcfg['dnssecstripped']) ? "yes" : "no";
377 377 
       $prefetch = isset($unboundcfg['prefetch']) ? "yes" : "no";
378 378 
       $prefetch_key = isset($unboundcfg['prefetchkey']) ? "yes" : "no";
379 
       $dns_record_cache = isset($unboundcfg['dnsrecordcache']) ? "yes" : "no";
379 
        if (is_null($unboundcfg['dnsrecordcache']) || ($unboundcfg['dnsrecordcache'] == '0')) {
380 
                $dns_record_cache = "no";
381 
        } else {
382 
                $dns_record_cache = "yes";
383 
        }
384 
        if ($unboundcfg['dnsrecordcache'] == '1') {
385 
                $dns_record_cache_ttl = "serve-expired-client-timeout: 0";
386 
        }
380 387 
       $sock_queue_timeout = empty($unboundcfg['sock_queue_timeout']) ? '0' : $unboundcfg['sock_queue_timeout'];
381 388 
       $aggressivensec = isset($unboundcfg['aggressivensec']) ? "yes" : "no";
382 389 
       $outgoing_num_tcp = isset($unboundcfg['outgoing_num_tcp']) ? $unboundcfg['outgoing_num_tcp'] : "10";
......
531 538 
prefetch-key: {$prefetch_key}
532 539 
use-caps-for-id: {$use_caps}
533 540 
serve-expired: {$dns_record_cache}
541 
{$dns_record_cache_ttl}
534 542 
# Not supported on FreeBSD. See https://redmine.pfsense.org/issues/16299
535 543 
# sock-queue-timeout: {$sock_queue_timeout}
536 544 
aggressive-nsec: {$aggressivensec}
537 545 

  		




  538
  
  
    
-- /usr/local/www/services_unbound_advanced.php       2025-09-21 19:05:38.754169000 +0100


  		




  
  546
  
    
++ /usr/local/www/services_unbound_advanced.php 2025-09-21 20:43:39.841217000 +0100


  		




  ......




  49
  49
  
    
$pconfig['prefetch'] = config_path_enabled('unbound', 'prefetch');


  		




  50
  50
  
    
$pconfig['prefetchkey'] = config_path_enabled('unbound', 'prefetchkey');


  		




  51
  51
  
    
$pconfig['dnssecstripped'] = config_path_enabled('unbound', 'dnssecstripped');


  		




  52
  
  
    
$pconfig['dnsrecordcache'] = config_path_enabled('unbound', 'dnsrecordcache');


  		




  
  52
  
    
$pconfig['dnsrecordcache'] = config_get_path('unbound/dnsrecordcache', 0);


  		




  53
  53
  
    
$pconfig['sock_queue_timeout'] = config_get_path('unbound/sock_queue_timeout', 0);


  		




  54
  54
  
    
$pconfig['aggressivensec'] = config_path_enabled('unbound', 'aggressivensec');


  		




  55
  55
  
    

  		




  ......




  173
  173
  
    
                       } else {


  		




  174
  174
  
    
                               config_del_path('unbound/dnssecstripped');


  		




  175
  175
  
    
                       }


  		




  176
  
  
    
                       if (isset($_POST['dnsrecordcache'])) {


  		




  177
  
  
    
                               config_set_path('unbound/dnsrecordcache', true);


  		




  178
  
  
    
                       } else {


  		




  179
  
  
    
                               config_del_path('unbound/dnsrecordcache');


  		




  180
  
  
    
                       }


  		




  
  176
  
    
                       config_set_path('unbound/dnsrecordcache', $_POST['dnsrecordcache']);


  		




  181
  177
  
    
                       config_set_path('unbound/sock_queue_timeout', $_POST['sock_queue_timeout']);


  		




  182
  178
  
    
                       if (isset($_POST['aggressivensec'])) {


  		




  183
  179
  
    
                               config_set_path('unbound/aggressivensec', true);


  		




  ......




  315
  311
  
    
       $pconfig['dnssecstripped']


  		




  316
  312
  
    
))->setHelp('If such data is absent, the zone becomes bogus. If Disabled and no DNSSEC data is received, then the zone is made insecure. Requires DNSSEC enabled. ');


  		




  317
  313
  
    

  		




  318
  
  
    
$section->addInput(new Form_Checkbox(


  		




  
  314
  
    
$section->addInput(new Form_Select(


  		




  319
  315
  
    
       'dnsrecordcache',


  		




  320
  316
  
    
       'Serve Expired',


  		




  321
  
  
    
       'Serve cache records even with TTL of 0',


  		




  322
  
  
    
       $pconfig['dnsrecordcache']


  		




  323
  
  
    
))->setHelp('When enabled, allows unbound to serve one query even with a TTL of 0, if TTL is 0 then new record will be requested in the background when the cache is served to ensure cache is updated without latency on service of the DNS request.');


  		




  
  317
  
    
       $pconfig['dnsrecordcache'],


  		




  
  318
  
    
       array_combine(array("0", "1", "2"), array("Off: Unbound Default", "Serve Expired/Stale - Old behaviour", "Serve Stale - RFC8767"))


  		




  
  319
  
    
))->setHelp('When enabled, allows unbound cache to serve one query even with a TTL of 0, if TTL is 0 then new record will be requested in the background when the cache is served to ensure cache is updated without latency on service of the DNS request.');


  		




  324
  320
  
    

  		




  325
  321
  
    
/* Not supported on FreeBSD. See https://redmine.pfsense.org/issues/16299


  		




  326
  322
  
    
$section->addInput(new Form_Input(

  		















  (1-1/3)