Overzealous zone/domain name compliance checks in Unbound > Query Forwarding
pmhausen opened this issue · 7 comments
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
The UI does not allow the configuration of a query forwarding if the zone name starts with an underscore. Unfortunately this is frequently the case with special Microsoft AD integrated zones - which are in turn prime candidates for query forwarding.
To Reproduce
Navigate to Service > Unbound > Query Forwarding, try to add an entry like in my screen shot.
Expected behavior
The entry should be permitted.
Describe alternatives you considered
There is no alternative ;)
Screenshots
Relevant log files
none
Additional context
The validity of these zone names is frequently the topic of debate. My reading of the relevant RFCs is that underscore in hostnames is not allowed, but perfectly well so in zone names or e.g. SRV records. Also Microsoft does (surprise!) have a history of adhering to standards quite tightly in the infrastructure (DNS, LDAP, Kerberos, ...) areas.
Environment
OPNsense 24.1.7_4
@AdSchellevis
That was quick! Thanks! Will that make it into the 24.1 branch? I am not quite familiar with your release management, yet.
Ok how about tomorrow? ;)
While you are at it - I guess Unbound > Overrides > Domain Overrides deserves the same treatment and possibly Host Overrides, too.
@pmhausen since host and domain are split there and validations underneath differ a bit, better open another ticket for that when needed. rfc2181 removes almost all constraints from the field, which might have other downsides in these cases.
Domain Overrides IMHO has exactly the same constraints as Query Forwarding. I was a little bit puzzled by the former still existing. Wasn't the intention to remove that (legacy) part of the menu in favour of Query Forwarding?
Anyway - Host Overrides should follow the standard for host names. Domain Overrides is just another name for essentially Query Forwarding.
Kind regards,
Patrick
> Domain Overrides IMHO has exactly the same constraints as Query Forwarding. I was a little bit puzzled by the former still existing. Wasn't the intention to remove that (legacy) part of the menu in favour of Query Forwarding?
yes, so better to leave it alone for now (#7243)
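
The host name versus zone name distinction discussed in this thread, as an added example that is not part of the thread and not OPNsense's validation code. The function names are hypothetical, `_msdcs.example.com` is a constructed sample, and the zone check assumes a conservative policy: RFC 2181 length limits plus a character allowlist that admits underscores, so a value written into a resolver configuration cannot carry whitespace, quotes or line breaks.

```python
import re

# Host name label: letters, digits, hyphen; no leading or trailing hyphen (RFC 952 / RFC 1123).
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Zone label (assumed policy for this example): the same set plus underscore.
ZONE_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def _labels(name):
    """Split a name into labels, tolerating one trailing dot; None if structurally invalid."""
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return None
    labels = name.split(".")
    # RFC 2181 section 11: each label is 1..63 octets, the full name at most
    # 255 octets on the wire (one length octet per label plus the root label).
    wire_len = sum(len(label.encode()) + 1 for label in labels) + 1
    if wire_len > 255 or any(not 1 <= len(label.encode()) <= 63 for label in labels):
        return None
    return labels


def is_valid_hostname(name):
    """Strict check for Host Overrides style fields: no underscores."""
    labels = _labels(name)
    # fullmatch, not match with '$': '$' would accept a trailing newline.
    return labels is not None and all(HOST_LABEL.fullmatch(l) for l in labels)


def is_valid_zone_name(name):
    """Relaxed check for forwarding zones: underscores allowed, nothing else added."""
    labels = _labels(name)
    return labels is not None and all(ZONE_LABEL.fullmatch(l) for l in labels)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["_msdcs.example.com", "dc01.example.com", "bad zone.example.com", "example.com\n"]:
        print(repr(sample), "host:", is_valid_hostname(sample), "zone:", is_valid_zone_name(sample))
```
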