unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/rootfiles/core/107/filelists/files

@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/traffic.cgi
 var/ipfire/langs

src/initscripts/init.d/unbound

@@ -168,16 +168,34 @@ write_forward_conf() {
 	(
 		config_header
 
+		local insecure_zones
+
 		local enabled zone server remark
 		while IFS="," read -r enabled zone server remark; do
 			# Line must be enabled.
 			[ "${enabled}" = "on" ] || continue
 
+			# Zones that end with .local are commonly used for internal
+			# zones and therefore not signed
+			case "${zone}" in
+				*.local)
+					insecure_zones="${insecure_zones} ${zone}"
+					;;
+			esac
+
 			echo "forward-zone:"
 			echo "	name: ${zone}"
 			echo "	forward-addr: ${server}"
 			echo
 		done < /var/ipfire/dnsforward/config
+
+		if [ -n "${insecure_zones}" ]; then
+			echo "server:"
+
+			for zone in ${insecure_zones}; do
+				echo "	domain-insecure: ${zone}"
+			done
+		fi
 	) > /etc/unbound/forward.conf
 }