Bug 13979

Summary: Rethink Safe Search
Product: IPFire Reporter: Michael Tremer <michael.tremer>
Component: ---Assignee: Michael Tremer <michael.tremer>
Status: MODIFIED --- QA Contact: Stefan Schantl <stefan.schantl>
Severity: - Unknown -    
Priority: - Unknown -    
Version: 2   
Hardware: unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 13972    

Description Michael Tremer 2026-05-18 17:26:54 UTC 
Safesearch is currently implemented in Knot Resolver in a way where it does not work because Knot Resolver isn't able to recursively lookup any CNAMEs when using the policy.ANSWER() function.

We will probably have to build our own module or potentially some custom configuration so that we can redirect those queries.
Comment 1 Michael Tremer 2026-05-21 18:43:44 UTC 
This has now been implemented by creating a new, static zone file that is being loaded into the resolver:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/knot-resolver/config.lua;h=d594c88eb569b8668809230c6ab1307183c9514b;hb=refs/heads/next#l251

At a first glance this worked well for me, but it still has to be validated.