From: W.C.A. Wijngaards Date: Wed, 4 Oct 2023 13:28:52 +0000 (+0200) Subject: - disable-edns-do, unbound-checkconf warns about disable-edns-do and DNSSEC X-Git-Tag: release-1.19.0rc1~29^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e7714e80cdbf8491cc325ba2901abd7a4700d68;p=thirdparty%2Funbound.git - disable-edns-do, unbound-checkconf warns about disable-edns-do and DNSSEC validation that is enabled, and suggests to turn one off.
---
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index ff8043711..8b45578fa 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -707,6 +707,23 @@ morechecks(struct config_file* cfg)
 cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 check_chroot_filelist_wild("trusted-keys-file",
 cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
+ if(cfg->disable_edns_do && strstr(cfg->module_conf, "validator")
+ && (cfg->trust_anchor_file_list
+ || cfg->trust_anchor_list
+ || cfg->auto_trust_anchor_file_list
+ || cfg->trusted_keys_file_list)) {
+ char* key = NULL;
+ if(cfg->auto_trust_anchor_file_list)
+ key = cfg->auto_trust_anchor_file_list->str;
+ if(!key && cfg->trust_anchor_file_list)
+ key = cfg->trust_anchor_file_list->str;
+ if(!key && cfg->trust_anchor_list)
+ key = cfg->trust_anchor_list->str;
+ if(!key && cfg->trusted_keys_file_list)
+ key = cfg->trusted_keys_file_list->str;
+ if(!key) key = "";
+ fatal_exit("disable-edns-do does not allow DNSSEC to work, but the validator module uses a trust anchor %s, turn off disable-edns-do or disable validation", key);
+ }
 #ifdef USE_IPSECMOD
 if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 /* only check hook if enabled */
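Review bot: The new block in morechecks() ends in `fatal_exit(...)`, while the commit subject says unbound-checkconf "warns"; going by the function name, the check aborts instead of warning, so a configuration that passed before this commit would now be rejected. Rejecting looks like the right choice for a combination the message itself says stops DNSSEC from working, but the block has no comment explaining it. I would add one above the `if`, for example `/* disable-edns-do drops the DO bit on upstream queries, so a validator with configured trust anchors cannot validate; refuse the config */`. Separately, `key` is assigned the string literal `""`, so `const char* key = NULL;` is the safer declaration. morechecks() starts and ends outside the hunk.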