dns/bind: Fixup and feature expansion
Updates dns/bind with the following fixes and feature expansions:
a) Fixes zone_test
b) Fixes command truncation in grid-primary-domains
c) General tab help expansion and reformatting
d) General tab option grouping
e) Converts NetworkType to ACLs where BIND uses Address Match Lists
f) Reformats named.conf (spacing and layout)
g) Adds listen-on-v6 { none; } when IPv6 is disabled (likely superfluous)
h) Adds other rate-limiting options
i) Adds recursion no; option for authoritative servers
j) Adds allow-query-cache option as this also controls recursion
k) Adds global forward only option to forwarders
l) Adds forward only option to forward zones
m) Edit Forward zone dialog help expansion and reformatting
First cut, some more to do...
As mentioned in #4887 I wanted to make the builtin ACLs available, i.e. none, any, localhost and localnets.
Those ACLs could then be selected in the other tabs as needed - notably in General.
My initial thought was to overload the NetworkField type.
However, an alternative might be to expand the model at mvc/app/models/OPNsense/Bind/Acl.xml...
Is it possible to add static entries to the TextField type? Is there an example somewhere?
I would then ignore these in named.conf (as they are builtin ACLs).
iinm, the builtin ACLs would then become available to select in the ModelRelationField dropdowns.
Just doing some tidy up of the form(s) - mostly grouping and semantics - before diffing to extend the existing migration script at mvc/app/models/OPNsense/Bind/Migrations/M1_1_0.php. Will that run automagically on upgrade?
My thoughts were that once the model is updated, the generated config will be updated accordingly.
Does the migration script handle all those mechanics, i.e. does it run then apply / save on success, updating named.conf...?
I'd prefer to keep this squashed but can split it up if needed.
cc: @fichtner @mimugmail
The following appears to be an orphan:
https://github.com/opnsense/plugins/blob/fb9748c06d9ae120016e88ed0b8dd1b418d20abe/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml#L14-L17
Absent objection, I might as well clean it up...
Ok, I'm done with the form work.
I added forward only options, both globally and in forward zones too (per #4890).
I drew the line at adding DNSSEC zone signing for primary and secondary zones. Maybe later....
TODO:
- Access to builtin ACLs - none, any, localhost and localnets
- Migration script
- Splitting this PR as necessary
8^d
Split into PR #4893:
a) Fixes zone_test
b) Fixes command truncation in grid-primary-domains
Have force-pushed a semantic edit to:
dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
Split into PR #4894:
k) Adds global forward only option to forwarders
l) Adds forward only option to forward zones
m) Edit Forward zone dialog help expansion and reformatting
Split into PR #4897:
i) Adds recursion no; option for authoritative servers
j) Adds allow-query-cache option as this also controls recursion
Split into PR #4901:
h) Adds other rate-limiting options
Ok, the features and fixes have been split into new PRs. I avoided model migrations that might cause backwards compatibility issues.
I'll now work on other draft PRs to:
- Upgrade ACLs to be able to use builtin ACLs (none, any, localhost and localnets) in other tabs
- Migrate from IP Lists to ACLs (NetworkField type to ModelRelationField type) where relevant (General tab)
- Migrate the id for some fields to improve mnemonic semantics (General tab)
- Update migration script to facilitate above
- Implement further option grouping (General tab)
- Update help - including minor corrections (General tab)
- Reformat named.conf (spacing and layout)
- Adds listen-on-v6 { none; } to named.conf when IPv6 is disabled (likely superfluous)
- Remove enablerpz orphan from General model
- Bump model revision(s)
Edit: I think I'll split item (1). I would welcome advice as to whether I should split any other items out on their own. I see some value and relevance in keeping them squashed.
Here's a screen grab showing the General tab, sans help (click to zoom):
When done, I will drop a pic of the proposed ACL tab.
Edit: Ok so I've split a bit off... And added a missing part...
I've made some progress on making the builtin ACLs available. Had to pause to take care of a couple of other things... Of relevance here is this PR: https://github.com/acmesh-official/acme.sh/pull/6492
I've raised PR #4926 to add the builtin ACLs. If/when that passes review I'll look at the migration work. 8^d
@fichtner @mimugmail
Just wondering what you might need from me to move this series forward. The relevant PRs are:
- #4894
- #4897
- #4901
- #4926
Did you want me to do the migration work first? I had intended to include some orphan cleanup etc. with a subsequent bump after the above merged...
Let me know.
Cheers, Ben