Diffstat (limited to 'config')
-rw-r--r--config/bind/bind.inc164
-rw-r--r--config/bind/bind.xml29
-rw-r--r--config/bind/bind_zones.xml27
3 files changed, 171 insertions, 49 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 66b16464..167f0af3 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -56,16 +56,6 @@ function bind_zone_validate($post, &$input_errors)
}
switch ($_POST['type']) {
- case 'slave':
- if ($_POST['slaveip'] == "") {
- $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.';
- }
- break;
- case 'forward':
- if ($_POST['forwarders'] == "") {
- $input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
- }
- break;
case 'redirect':
$_POST['tll'] = 300;
$_POST['refresh'] = 0;
@@ -76,7 +66,8 @@ function bind_zone_validate($post, &$input_errors)
if ($_POST['mail'] == '') {
$input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones.";
}
- default:
+ // Intentionally fall through to 'master' zone case
+ case 'master':
if ($_POST['nameserver'] == '') {
$input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones.";
}
@@ -106,6 +97,18 @@ function bind_zone_validate($post, &$input_errors)
}
}
break;
+ case 'slave':
+ if ($_POST['slaveip'] == "") {
+ $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.';
+ }
+ break;
+ case 'forward':
+ if ($_POST['forwarders'] == "") {
+ $input_errors[] = 'The field \'Forwarders\' is required for forward zones.';
+ }
+ break;
+ default:
+ break;
}
}
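Review bot: The re-added `slave` and `forward` cases still only test for an empty string, although `slaveip` and `forwarders` are later written verbatim into named.conf (`masters { $zoneipslave; };` in a later hunk), so a typo in either field produces a configuration named refuses to load instead of a form error. If `slaveip` holds a single address, `if (!is_ipaddr($_POST['slaveip'])) { $input_errors[] = 'Master Zone IP must be a valid IP address.'; }` using pfSense's `is_ipaddr()` helper would catch that at submit time; if it may hold a list, check each entry the same way. The new `default: break;` also means a zone with an unrecognised type now passes validation with no checks at all, where the old `default:` at least ran the name-server checks; that is probably intended since `type` comes from a select, but worth confirming. bind_zone_validate's body continues outside the hunk.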
@@ -128,7 +131,6 @@ function bind_sync()
if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense")) {
$rndc_conf = file(BIND_LOCALBASE."/etc/rndc-confgen.pfsense");
$confgen = "rndc.conf";
- $rndc_bindconf = "";
foreach ($rndc_conf as $line) {
if ($confgen == "rndc.conf") {
if (!preg_match("/^#/", $line)) {
@@ -154,10 +156,12 @@ function bind_sync()
$hide_version = $bind['bind_hide_version'];
$bind_notify = $bind['bind_notify'];
$custom_options = base64_decode($bind['bind_custom_options']);
+ $bind_global_settings = base64_decode($bind['bind_global_settings']);
$bind_logging = $bind['bind_logging'];
$bind_conf = "#Bind pfsense configuration\n";
$bind_conf .= "#Do not edit this file!!!\n\n";
$bind_conf .= "$rndc_bindconf\n";
+ $bind_conf .= "$bind_global_settings\n";
$bind_conf .= <<<EOD
options {
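Review bot: `$bind['bind_global_settings']` on the added line is read without an `isset()` guard, so configurations saved before this field existed raise an undefined-index notice on every sync; `$bind_global_settings = isset($bind['bind_global_settings']) ? base64_decode($bind['bind_global_settings']) : '';` avoids it. The same applies to the new `$zone['reversv6o']`, `$zone['updatepolicy']` and `$zone['enable_updatepolicy']` reads in the zone hunks and to `$bind['bind_ip_version']` in bind_write_rcfile. Since the decoded text is emitted unchanged at the top level of named.conf ahead of `options {`, a comment such as `// admin-supplied top-level named.conf statements; emitted verbatim before the options block` next to the assignment would make that placement explicit. bind_sync continues outside the hunk.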
@@ -208,23 +212,23 @@ EOD;
$bind_listenon = ($bind_listenon == "" ? "none;" : $bind_listenon);
// print "<PRE>$bind_listenonv6 $bind_listenon";
if (array_key_exists("ipv6allow", $config['system'])) {
- $bind_conf .= "\t\tlisten-on-v6 { $bind_listenonv6 };\n";
+ $bind_conf .= "\tlisten-on-v6 { $bind_listenonv6 };\n";
}
$bind_conf .= "\tlisten-on { $bind_listenon };\n";
// forwarder config
if ($bind_forwarder == 'on') {
- $bind_conf .= "\t\tforwarders { $forwarder_ips };\n";
+ $bind_conf .= "\tforwarders { $forwarder_ips };\n";
}
if ($bind_notify == 'on') {
- $bind_conf .= "\t\tnotify yes;\n";
+ $bind_conf .= "\tnotify yes;\n";
}
if ($hide_version == 'on') {
- $bind_conf .= "\t\tversion none;\n";
+ $bind_conf .= "\tversion none;\n";
}
$bind_conf .= preg_replace("/^/m", "\t", $custom_options);
- $bind_conf .= "\n\t};\n\n";
+ $bind_conf .= "\n};\n\n";
if ($bind_logging == 'on') {
//check if bind is included on syslog
@@ -258,13 +262,14 @@ logging {
EOD;
foreach ($log_categories as $category) {
- $bind_conf .= "\t\t\tcategory $category\t{custom;};\n";
+ $bind_conf .= "\tcategory $category { custom; };\n";
}
- $bind_conf .= "\t\t};\n\n";
+ $bind_conf .= "};";
}
} else {
- $bind_conf .= "\t\tlogging { category default { null; }; };\n\n";
+ $bind_conf .= "logging { category default { null; }; };";
}
+ $bind_conf .= "\n\n";
// Config Zone domain
@@ -317,11 +322,14 @@ EOD;
}
$viewcustomoptions = base64_decode($views['bind_custom_options']);
- $bind_conf .= "view \"$viewname\" { \n\n";
+ $bind_conf .= "view \"$viewname\" { \n";
$bind_conf .= "\trecursion $viewrecursion;\n";
$bind_conf .= "\tmatch-clients { $viewmatchclients; };\n";
$bind_conf .= "\tallow-recursion { $viewallowrecursion; };\n";
- $bind_conf .= "\t$viewcustomoptions\n\n";
+ if (!empty($viewcustomoptions)) {
+ $bind_conf .= preg_replace("/^/m", "\t", $viewcustomoptions)."\n";
+ }
+ $bind_conf .= "\n";
if (is_array($config['installedpackages']['bindzone'])) {
$bindzone = $config['installedpackages']['bindzone']['config'];
@@ -342,37 +350,54 @@ EOD;
$custom_root_zone = true;
}
$zonetype = $zone['type'];
- $zoneview = $zone['view'];
+ $zoneviewlist = explode(',', $zone['view']);
$zonecustom = base64_decode($zone['custom']);
$zoneipslave = $zone['slaveip'];
$zoneforwarders = $zone['forwarders'];
+ if (!empty($zoneforwarders)) {
+ $zoneforwarders = rtrim($zoneforwarders, ';');
+ }
$zonereverso = $zone['reverso'];
+ $zonereversv6o = $zone['reversv6o'];
// Ensure zone view folder exists
- if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) {
- mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview", 0755, true);
+ if ($zonetype != "forward") {
+ foreach ($zoneviewlist as $zoneview) {
+ if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) {
+ mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview", 0755, true);
+ }
+ }
}
- if ($zone['allowupdate'] == '') {
+ if (empty($zone['allowupdate'])) {
$zoneallowupdate = "none";
} else {
$zoneallowupdate = str_replace(',', '; ', $zone['allowupdate']);
}
- if ($zone['allowquery'] == '') {
+ $zoneupdatepolicy = $zone['updatepolicy'];
+ if (!empty($zoneupdatepolicy)) {
+ $zoneupdatepolicy = rtrim($zoneupdatepolicy, ';');
+ }
+ if (empty($zone['allowquery'])) {
$zoneallowquery = "none";
} else {
$zoneallowquery = str_replace(',', '; ', $zone['allowquery']);
}
- if ($zone['allowtransfer'] == '') {
+ if (empty($zone['allowtransfer'])) {
$zoneallowtransfer = "none";
} else {
$zoneallowtransfer = str_replace(',', '; ', $zone['allowtransfer']);
}
- if ($zoneview == $viewname) {
+ if (in_array($viewname, $zoneviewlist)) {
+ $zoneview = $viewname;
// Add zone name
if ($zonereverso == "on") {
- $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n";
+ if ($zonereversv6o == "on") {
+ $bind_conf .= "\tzone \"$zonename.ip6.arpa\" {\n";
+ } else {
+ $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n";
+ }
} else {
$bind_conf .= "\tzone \"$zonename\" {\n";
}
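Review bot: `in_array($viewname, $zoneviewlist)` on the changed line uses loose comparison; pass the strict flag, `in_array($viewname, $zoneviewlist, true)`, so view names are compared as strings only. `$zoneview` is now assigned in two places — as the loop variable of the mkdir `foreach` and again inside the `in_array` branch — so any later use of `$zoneview` outside that branch (not visible here) would see the last list entry rather than the matched view; a comment such as `// $zoneview is only meaningful inside the matching-view branch below` would flag that. The `!empty($zoneforwarders)` guard before `rtrim()` is redundant, since `rtrim('', ';')` is `''`. The enclosing zone loop in bind_sync starts and ends outside the hunk.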
@@ -385,8 +410,27 @@ EOD;
// Add zone statements
switch ($zonetype) {
+ case 'master':
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
+ $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
+ if ($zone['enable_updatepolicy'] == "on") {
+ $bind_conf .= "\t\tupdate-policy { $zoneupdatepolicy; };\n";
+ } else {
+ $bind_conf .= "\t\tallow-update { $zoneallowupdate; };\n";
+ }
+ if ($zone['dnssec'] == "on") {
+ //https://kb.isc.org/article/AA-00626/
+ $bind_conf .= "\n\t\t# look for dnssec keys here:\n";
+ $bind_conf .= "\t\tkey-directory \"/etc/namedb/keys\";\n\n";
+ $bind_conf .= "\t\t# publish and activate dnssec keys:\n";
+ $bind_conf .= "\t\tauto-dnssec maintain;\n\n";
+ $bind_conf .= "\t\t# use inline signing:\n";
+ $bind_conf .= "\t\tinline-signing yes;\n\n";
+ }
+ break;
case 'slave':
$bind_conf .= "\t\tmasters { $zoneipslave; };\n";
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
$bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
$bind_conf .= "\t\tnotify no;\n";
break;
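Review bot: In the new `master` case, `update-policy { $zoneupdatepolicy; };` is emitted whenever `enable_updatepolicy` is on, even when the policy text is empty, which yields `update-policy {  ; };` and a named.conf that named will not load — taking every zone offline, not just this one. bind_zone_validate (earlier hunk) does not check the field either. Fall back to the allow-update branch when the policy is blank, `if ($zone['enable_updatepolicy'] == "on" && !empty($zoneupdatepolicy)) {`, and add a matching required-field error in bind_zone_validate. The switch continues past the end of the hunk.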
@@ -398,20 +442,9 @@ EOD;
$bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n";
$bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n";
$bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n";
+ $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
break;
default:
- $bind_conf .= "\t\tallow-update { $zoneallowupdate; };\n";
- $bind_conf .= "\t\tallow-query { $zoneallowquery; };\n";
- $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer; };\n";
- if ($zone['dnssec'] == "on") {
- //https://kb.isc.org/article/AA-00626/
- $bind_conf .= "\n\t\t# look for dnssec keys here:\n";
- $bind_conf .= "\t\tkey-directory \"/etc/namedb/keys\";\n\n";
- $bind_conf .= "\t\t# publish and activate dnssec keys:\n";
- $bind_conf .= "\t\tauto-dnssec maintain;\n\n";
- $bind_conf .= "\t\t# use inline signing:\n";
- $bind_conf .= "\t\tinline-signing yes;\n\n";
- }
break;
}
@@ -440,10 +473,15 @@ EOD;
$zonenameserver = $zone['nameserver'];
$zoneipns = $zone['ipns'];
$zonereverso = $zone['reverso'];
+ $zonereversv6o = $zone['reversv6o'];
$zone_conf = "\$TTL {$zonetll}\n;\n";
if ($zonereverso == "on") {
- $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n";
+ if ($zonereversv6o == "on") {
+ $zone_conf .= "\$ORIGIN {$zonename}.ip6.arpa.\n\n";
+ } else {
+ $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n";
+ }
} else {
$zone_conf .= "\$ORIGIN {$zonename}.\n\n";
}
@@ -625,6 +663,13 @@ EOD;
$config['installedpackages']['bindzone']['config'][$x]['resultconfig'] = base64_encode($rsconfig);
$write_config++;
break;
+ case 'forward':
+ // forwarder zone does not have a DB file
+ $config['installedpackages']['bindzone']['config'][$x]['resultconfig'] = '';
+ $write_config++;
+ break;
+ default:
+ break;
}
}
}
@@ -704,6 +749,7 @@ function bind_print_javascript_type_zone()
document.iform.tll.disabled = 0;
document.iform.nameserver.disabled = 0;
document.iform.reverso.disabled = 0;
+ document.iform.reversv6o.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
document.iform.backupkeys.disabled = 0;
@@ -715,12 +761,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 0;
document.iform.expire.disabled = 0;
document.iform.minimum.disabled = 0;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 0;
+ document.iform.enable_updatepolicy.disabled = 0;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'slave':
document.iform.slaveip.disabled = 0;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 1;
document.iform.reverso.disabled = 0;
+ document.iform.reversv6o.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
document.iform.backupkeys.disabled = 0;
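Review bot: For `master`, `document.iform.updatepolicy.disabled = 1;` unconditionally disables the policy input regardless of the `enable_updatepolicy` checkbox, and a disabled input is not submitted with the form, so an admin who switches the zone type after ticking the checkbox saves an empty policy. Tie it to the checkbox instead: `document.iform.updatepolicy.disabled = !document.iform.enable_updatepolicy.checked;` (assuming the XML `enablefields` handler does not re-run after this type switch — confirm). bind_print_javascript_type_zone continues outside the hunk.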
@@ -732,12 +783,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 1;
document.iform.expire.disabled = 1;
document.iform.minimum.disabled = 1;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'forward':
document.iform.slaveip.disabled = 1;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 1;
document.iform.reverso.disabled = 1;
+ document.iform.reversv6o.disabled = 1;
document.iform.forwarders.disabled = 0;
document.iform.dnssec.disabled = 1;
document.iform.backupkeys.disabled = 1;
@@ -749,12 +805,17 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 1;
document.iform.expire.disabled = 1;
document.iform.minimum.disabled = 1;
+ document.iform.allowquery.disabled = 1;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
case 'redirect':
document.iform.slaveip.disabled = 1;
document.iform.tll.disabled = 1;
document.iform.nameserver.disabled = 0;
document.iform.reverso.disabled = 1;
+ document.iform.reversv6o.disabled = 1;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 1;
document.iform.backupkeys.disabled = 1;
@@ -766,6 +827,10 @@ function bind_print_javascript_type_zone()
document.iform.retry.disabled = 0;
document.iform.expire.disabled = 0;
document.iform.minimum.disabled = 0;
+ document.iform.allowquery.disabled = 0;
+ document.iform.allowupdate.disabled = 1;
+ document.iform.enable_updatepolicy.disabled = 1;
+ document.iform.updatepolicy.disabled = 1;
break;
default:
break;
@@ -783,12 +848,15 @@ function bind_print_javascript_type_zone2()
function bind_write_rcfile()
{
+ global $config;
+ $bind = $config['installedpackages']['bind']['config'][0];
+ $ip_version = ($bind['bind_ip_version'] ? $bind['bind_ip_version'] : "");
$rc = array();
$BIND_LOCALBASE = "/usr/local";
$rc['file'] = 'named.sh';
$rc['start'] = <<<EOD
- if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ if [ -z "`ps auxw | grep "[n]amed {$ip_version} -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
fi
EOD;
$rc['stop'] = <<<EOD
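Review bot: With the default IP Version setting `$ip_version` is `""`, so the grep pattern on the changed line becomes `[n]amed  -c /etc/namedb/named.conf` with two spaces, while `ps` prints the running process's arguments single-spaced; the pattern never matches, `start` launches a second named and `restart` (next hunk) never kills the old one. Carry the separating space inside the variable and drop it from the heredocs: `$ip_version = (isset($bind['bind_ip_version']) && in_array($bind['bind_ip_version'], array('-4', '-6'), true)) ? ' ' . $bind['bind_ip_version'] : '';` with `[n]amed{$ip_version} -c` and `sbin/named{$ip_version} -c`. The `in_array` whitelist also keeps anything other than the two expected flags out of the generated shell script, and `isset()` avoids the undefined-index notice on configurations saved before the field existed.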
@@ -796,12 +864,12 @@ EOD;
sleep 2
EOD;
$rc['restart'] = <<<EOD
- if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ if [ -z "`ps auxw | grep "[n]amed {$ip_version} -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
else
killall -9 named 2>/dev/null
sleep 3
- {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/
+ {$BIND_LOCALBASE}/sbin/named {$ip_version} -c /etc/namedb/named.conf -u bind -t /cf/named/
fi
EOD;
conf_mount_rw();
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index b64ba256..c24bf351 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -143,6 +143,18 @@
<required/>
</field>
<field>
+ <fielddescr>IP Version</fielddescr>
+ <fieldname>bind_ip_version</fieldname>
+ <description><![CDATA[Select IP transport version.<br>
+ This controls which transports are used when resolving queries.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>IPv4+IPv6</name><value></value></option>
+ <option><name>IPv4</name><value>-4</value></option>
+ <option><name>IPv6</name><value>-6</value></option>
+ </options>
+ </field>
+ <field>
<fielddescr>Listen on</fielddescr>
<fieldname>listenon</fieldname>
<description><![CDATA[Choose the interfaces on which to enable BIND.]]></description>
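Review bot: The description for `bind_ip_version` says the setting controls transports "when resolving queries", but the selected value is passed to named as the process-wide `-4`/`-6` flag (see bind_write_rcfile in bind.inc), which also restricts the addresses it can listen on, so an IPv6 selection silently drops any IPv4 entries chosen under "Listen on". Suggest wording it as `Restrict named to one IP version. This affects both outbound queries and the addresses BIND listens on.`.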
@@ -298,6 +310,23 @@
<rows>5</rows>
<encoding>base64</encoding>
</field>
+ <field>
+ <type>listtopic</type>
+ <name>Global Settings</name>
+ <fieldname>temp01</fieldname>
+ </field>
+ <field>
+ <fielddescr>Global Settings</fielddescr>
+ <fieldname>bind_global_settings</fieldname>
+ <description>
+ <![CDATA[You can put your own global settings here.<br>
+ They'll be added to the configuration. They need to be named.conf native settings.]]>
+ </description>
+ <type>textarea</type>
+ <cols>65</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
</fields>
<custom_php_after_head_command>
</custom_php_after_head_command>
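Review bot: The `bind_global_settings` help text should say where the text ends up: bind_sync writes it verbatim at the top level of named.conf, before the `options { }` block, and nothing visible here validates it, so a syntax error prevents named from starting. Suggest extending the description with `The text is inserted unchanged at the top level of named.conf, before the options block; a syntax error here stops BIND from starting, so verify with named-checkconf after saving.`.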
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index a62c1aaf..c289ddd3 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -154,17 +154,26 @@
<field>
<fielddescr>View</fielddescr>
<fieldname>view</fieldname>
- <description><![CDATA[Select the View that this zone will belong.]]></description>
+ <description><![CDATA[Select(CTRL+click) views that this zone will belong.]]></description>
<type>select_source</type>
<source><![CDATA[$config['installedpackages']['bindviews']['config']]]></source>
<source_name>name</source_name>
<source_value>name</source_value>
+ <multiple/>
+ <size>02</size>
</field>
<field>
<fielddescr>Reverse Zone</fielddescr>
<fieldname>reverso</fieldname>
<description>Enable if this is a reverse zone.</description>
<type>checkbox</type>
+ <enablefields>reversv6o</enablefields>
+ </field>
+ <field>
+ <fielddescr>IPv6 Reverse Zone</fielddescr>
+ <fieldname>reversv6o</fieldname>
+ <description>Enable if this is a IPv6 reverse zone. Reverse Zone must also be enabled.</description>
+ <type>checkbox</type>
</field>
<field>
<fielddescr>Custom Option</fielddescr>
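Review bot: Two wording issues in the new help texts: the View description `Select(CTRL+click) views that this zone will belong.` drops the preposition and should read `Select (CTRL+click) the views this zone will belong to.`, and the IPv6 Reverse Zone description should read `an IPv6 reverse zone`. The latter could also state what the flag changes — the zone name and its $ORIGIN are written under ip6.arpa instead of in-addr.arpa — e.g. `Enable if this is an IPv6 reverse zone (ip6.arpa instead of in-addr.arpa). Reverse Zone must also be enabled.`.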
@@ -305,6 +314,22 @@
<size>03</size>
</field>
<field>
+ <fielddescr>Enable Update-policy</fielddescr>
+ <fieldname>enable_updatepolicy</fieldname>
+ <description><![CDATA[Enable Update-policy which overrides Allow-update.<br>
+ The update-policy statement replaces the allow-update statement.]]></description>
+ <type>checkbox</type>
+ <enablefields>updatepolicy</enablefields>
+ </field>
+ <field>
+ <fielddescr>Update-policy</fielddescr>
+ <fieldname>updatepolicy</fieldname>
+ <description><![CDATA[Update-policy defines the policy for submitting dynamic updates to 'master' zones.<br>
+ Do not include the surrounding { } when using multiple statements]]></description>
+ <type>input</type>
+ <size>75</size>
+ </field>
+ <field>
<fielddescr>Allow-query</fielddescr>
<fieldname>allowquery</fieldname>
<description><![CDATA[Select(CTRL+click) who are allowed to query this zone.<br>