From 8e57555345db9ccf347d3286da14229347f4bf60 Mon Sep 17 00:00:00 2001
From: doktornotor <1075960+doktornotor@users.noreply.github.com>
Date: Mon, 6 Nov 2023 09:21:58 +0100
Subject: [PATCH] [os-bind] #3650 - break-dnssec toggle needed for Enable
filter-aaaa on IPv4/IPv6 clients (#3651)
If DNSSEC validation is disabled, filter-aaaa-on-v4 or filter-aaaa-on-v6 is set to break-dnssec
instead of yes, so that AAAA records are omitted even if they are signed.
See https://github.com/opnsense/plugins/issues/3650
---
.../mvc/app/controllers/OPNsense/Bind/forms/general.xml | 4 ++--
.../opnsense/service/templates/OPNsense/Bind/named.conf | 8 ++++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 1a1d8c92a..52929b3ef 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -73,13 +73,13 @@
general.filteraaaav4checkbox
- This will filter AAAA records on IPv4 Clients
+ This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.general.filteraaaav6checkbox
- This will filter AAAA records on IPv6 Clients
+ This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.general.filteraaaaacl
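Review bot: The new help text on both checkboxes tells the user to set "DNSSEC Validation" to "No" without stating the cost: that switch turns off DNSSEC validation for every answer this resolver returns, not only AAAA lookups, so the text should read as a trade-off rather than a recipe. It also leaves the default case unexplained, which the commit message implies: while validation is enabled the filter runs in `yes` mode and DNSSEC-signed AAAA records are still returned to clients. Suggested wording for the IPv4 entry (mirror it for IPv6): `This will filter AAAA records on IPv4 Clients. Signed AAAA records are still returned while DNSSEC validation is enabled; setting "DNSSEC Validation" to "No" also omits signed records, at the cost of disabling DNSSEC validation for all responses.` The enclosing XML field elements are not visible in this hunk, so which element the help text belongs to is inferred from the field ids.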
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 6f95e9812..b92aaf6d5 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -222,10 +222,18 @@ logging {
{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' or helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
plugin query "/usr/local/lib/bind/filter-aaaa.so" {
{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
+{% if OPNsense.bind.general.dnssecvalidation == 'no' %}
+ filter-aaaa-on-v4 break-dnssec;
+{% else %}
filter-aaaa-on-v4 yes;
+{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
+{% if OPNsense.bind.general.dnssecvalidation == 'no' %}
+ filter-aaaa-on-v6 break-dnssec;
+{% else %}
filter-aaaa-on-v6 yes;
+{% endif %}
{% endif %}
{% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
filter-aaaa { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };
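Review bot: The two new conditions on `OPNsense.bind.general.dnssecvalidation` read the field directly, while every other condition in this block first guards its field with `helpers.exists(...)`; if the field can be missing from an older configuration, the comparison then depends on Jinja's undefined handling rather than on an explicit check. The same three-line branch is also written twice, once per address family, so a later change to the mode selection has to be kept in sync in two places. The fail-safe direction is right and worth making explicit: any value other than `no` keeps the filter in `yes` mode, which leaves signed AAAA records intact instead of breaking DNSSEC for validating clients. Computing the mode once at the top of the `plugin query` block, with a template comment recording why `break-dnssec` is acceptable only when validation is off, addresses both points without changing the emitted config.
```jinja
{% set filter_aaaa_mode = 'break-dnssec' if helpers.exists('OPNsense.bind.general.dnssecvalidation') and OPNsense.bind.general.dnssecvalidation == 'no' else 'yes' %}
{# break-dnssec strips AAAA records even from signed answers; only acceptable when this resolver performs no DNSSEC validation, otherwise 'yes' keeps signed records #}
plugin query "/usr/local/lib/bind/filter-aaaa.so" {
{% if helpers.exists('OPNsense.bind.general.filteraaaav4') and OPNsense.bind.general.filteraaaav4 == '1' %}
    filter-aaaa-on-v4 {{ filter_aaaa_mode }};
{% endif %}
{% if helpers.exists('OPNsense.bind.general.filteraaaav6') and OPNsense.bind.general.filteraaaav6 == '1' %}
    filter-aaaa-on-v6 {{ filter_aaaa_mode }};
{% endif %}
{# … unchanged: filter-aaaa ACL … #}
```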