dns/bind: add Response Policy Zone (RPZ) support

[mbedworth]

Important notices

Before you submit a pull request, we ask you kindly to acknowledge the following:

• I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• I opened an issue first for non-trivial changes and linked it below.
• AI tools were used to create at least part of the code submitted herewith.

If AI was used, please disclose:

• Model used: Claude Sonnet (Anthropic)
• Extent of AI involvement: AI assisted with code generation and structure; all logic reviewed and tested manually on live OPNsense.

---

Describe the problem

The BIND plugin already supports DNSBL-based response-policy zones, but there is no way to configure a standalone RPZ (e.g. a local blocklist maintained by an external update script) without manually editing named.conf. Because named.conf is regenerated by the configd template engine on every service restart and OS update, manual edits do not survive.

The response-policy directive must appear inside the options {} block, which means it cannot be injected via a top-level include file from named.conf.d/.

---

Describe the proposed solution

Adds a native RPZ settings tab to the BIND GUI (between DNSBL and ACLs) and wires it through the standard OPNsense MVC/API stack:

File	Role
models/OPNsense/Bind/Rpz.xml	Model — mounted at //OPNsense/bind/rpz
models/OPNsense/Bind/Rpz.php	BaseModel subclass
Api/RpzController.php	REST controller (/api/bind/rpz/get, /api/bind/rpz/set)
forms/rpz.xml	GUI form
GeneralController.php	Exposes rpzForm to the view
general.volt	RPZ tab + JS wiring
named.conf (template)	Emits response-policy inside options {} and zone declaration

Configuration fields

• Enabled — on/off toggle
• Zone name — zone name; zone file expected at /usr/local/etc/namedb/primary/<zone>.db
• Policy — override policy: nxdomain | nodata | passthru | drop | tcp-only (optional; omit to use zone's own CNAME records)
• Break DNSSEC — allow RPZ rewrites over DNSSEC-signed responses

Coexistence with DNSBL

When both DNSBL and RPZ are enabled, two separate response-policy statements are emitted — one for DNSBL zones and one for the RPZ zone. BIND supports multiple response-policy statements.

Testing

Tested on OPNsense 25.1 with BIND 9.20:

• Enabled RPZ with rpz.local zone and Hagezi Light blocklist (137,674 entries)
• named-checkconf passes cleanly
• Blocked domains return NXDOMAIN with rpz.local in the authority section
• Normal resolution is unaffected
• Configuration survives service restart and configctl bind restart
• DNSBL continues to function when both features are enabled simultaneously

---

Related issue

N/A

[AdSchellevis]

@mbedworth can you please use our PR template?

[mbedworth]

The PR description has been updated to use the standard template (checkboxes, "Describe the problem" / "Describe the proposed solution" sections). Let me know if anything else needs adjusting before review.