Always validate on 'validate' and 'log-fail' 3710/head
authorPieter Lexis <pieter.lexis@powerdns.com>
Fri, 15 Apr 2016 09:55:40 +0000 (11:55 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Fri, 15 Apr 2016 09:58:11 +0000 (11:58 +0200)
Closes #3709

Also add a comment in the code regarding another DNSSEC ticket

pdns/pdns_recursor.cc

index 86fc88598de0c333b86a0632ce6c560850ec08ce..3cee6bde2053f20ef4472f498d677f13954f3660 100644 (file)
@@ -925,7 +925,9 @@ void startDoResolve(void *p)
     else {
       pw.getHeader()->rcode=res;
 
-      if(haveEDNS) {
+      // FIXME: haveEDNS is not the way to handle initiation of validation, we
+      // should look for the AD bit in the header, see #3682
+      if(haveEDNS || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog) {
        if(g_dnssecmode != DNSSECMode::Off && ((edo.d_Z & EDNSOpts::DNSSECOK) || g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog)) {
           if(sr.doLog()) {
             L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
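Review bot: With the widened outer test on the `if(haveEDNS || ...` line, the inner condition still evaluates `edo.d_Z & EDNSOpts::DNSSECOK` before the mode checks, so a query without EDNS in ValidateAll or ValidateForLog mode reads `edo` even though no OPT record was parsed. Whether `edo` is initialised in that case cannot be seen here (its declaration and the rest of startDoResolve lie outside the hunk), so I would guard the read as `(haveEDNS && (edo.d_Z & EDNSOpts::DNSSECOK))`. The outer `if` also now repeats the two mode tests of the inner one; folding both into a single condition would make it easier to confirm that validation is never skipped in 'validate' or 'log-fail' mode. Any later use of `edo.d_Z` to decide on the AD bit or the rcode for a Bogus answer should be checked for the same no-EDNS case.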