Add docs
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 7 Jun 2023 10:27:30 +0000 (12:27 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 7 Jun 2023 10:36:44 +0000 (12:36 +0200)
pdns/recursordist/docs/settings.rst
pdns/recursordist/rec-main.cc
pdns/recursordist/rec_channel_rec.cc

index d9ae370ac3c974ea788c4062a9f44c8835f23902..3ce5681e75ed37d72a10be10898d8bee0c4fa159 100644 (file)
@@ -533,6 +533,23 @@ Set the mode for DNSSEC processing, as detailed in :doc:`dnssec`.
 ``validate``
    Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.
 
+.. _setting-dnssec-disabled-algorithms:
+
+``dnssec-disabled-algorithms``
+------------------------------
+.. versionadded:: 4.9.0
+
+- Comma separated list of DNSSEC algorithm numbers
+- Default: (none)
+
+A list of DNSSEC algorithm numbers that should be considered disabled.
+These algorithms will not be used to validate DNSSEC signatures.
+Zones (only) signed with these algorithms will be considered ``Insecure``.
+
+If this setting is empty (the default), :program:`Recursor` will determine which algorithms to disable automatically.
+This is important on systems that have a default strict crypto policy, like RHEL9 derived systems.
+On such systems not disabling some algorithms (or changing the security policy) will make affected zones to be considered ``Bogus`` as using these algorithms fails.
+
 .. _setting-dnssec-log-bogus:
 
 ``dnssec-log-bogus``
index 086f7053f843db654e78e8e112f5ebbb742022b6..7b8c4ee9ff6cdfe149357eb679871baf24aecbc8 100644 (file)
@@ -1459,11 +1459,12 @@ static int initDNSSEC(Logr::log_t log)
   if (!::arg()["dnssec-disabled-algorithms"].empty()) {
     automatic = false;
     stringtok(nums, ::arg()["dnssec-disabled-algorithms"], ", ");
-    for (const auto& num: nums) {
+    for (const auto& num : nums) {
       DNSCryptoKeyEngine::switchOffAlgorithm(pdns::checked_stoi<unsigned int>(num));
     }
-  } else {
-    for (auto algo : { DNSSECKeeper::RSASHA1, DNSSECKeeper::RSASHA1NSEC3SHA1 }) {
+  }
+  else {
+    for (auto algo : {DNSSECKeeper::RSASHA1, DNSSECKeeper::RSASHA1NSEC3SHA1}) {
       if (!DNSCryptoKeyEngine::verifyOne(algo)) {
         DNSCryptoKeyEngine::switchOffAlgorithm(algo);
         nums.push_back(std::to_string(algo));
index dbcf7b84356f321a210f516b66ed03dd3e55b8d7..11aa5ec8cec109aa80797d444583b9bac99ed0d9 100644 (file)
@@ -2312,7 +2312,7 @@ RecursorControlChannel::Answer RecursorControlParser::getAnswer(int s, const str
     return {0, getRemoteLoggerStats()};
   }
   if (cmd == "list-dnssec-algos") {
-    return {0, DNSCryptoKeyEngine::listSupportedAlgoNames() };
+    return {0, DNSCryptoKeyEngine::listSupportedAlgoNames()};
   }
 
   return {1, "Unknown command '" + cmd + "', try 'help'\n"};