From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <ronan@rjp.ie>
Date: Fri, 8 Mar 2024 13:40:08 -0700
Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
 validating

This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.

This brings the behavior of sd-resolved in-line with previously stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".

Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
---
 src/resolve/resolved-dns-server.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f4f4..b37f541c7f 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;
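
Review bot: dns_server_dnssec_supported() should keep the feature-level test for any mode other than DNSSEC=no, because the three lines deleted after the DNSSEC_YES early return are removed unconditionally while the commit message only argues for the non-validating case. As written, a server whose possible_feature_level has dropped below the DNSSEC levels is reported as DNSSEC-capable in DNSSEC=allow-downgrade as well, unless packet_bad_opt is set or a check below the visible context catches it. Consider guarding the test on the mode instead of deleting it, e.g. `if (dns_server_get_dnssec_mode(server) != DNSSEC_NO && !DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) return false;`, or add a comment at this spot, in the style of the one on the DNSSEC_YES branch, explaining why the downgraded feature level is intentionally no longer consulted for callers that still validate.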