Feature #16444 » granular-serve-expire-unbound-pfsense.patch

Compatible with the removal of the "drop old queries" patch in newer pfSense code. - Chris Collins, 09/23/2025 11:52 PM


/etc/inc/unbound.inc 2025-09-21 20:35:22.638223000 +0100
376 376
       $harden_dnssec_stripped = isset($unboundcfg['dnssecstripped']) ? "yes" : "no";
377 377
       $prefetch = isset($unboundcfg['prefetch']) ? "yes" : "no";
378 378
       $prefetch_key = isset($unboundcfg['prefetchkey']) ? "yes" : "no";
379
       $dns_record_cache = isset($unboundcfg['dnsrecordcache']) ? "yes" : "no";
379
        if (is_null($unboundcfg['dnsrecordcache']) || ($unboundcfg['dnsrecordcache'] == '0')) {
380
                $dns_record_cache = "no";
381
        } else {
382
                $dns_record_cache = "yes";
383
        }
384
        if ($unboundcfg['dnsrecordcache'] == '1') {
385
                $dns_record_cache_ttl = "serve-expired-client-timeout: 0";
386
        }
380 387
       $sock_queue_timeout = empty($unboundcfg['sock_queue_timeout']) ? '0' : $unboundcfg['sock_queue_timeout'];
381 388
       $aggressivensec = isset($unboundcfg['aggressivensec']) ? "yes" : "no";
382 389
       $outgoing_num_tcp = isset($unboundcfg['outgoing_num_tcp']) ? $unboundcfg['outgoing_num_tcp'] : "10";
......
531 538
prefetch-key: {$prefetch_key}
532 539
use-caps-for-id: {$use_caps}
533 540
serve-expired: {$dns_record_cache}
541
{$dns_record_cache_ttl}
534 542
# Not supported on FreeBSD. See https://redmine.pfsense.org/issues/16299
535 543
# sock-queue-timeout: {$sock_queue_timeout}
536 544
aggressive-nsec: {$aggressivensec}
537 545

  
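Review bot: `$dns_record_cache_ttl` is only assigned inside the `== '1'` branch (new lines 384-386), so for modes 0 and 2 the template line `{$dns_record_cache_ttl}` added at new line 541 interpolates an undefined variable (a warning from the config generator and a stray empty line in unbound.conf); likewise `is_null($unboundcfg['dnsrecordcache'])` at new line 379 raises an undefined-array-key warning when the key was never saved, which the `isset()` it replaces did not. Both go away by reading the mode once with a default and deriving the two strings from it: `$dns_record_cache_mode = $unboundcfg['dnsrecordcache'] ?? '0';` `$dns_record_cache = ($dns_record_cache_mode == '0') ? "no" : "yes";` `$dns_record_cache_ttl = ($dns_record_cache_mode == '1') ? "serve-expired-client-timeout: 0" : "";`. The loose `==` is kept on purpose so a legacy boolean `true` written by the previous checkbox still maps to mode 1. A comment above it would spare the next reader a trip to the form page, e.g. `// dnsrecordcache: 0 = serve-expired off, 1 = serve stale immediately (client-timeout 0), 2 = serve-expired with unbound's own client-timeout default (appears to be the RFC 8767 option)`. The enclosing function starts and ends outside the hunk.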
538
-- /usr/local/www/services_unbound_advanced.php       2025-09-21 19:05:38.754169000 +0100
546
++ /usr/local/www/services_unbound_advanced.php 2025-09-21 20:43:39.841217000 +0100
......
49 49
$pconfig['prefetch'] = config_path_enabled('unbound', 'prefetch');
50 50
$pconfig['prefetchkey'] = config_path_enabled('unbound', 'prefetchkey');
51 51
$pconfig['dnssecstripped'] = config_path_enabled('unbound', 'dnssecstripped');
52
$pconfig['dnsrecordcache'] = config_path_enabled('unbound', 'dnsrecordcache');
52
$pconfig['dnsrecordcache'] = config_get_path('unbound/dnsrecordcache', 0);
53 53
$pconfig['sock_queue_timeout'] = config_get_path('unbound/sock_queue_timeout', 0);
54 54
$pconfig['aggressivensec'] = config_path_enabled('unbound', 'aggressivensec');
55 55

  
......
173 173
                       } else {
174 174
                               config_del_path('unbound/dnssecstripped');
175 175
                       }
176
                       if (isset($_POST['dnsrecordcache'])) {
177
                               config_set_path('unbound/dnsrecordcache', true);
178
                       } else {
179
                               config_del_path('unbound/dnsrecordcache');
180
                       }
176
                       config_set_path('unbound/dnsrecordcache', $_POST['dnsrecordcache']);
181 177
                       config_set_path('unbound/sock_queue_timeout', $_POST['sock_queue_timeout']);
182 178
                       if (isset($_POST['aggressivensec'])) {
183 179
                               config_set_path('unbound/aggressivensec', true);
......
315 311
       $pconfig['dnssecstripped']
316 312
))->setHelp('If such data is absent, the zone becomes bogus. If Disabled and no DNSSEC data is received, then the zone is made insecure. Requires DNSSEC enabled. ');
317 313

  
318
$section->addInput(new Form_Checkbox(
314
$section->addInput(new Form_Select(
319 315
       'dnsrecordcache',
320 316
       'Serve Expired',
321
       'Serve cache records even with TTL of 0',
322
       $pconfig['dnsrecordcache']
323
))->setHelp('When enabled, allows unbound to serve one query even with a TTL of 0, if TTL is 0 then new record will be requested in the background when the cache is served to ensure cache is updated without latency on service of the DNS request.');
317
       $pconfig['dnsrecordcache'],
318
       array_combine(array("0", "1", "2"), array("Off: Unbound Default", "Serve Expired/Stale - Old behaviour", "Serve Stale - RFC8767"))
319
))->setHelp('When enabled, allows unbound cache to serve one query even with a TTL of 0, if TTL is 0 then new record will be requested in the background when the cache is served to ensure cache is updated without latency on service of the DNS request.');
324 320

  
325 321
/* Not supported on FreeBSD. See https://redmine.pfsense.org/issues/16299
326 322
$section->addInput(new Form_Input(
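Review bot: `config_set_path('unbound/dnsrecordcache', $_POST['dnsrecordcache']);` at new line 176 persists the raw POST value without checking it is one of the three option keys the select offers ("0", "1", "2"), and indexes `$_POST` without `isset()`, so a request lacking the field stores null with a warning. Downstream (unbound.inc in this same patch) the value is only compared, so an unexpected string ends up as `serve-expired: yes` with no client timeout rather than being written into unbound.conf verbatim, but config.xml should still only hold known values; validate it alongside the page's other input checks (outside this hunk) with `if (!in_array($_POST['dnsrecordcache'] ?? '', ['0', '1', '2'], true)) { $input_errors[] = gettext("Invalid Serve Expired value."); }`. The new `config_get_path('unbound/dnsrecordcache', 0)` in the first hunk returns boolean `true` for configs saved by the old checkbox; whether `Form_Select` matches that against the "1" option key should be confirmed, otherwise an upgraded install reloads the page with the wrong option preselected. As a matter of style, `array_combine(array("0", "1", "2"), array(...))` in the last hunk reads more clearly as a literal map, `['0' => 'Off: Unbound Default', '1' => 'Serve Expired/Stale - Old behaviour', '2' => 'Serve Stale - RFC8767']`.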