Custom options: This option will be removed in the future due to being insecure

[ip6li]

Hello,

the announcement "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting." caused some trouble.
At least this will cause problems if OPNSense is used wird DNSSEC and für internal Windows AD. This field is used to set up an exempt from DNSSEC for internal Windows AD domain.
If this field is dropped, OPNSense will no longer resolve AD DNS.

At least there should be a possibility by CLI to include custom configs for Unbound. I think Unbound config options are too complex to map them all into a Web GUI.

Christian

[chemlud]

Very strange policy, as this is the way to have DNS-over-TLS with opnsense, while pfsense has this in the GUI.

Will the option to enable DNS-over-TLS be added to the GUI in opnsense?

[franco]

Yes, overrides via console access will be possible.

Yes, some settings will be made possible directly via GUI.

This is fallout from the security issue reported by Bill Marquette for which a fix was shipped with 19.1.8.

As a general policy we consider custom configuration freeform text dangerous and you won't find it in newer code (with one exception in the Zerotier plugin I believe).

Unbound, Dnsmasq, NTP and OpenVPN are the current offenders in the inherited code base.

We also believe that providing freeform text stifles innovation and proper feature integration and benefits only a subset of the community.

But don't despair: we're happy with the admin-only edit policy and the features will be kept for a few major releases. NTP was the only one we considered changing in the shorter term.


Cheers,
Franco

[chemlud]

...puuuuhhh... Big relief. :-)