dns/bind: add HTTPS record type support#5425
Open
mbedworth wants to merge 2 commits into
Open
Conversation
Fix critical syntax error in opnsense-fw active response script that prevents IPs from being added to the __wazuh_agent_drop alias.
## Problem
The script contains invalid Python syntax - a variable assignment inside a dictionary literal:
```python
"parameters":{
unique_key = "%s-%s" % (...) # Invalid Python syntax
"keys": [unique_key]
}
```
This causes the script to fail with a SyntaxError on all 'add' commands, meaning attacking IPs are never blocked.
## Changes
- Move unique_key assignment outside dictionary literal (fixes SyntaxError)
- Fix typo: 'even' -> 'event' in error message
- Add debug logging for easier troubleshooting
## Testing
- Verified syntax with `python3 -m py_compile`
- Tested active response add/delete operations on OPNsense 26.1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Important notices
Before you submit a pull request, we ask you kindly to acknowledge the following:
If AI was used, please disclose:
Describe the problem
The BIND record model (
Record.xml) does not includeHTTPSas a valid record type, making it impossible to add HTTPS/SVCB resource records (RFC 9460) through the plugin GUI or API. BIND 9.18+ supports HTTPS records natively in zone files, but the OPNsense validation layer rejects the type before it reaches named.Describe the proposed solution
Add
HTTPSto theOptionValueslist inmodels/OPNsense/Bind/Record.xml. This is a one-line change that follows the same pattern as the existing record types (SRV, TLSA, etc.).HTTPS records (RFC 9460) are used for service binding and parameter discovery. A common use case is advertising DoH endpoints with their path and ALPN parameters so RFC 9460-aware clients can discover them automatically, for example:
The zone file template already emits records generically as
name type value, so no template changes are required — only the model validation needs updating.Testing
Tested on OPNsense 26.1 with BIND 9.20:
addRecordwith"type": "HTTPS"returns{"result":"saved"}and the record is written to config.xmlname HTTPS valuein the zone filedig TYPE65returnsNOERRORwith the correct SvcParams after a zone reload