- disable-edns-do, doc and add option disable-edns-do: no.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 13 Sep 2023 11:11:53 +0000 (13:11 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Wed, 13 Sep 2023 11:11:53 +0000 (13:11 +0200)
doc/example.conf.in
doc/unbound.conf.5.in
util/config_file.c
util/config_file.h
util/configlexer.lex
util/configparser.y

index 0980212e123dd32649b49c001e25bb9ef435b05c..44a19fc720a4c63f7f6c00b34383edc1ff0f8090 100644 (file)
@@ -683,6 +683,11 @@ server:
        # that set CD but cannot validate themselves.
        # ignore-cd-flag: no
 
+       # Disable the DO flag in outgoing requests. It is helpful for upstream
+       # devices that cannot handle DNSSEC information. But do not enable it
+       # otherwise, because it would stop DNSSEC validation.
+       # disable-edns-do: no
+
        # Serve expired responses from cache, with serve-expired-reply-ttl in
        # the response, and then attempt to fetch the data afresh.
        # serve-expired: no
index 84b903f49ddb479c9e4996a84a5c37c7784b7070..bbc6ddae57f29d63902ffce508210ddae6e3b7b0 100644 (file)
@@ -1302,6 +1302,13 @@ servers that set the CD flag but cannot validate DNSSEC themselves are
 the clients, and then Unbound provides them with DNSSEC protection.
 The default value is "no".
 .TP
+.B disable\-edns\-do: \fI<yes or no>
+Disable the EDNS DO flag in upstream requests. This can be helpful for
+devices that cannot handle DNSSEC information. But it should not be enabled
+otherwise, because that would stop DNSSEC validation. The DNSSEC validation
+would not work for Unbound itself, and also not for downstream users.
+Default is no.
+.TP
 .B serve\-expired: \fI<yes or no>
 If enabled, Unbound attempts to serve old responses from cache with a
 TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
index 45409634232634626c08365deafc2d9e63fdaaaa..8f7de905e69064b82c6732f4dbced6a1543def92 100644 (file)
@@ -271,6 +271,7 @@ config_create(void)
        cfg->val_permissive_mode = 0;
        cfg->aggressive_nsec = 1;
        cfg->ignore_cd = 0;
+       cfg->disable_edns_do = 0;
        cfg->serve_expired = 0;
        cfg->serve_expired_ttl = 0;
        cfg->serve_expired_ttl_reset = 0;
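Review bot: Nothing in this commit reads cfg->disable_edns_do after it is defaulted here, set in config_set_option (the S_YNO line in the next hunk) or assigned in the new server_disable_edns_do parser rule, so as far as the diff shows the option is parsed and documented but does not yet change the DO bit on outgoing requests; if the consumer arrives in a separate commit, saying so in the commit message would avoid readers taking the man-page text as already effective. The man page added in this commit states that enabling the option stops DNSSEC validation for Unbound and for downstream users, which makes a silent no-op or a silent misconfiguration equally hard to notice from the log. A startup check that logs a warning when disable_edns_do is set while a validator is configured would surface that, for example `if(cfg->disable_edns_do) log_warn("disable-edns-do is yes: DNSSEC validation will not work");` in the config sanity checks, guarded by whatever test the file already uses for validator presence. The rest of config_create is outside the hunk.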
@@ -690,6 +691,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
        else S_YNO("val-permissive-mode:", val_permissive_mode)
        else S_YNO("aggressive-nsec:", aggressive_nsec)
        else S_YNO("ignore-cd-flag:", ignore_cd)
+       else S_YNO("disable-edns-do:", disable_edns_do)
        else if(strcmp(opt, "serve-expired:") == 0)
        { IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0);
          SERVE_EXPIRED = cfg->serve_expired; }
@@ -1149,6 +1151,7 @@ config_get_option(struct config_file* cfg, const char* opt,
        else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
        else O_YNO(opt, "aggressive-nsec", aggressive_nsec)
        else O_YNO(opt, "ignore-cd-flag", ignore_cd)
+       else O_YNO(opt, "disable-edns-do", disable_edns_do)
        else O_YNO(opt, "serve-expired", serve_expired)
        else O_DEC(opt, "serve-expired-ttl", serve_expired_ttl)
        else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset)
index 452f3c6a78fb9361645b1c47516204579ec7ba29..d71d7ace56e26d3c69989e219f248b6810ab2d9e 100644 (file)
@@ -409,6 +409,8 @@ struct config_file {
        int aggressive_nsec;
        /** ignore the CD flag in incoming queries and refuse them bogus data */
        int ignore_cd;
+       /** disable EDNS DO flag in outgoing requests */
+       int disable_edns_do;
        /** serve expired entries and prefetch them */
        int serve_expired;
        /** serve expired entries until TTL after expiration */
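Review bot: The new field comment on disable_edns_do describes the mechanism but not its consequence, while the unbound.conf.5 text in this same commit says that enabling the option stops DNSSEC validation for Unbound itself and for downstream users. The header is where the next maintainer will look before touching the outgoing-query path, so carrying the caveat there avoids the field being treated as a harmless tuning knob: `/** disable EDNS DO flag in outgoing requests; when set, DNSSEC validation no longer works (see unbound.conf.5) */`. The struct config_file definition starts and ends outside the hunk.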
index 3fcdfa62e03351bb3706a38b57d47e03a4c74da1..2b3141a4229e7c4710693c7ecff2b0b6b60f3f0b 100644 (file)
@@ -403,6 +403,7 @@ val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
 val-permissive-mode{COLON}     { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
 aggressive-nsec{COLON}         { YDVAR(1, VAR_AGGRESSIVE_NSEC) }
 ignore-cd-flag{COLON}          { YDVAR(1, VAR_IGNORE_CD_FLAG) }
+disable-edns-do{COLON}         { YDVAR(1, VAR_DISABLE_EDNS_DO) }
 serve-expired{COLON}           { YDVAR(1, VAR_SERVE_EXPIRED) }
 serve-expired-ttl{COLON}       { YDVAR(1, VAR_SERVE_EXPIRED_TTL) }
 serve-expired-ttl-reset{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
index d8f25a67ebbfded22d1a5f307a859f041ea29332..cbea62b58ecdc28e81cb1e0f6ef903c452910e31 100644 (file)
@@ -198,7 +198,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
 %token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
 %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
-%token VAR_HARDEN_UNKNOWN_ADDITIONAL
+%token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -332,7 +332,7 @@ content_server: server_num_threads | server_verbosity | server_port |
        server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
        server_interface_automatic_ports | server_ede |
        server_proxy_protocol_port | server_statistics_inhibit_zero |
-       server_harden_unknown_additional
+       server_harden_unknown_additional | server_disable_edns_do
        ;
 stubstart: VAR_STUB_ZONE
        {
@@ -2060,6 +2060,15 @@ server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
                free($2);
        }
        ;
+server_disable_edns_do: VAR_DISABLE_EDNS_DO STRING_ARG
+       {
+               OUTYY(("P(server_disable_edns_do:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->disable_edns_do = (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
 server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG
        {
                OUTYY(("P(server_serve_expired:%s)\n", $2));