From patchwork Wed Mar 6 03:59:08 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2134
From: Michael Tremer
To: development@lists.ipfire.org
Cc: Michael Tremer
Subject: [PATCH 1/2] DNS Forwarding: Add UI to Allow to disable DNSSEC for a zone
Date: Tue, 5 Mar 2019 16:59:08 +0000
Message-Id: <20190305165909.25087-1-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.12.2
List-Id: IPFire development talk

Signed-off-by: Michael Tremer --- doc/language_issues.en | 2 ++ doc/language_issues.es | 2 ++ doc/language_issues.fr | 2 ++ doc/language_issues.it | 2 ++ doc/language_issues.nl | 2 ++ doc/language_issues.pl | 2 ++ doc/language_issues.ru | 2 ++ doc/language_issues.tr | 2 ++ doc/language_missings | 14 ++++++++++++++ html/cgi-bin/dnsforward.cgi | 40 ++++++++++++++++++++++++++++++++++++---- langs/de/cgi-bin/de.pl | 2 ++ langs/en/cgi-bin/en.pl | 2 ++ 12 files changed, 70 insertions(+), 4 deletions(-) diff --git a/doc/language_issues.en b/doc/language_issues.en index 4af86025f..5a3012207 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -606,6 +606,8 @@ WARNING: untranslated string: dns desc = If the red0 interface gets the IP addre WARNING: untranslated string: dns error 0 = The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid. WARNING: untranslated string: dns error 01 = The entered IP address of the primary and secondary DNS server are not valid, please check your entries! WARNING: untranslated string: dns error 1 = The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid. +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns header = Assign DNS server addresses only for DHCP on red0 WARNING: untranslated string: dns list = List of free public DNS servers WARNING: untranslated string: dns menu = Assign DNS-Server diff --git a/doc/language_issues.es b/doc/language_issues.es index d1a593566..d8b49f918 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -778,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.fr b/doc/language_issues.fr index ded039f5a..37b43569c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -772,6 +772,8 @@ WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Scan for Songs = unknown string WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: fwhost cust geoipgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 7c465aae6..c2b0b2327 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -798,6 +798,8 @@ WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec disabled warning = WARNING: DNSSEC has been disabled WARNING: untranslated string: eight hours = 8 Hours diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 2ed6e3d85..46d923fe5 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -801,6 +801,8 @@ WARNING: untranslated string: dhcp dns update = DNS Update WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: dnssec aware = DNSSEC Aware diff --git a/doc/language_issues.pl b/doc/language_issues.pl index d1a593566..d8b49f918 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -778,6 +778,8 @@ WARNING: untranslated string: dhcp dns update algo = Algorithm: WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 2f0b4d9e8..1286bcd87 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -782,6 +782,8 @@ WARNING: untranslated string: dhcp dns update secret = Secret: WARNING: untranslated string: disk access per = Disk Access per WARNING: untranslated string: dl client arch insecure = Download insecure Client Package (zip) WARNING: untranslated string: dnat address = Firewall Interface +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dns servers = DNS Servers WARNING: untranslated string: dnsforward = DNS Forwarding WARNING: untranslated string: dnsforward add a new entry = Add a new entry diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c6fb9f255..0e95d6045 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -775,6 +775,8 @@ WARNING: untranslated string: bytes = unknown string WARNING: untranslated string: crypto error = Cryptographic error WARNING: untranslated string: crypto warning = Cryptographic warning WARNING: untranslated string: default IP address = Default IP Address +WARNING: untranslated string: dns forward disable dnssec = Disable DNSSEC (dangerous) +WARNING: untranslated string: dns forwarding dnssec disabled notice = (DNSSEC disabled) WARNING: untranslated string: dnsforward forward_servers = Nameservers WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwhost cust geoipgrp = unknown string diff --git a/doc/language_missings b/doc/language_missings index 4d0499960..12ef6e673 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -210,9 +210,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning 
@@ -803,6 +805,8 @@ ############################################################################ < cryptographic settings < default IP address +< dns forward disable dnssec +< dns forwarding dnssec disabled notice < interface mode < invalid input for interface address < invalid input for interface mode @@ -898,7 +902,9 @@ < dhcp dns update algo < dhcp dns update secret < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec disabled warning < eight hours < email config @@ -1141,7 +1147,9 @@ < dh name is invalid < dh parameter < dl client arch insecure +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnssec aware < dnssec disabled warning < dnssec information @@ -1501,9 +1509,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -2235,9 +2245,11 @@ < dnsforward < dnsforward add a new entry < dnsforward configuration +< dns forward disable dnssec < dnsforward edit an entry < dnsforward entries < dnsforward forward_servers +< dns forwarding dnssec disabled notice < dnsforward zone < dnssec aware < dnssec disabled warning @@ -2820,7 +2832,9 @@ < cryptographic settings < crypto warning < default IP address +< dns forward disable dnssec < dnsforward forward_servers +< dns forwarding dnssec disabled notice < fwdfw all subnets < interface mode < invalid input for interface address diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 0439817b9..d9807c90e 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi 
@@ -52,6 +52,7 @@ $cgiparams{'ACTION'} = ''; $cgiparams{'ZONE'} = ''; $cgiparams{'FORWARD_SERVERS'} = ''; $cgiparams{'REMARK'} =''; +$cgiparams{'DISABLE_DNSSEC'} = 'off'; &Header::getcgihash(\%cgiparams); open(FILE, $filename) or die 'Unable to open config file.'; my @current = ; @@ -76,6 +77,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) } } + if ($cgiparams{'DISABLE_DNSSEC'} !~ /^(on|off)?$/) { + $errormessage = $Lang::tr{'invalid input'}; + } + # Go further if there was no error. if ( ! $errormessage) { @@ -85,11 +90,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) # Check if a remark has been entered. $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + # Set to off if not enabled + if (!$cgiparams{'DISABLE_DNSSEC'}) { + $cgiparams{'DISABLE_DNSSEC'} = "off"; + } + # Check if we want to edit an existing or add a new entry. if($cgiparams{'EDITING'} eq 'no') { open(FILE,">>$filename") or die 'Unable to open config file.'; flock FILE, 2; - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { open(FILE, ">$filename") or die 'Unable to open config file.'; flock FILE, 2; @@ -98,7 +108,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) { $id++; if ($cgiparams{'EDITING'} eq $id) { - print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'}\n"; + print FILE "$cgiparams{'ENABLED'},$cgiparams{'ZONE'},$cgiparams{'FORWARD_SERVERS'},$cgiparams{'REMARK'},$cgiparams{'DISABLE_DNSSEC'}\n"; } else { print FILE "$line"; } } } @@ -151,7 +161,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { chomp($line); my @temp = split(/\,/,$line); - print FILE "$cgiparams{'ENABLE'},$temp[1],$temp[2],$temp[3]\n"; + + $temp[0] = $cgiparams{'ENABLE'}; + + print FILE join(",", @temp) . "\n"; } } close(FILE); 
@@ -176,6 +189,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) $cgiparams{'ZONE'} = $temp[1]; $cgiparams{'FORWARD_SERVERS'} = join(",", split(/\|/, $temp[2])); $cgiparams{'REMARK'} = $temp[3]; + $cgiparams{'DISABLE_DNSSEC'} = $temp[4]; } } } @@ -184,6 +198,10 @@ $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; +$checked{'DISABLE_DNSSEC'}{'off'} = ''; +$checked{'DISABLE_DNSSEC'}{'on'} = ''; +$checked{'DISABLE_DNSSEC'}{$cgiparams{'DISABLE_DNSSEC'}} = "checked='checked'"; + &Header::openpage($Lang::tr{'dnsforward configuration'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -230,6 +248,10 @@ print <$Lang::tr{'remark'}: + + $Lang::tr{'dns forward disable dnssec'}: + +

@@ -291,13 +313,19 @@ foreach my $line (@current) my $gif = ''; my $gdesc = ''; my $toggle = ''; + my $notice = ""; # Format lists of servers my $servers = join(", ", split(/\|/, $temp[2])); + my $disable_dnssec = $temp[4]; + if($cgiparams{'ACTION'} eq $Lang::tr{'edit'} && $cgiparams{'ID'} eq $id) { print ""; $col="bgcolor='${Header::colouryellow}'"; } + elsif ($disable_dnssec eq 'on') { + print ""; + $col="bgcolor='${Header::colourred}' style='color: white'"; } elsif ($id % 2) { print ""; $col="bgcolor='$color{'color22'}'"; } @@ -308,11 +336,15 @@ foreach my $line (@current) if ($temp[0] eq 'on') { $gif='on.gif'; $toggle='off'; $gdesc=$Lang::tr{'click to disable'};} else { $gif='off.gif'; $toggle='on'; $gdesc=$Lang::tr{'click to enable'}; } + if ($disable_dnssec eq "on") { + $notice = $Lang::tr{'dns forwarding dnssec disabled notice'}; + } + ### # Display edit page. # print <$temp[1] + $temp[1] $notice $servers $temp[3] diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index cf33567a1..ce7090c39 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -805,6 +805,8 @@ 'dns error 0' => 'Die IP Adresse vom primären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene sekundären DNS Server Adresse ist jedoch gültig.
', 'dns error 01' => 'Die eingegebene IP Adresse des primären wie auch des sekundären DNS-Servers sind nicht gültig, bitte überprüfen Sie Ihre Eingaben!', 'dns error 1' => 'Die IP Adresse vom sekundären DNS Server ist nicht gültig, bitte überprüfen Sie Ihre Eingabe!
Die eingegebene primäre DNS Server Adresse ist jedoch gültig.', +'dns forward disable dnssec' => 'DNSSEC deaktivieren (nicht empfohlen)', +'dns forwarding dnssec disabled notice' => '(DNSSEC deaktiviert)', 'dns header' => 'DNS Server Adressen zuweisen nur mit DHCP an red0', 'dns list' => 'Liste von freien öffentlichen DNS Servern', 'dns menu' => 'DNS-Server zuweisen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 4f4b4d9c1..7697dc202 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -832,6 +832,8 @@ 'dns error 0' => 'The IP address of the primary DNS server is not valid, please check your entries!
The entered secondary DNS server address is valid.', 'dns error 01' => 'The entered IP address of the primary and secondary DNS server are not valid, please check your entries!', 'dns error 1' => 'The IP address of the secondary DNS server is not valid, please check your entries!
The entered primary DNS server address is valid.', +'dns forward disable dnssec' => 'Disable DNSSEC (dangerous)', +'dns forwarding dnssec disabled notice' => '(DNSSEC disabled)', 'dns header' => 'Assign DNS server addresses only for DHCP on red0', 'dns list' => 'List of free public DNS servers', 'dns menu' => 'Assign DNS-Server',
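
Review bot: in html/cgi-bin/dnsforward.cgi, hunk @@ -76,6 +77,10 @@, the check `$cgiparams{'DISABLE_DNSSEC'} !~ /^(on|off)?$/` is anchored with `$`, which in Perl also matches just before a trailing newline. A value of "on" followed by a newline therefore passes validation and is later printed verbatim into the comma-separated config line. Anchor the pattern with \A and \z instead, for example /\A(?:on|off)?\z/.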
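
Review bot: in html/cgi-bin/dnsforward.cgi, hunk @@ -85,11 +90,16 @@, the new DISABLE_DNSSEC value is appended after `$cgiparams{'REMARK'}`, the only free-text field in the record, and the visible context passes REMARK through Header::cleanhtml only. If a remark can contain a comma, every reader that does `split(/\,/,$line)` will find part of the remark in `$temp[4]` instead of the flag that the UI labels 'Disable DNSSEC (dangerous)'. Reject or strip commas in REMARK before both `print FILE` calls, so a free-text field cannot shift the position of this setting.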
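
Review bot: in html/cgi-bin/dnsforward.cgi, hunk @@ -176,6 +189,7 @@, `$cgiparams{'DISABLE_DNSSEC'} = $temp[4];` is undefined for rows that were written in the previous four-field format, and that value is used as a hash key in `$checked{'DISABLE_DNSSEC'}{$cgiparams{'DISABLE_DNSSEC'}}` in the following hunk. Default it explicitly, for example `$temp[4] || 'off'`, so existing entries load as 'off' without relying on how undef is handled, and apply the same default to `my $disable_dnssec = $temp[4];` in the list loop.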
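
Review bot: in html/cgi-bin/dnsforward.cgi, hunk @@ -291,13 +313,19 @@, the red row colour for a DNSSEC-disabled zone is in an `elsif` after the edit branch, so the row currently being edited is drawn yellow and loses the warning colour; only the `$notice` text remains. If the highlight is meant to be the primary warning, decide which state wins or combine them. As a style point, the same value is compared as `eq 'on'` in one place and `eq "on"` in the other; pick one quoting style.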
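
Review bot: in langs/de/cgi-bin/de.pl, 'dns forward disable dnssec' is translated as 'DNSSEC deaktivieren (nicht empfohlen)', which reads as "not recommended", while langs/en/cgi-bin/en.pl uses 'Disable DNSSEC (dangerous)'. Keep the severity of the warning the same in both languages so that German-language users are not shown a weaker caution for the same setting.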