Topic: Custom options: This option will be removed in the future due to being insecure (Read 3016 times)
ip6li
Newbie
Posts: 6
Karma: 0
Custom options: This option will be removed in the future due to being insecure
« on: June 27, 2019, 10:39:43 am »
Hello,
the announcement "This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting." caused some trouble.
At least this will cause problems if OPNsense is used with DNSSEC and for internal Windows AD. This field is used to set up an exemption from DNSSEC for the internal Windows AD domain.
If this field is dropped, OPNSense will no longer resolve AD DNS.
At least there should be a possibility by CLI to include custom configs for Unbound. I think Unbound config options are too complex to map them all into a Web GUI.
Christian
Logged
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Custom options: This option will be removed in the future due to being insecure
« Reply #1 on: June 27, 2019, 10:59:35 am »
Very strange policy, as this is the way to have DNS-over-TLS with OPNsense, while pfSense has this in the GUI.
Will the option to enable DNS-over-TLS be added to the GUI in OPNsense?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
franco
Administrator
Hero Member
Posts: 17665
Karma: 1611
Re: Custom options: This option will be removed in the future due to being insecure
« Reply #2 on: June 27, 2019, 11:34:11 am »
Yes, overrides via console access will be possible.
Yes, some settings will be made possible directly via GUI.
This is fallout from the security issue reported by Bill Marquette for which a fix was shipped with 19.1.8.
As a general policy we consider custom configuration freeform text dangerous and you won't find it in newer code (with one exception in the Zerotier plugin I believe).
Unbound, Dnsmasq, NTP and OpenVPN are the current offenders in the inherited code base.
We also believe that providing freeform text stifles innovation and proper feature integration and benefits only a subset of the community.
But don't despair: we're happy with the admin-only edit policy and the features will be kept for a few major releases. NTP was the only one we considered changing in the shorter term.
Cheers,
Franco
« Last Edit: June 27, 2019, 11:36:14 am by franco »
Logged
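A sketch of the structured alternative to the freeform field discussed in this thread, added here as an example (it is not OPNsense code and not part of any post): the DNSSEC exemption for an internal AD domain is rendered from validated fields, so a value cannot carry extra Unbound directives. The function names, the domain `ad.example.internal`, the resolver addresses and the choice of a forward zone are assumptions; `domain-insecure`, `forward-zone`, `name` and `forward-addr` are standard unbound.conf options.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def check_domain(name):
    """Return a normalised DNS name or raise ValueError.

    Quotes, spaces and newlines are rejected, so the value cannot close
    the quoted string or start a new directive in the generated file.
    """
    bare = name[:-1] if name.endswith(".") else name
    if len(bare) > 253 or not all(_LABEL.fullmatch(l) for l in bare.split(".")):
        raise ValueError(f"invalid domain name: {name!r}")
    return bare.lower()


def check_addr(addr):
    """Return a canonical IPv4/IPv6 address or raise ValueError."""
    return str(ipaddress.ip_address(addr))


def render_dnssec_exemption(domain, resolvers):
    """Render the exemption for an internal zone from validated fields.

    Assumption: the internal zone is forwarded to the AD DNS servers.
    """
    zone = check_domain(domain)
    addrs = [check_addr(a) for a in resolvers]
    if not addrs:
        raise ValueError("at least one resolver address is required")
    lines = ["server:", f'  domain-insecure: "{zone}"',
             "forward-zone:", f'  name: "{zone}"']
    lines += [f"  forward-addr: {a}" for a in addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(render_dnssec_exemption("ad.example.internal", ["10.0.0.10", "10.0.0.11"]))
    for bad in ('ad.example.internal"\n  some-option: "x', "ad example"):
        try:
            render_dnssec_exemption(bad, ["10.0.0.10"])
        except ValueError as err:
            print("rejected:", err)
```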
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Custom options: This option will be removed in the future due to being insecure
« Reply #3 on: June 27, 2019, 11:43:26 am »
...puuuuhhh... Big relief. :-)
Logged
kind regards
chemlud