
Fix unbound_dot: allow requests without domain parameter set #77

Merged (2 commits) on Jun 20, 2024

Conversation

@Cyatris (Contributor) commented Jun 20, 2024

Description

When creating a DNS over TLS rule in Opnsense, specifying a target attribute is required. One may also define one of the following optional parameters: domain, port or validate (and reload).

Expected Behavior

According to the docs domain is not a required parameter.
An Ansible task without the domain parameter set should therefore execute correctly.

Actual Behavior

The validate_domain function called in unbound_dot.py will throw an AttributeError: 'NoneType' object has no attribute 'find'

Changes

  • validate_domain is only called if domain is set.
  • Opnsense rule matching without domain set allows usage of verify instead.
  • If neither domain nor verify is set, only target parameter is used.

Discussion

Changing match_fields to allow matching only against target if neither domain nor verify is set may lead to Ansible operating on the wrong rule, if multiple rules with the same target attribute are set.

An alternative approach could be to always require either verify or domain parameter being set.
However, since both are marked as optional, this will probably not solve the underlying issue.

@ansibleguy (Owner) left a comment:

Makes sense

@ansibleguy (Owner) commented:

Thank you for correcting it - we had the same issue with unbound_forward before. It seems we forgot about the dot module at that time :(

I've set the matching to use only target if no domain is supplied - else domain and target will be used.
I don't think there are many setups where the target is used with more than one verify CN - as the server certificate and thus CN will normally not change if you address the same server & port.
I thought about using target and port - but I don't think there are many setups where one server is used for multiple DNS services. Does not really make sense in my opinion.
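The following is an added illustration of the failure described in the PR description and of the matching rule the maintainer settled on; it is not code from the ansibleguy.opnsense collection, and every function name and sample rule in it is a hypothetical simplification (the only real detail is that the validator fails on None with "'NoneType' object has no attribute 'find'"). It also carries the ambiguity caveat from the Discussion section one step further by refusing to pick among several rules that share a target.

```python
# Added example for PR #77 (not the collection's own code). Function names,
# rule records and the tiny validator are hypothetical stand-ins.
from typing import Optional


def validate_domain(domain: str) -> bool:
    # Stand-in for the module's validator: it uses str methods such as
    # .find(), so passing None raises AttributeError ('NoneType' has no 'find').
    return domain.find(' ') == -1 and '.' in domain


def legacy_check(params: dict) -> bool:
    # Pre-fix behaviour: the validator runs even when 'domain' was never set.
    return validate_domain(params.get('domain'))


def fixed_check(params: dict) -> bool:
    # Post-fix behaviour: only validate 'domain' when the task supplies it.
    domain = params.get('domain')
    return True if domain is None else validate_domain(domain)


def match_fields(params: dict) -> list:
    # Maintainer's final rule: match on 'target' alone when no domain is
    # supplied, otherwise on both 'domain' and 'target'.
    return ['domain', 'target'] if params.get('domain') else ['target']


def find_rule(params: dict, existing: list) -> Optional[dict]:
    # Locate the existing DoT rule a task refers to. Several rules sharing a
    # target while the task omits 'domain' is the ambiguous case raised in the
    # PR discussion: refuse to guess rather than operate on the wrong rule.
    fields = match_fields(params)
    hits = [r for r in existing if all(r.get(f) == params.get(f) for f in fields)]
    if len(hits) > 1:
        raise LookupError(f'{len(hits)} rules match on {fields}; set domain to disambiguate')
    return hits[0] if hits else None


def raises(exc: type, fn, *args) -> bool:
    # Small helper so callers can check the failure modes without try/except.
    try:
        fn(*args)
    except exc:
        return True
    return False


# Constructed sample rules (documentation addresses), not from a real firewall.
RULES = [
    {'uuid': 'a', 'domain': 'example.org', 'target': '192.0.2.53', 'port': '853'},
    {'uuid': 'b', 'domain': None, 'target': '192.0.2.53', 'port': '853'},
    {'uuid': 'c', 'domain': None, 'target': '198.51.100.1', 'port': '853'},
]
```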

@ansibleguy ansibleguy merged commit a1ea6cf into ansibleguy:latest Jun 20, 2024
2 checks passed
@ansibleguy ansibleguy self-assigned this Jun 20, 2024
@ansibleguy ansibleguy added the bug Something isn't working label Jun 20, 2024