From: Otto Moerbeek
Date: Wed, 7 Jun 2023 10:27:30 +0000 (+0200)
Subject: Add docs
X-Git-Tag: rec-4.10.0-alpha0~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1baa6cb681174ed3c9050738ccdb81ef0272dea5;p=thirdparty%2Fpdns.git
Add docs
---
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index d9ae370ac3..3ce5681e75 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -533,6 +533,23 @@ Set the mode for DNSSEC processing, as detailed in :doc:`dnssec`.
 ``validate``
 Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.
 
+.. _setting-dnssec-disabled-algorithms:
+
+``dnssec-disabled-algorithms``
+------------------------------
+.. versionadded:: 4.9.0
+
+- Comma separated list of DNSSEC algorithm numbers
+- Default: (none)
+
+A list of DNSSEC algorithm numbers that should be considered disabled.
+These algorithms will not be used to validate DNSSEC signatures.
+Zones (only) signed with these algorithms will be considered ``Insecure``.
+
+If this setting is empty (the default), :program:`Recursor` will determine which algorithms to disable automatically.
+This is important on systems that have a default strict crypto policy, like RHEL9 derived systems.
+On such systems not disabling some algorithms (or changing the security policy) will make affected zones to be considered ``Bogus`` as using these algorithms fails.
+
 .. _setting-dnssec-log-bogus:
 ``dnssec-log-bogus``
diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc
index 086f7053f8..7b8c4ee9ff 100644
--- a/pdns/recursordist/rec-main.cc
+++ b/pdns/recursordist/rec-main.cc
@@ -1459,11 +1459,12 @@ static int initDNSSEC(Logr::log_t log)
 if (!::arg()["dnssec-disabled-algorithms"].empty()) {
 automatic = false;
 stringtok(nums, ::arg()["dnssec-disabled-algorithms"], ", ");
- for (const auto& num: nums) {
+ for (const auto& num : nums) {
 DNSCryptoKeyEngine::switchOffAlgorithm(pdns::checked_stoi(num));
 }
- } else {
- for (auto algo : { DNSSECKeeper::RSASHA1, DNSSECKeeper::RSASHA1NSEC3SHA1 }) {
+ }
+ else {
+ for (auto algo : {DNSSECKeeper::RSASHA1, DNSSECKeeper::RSASHA1NSEC3SHA1}) {
 if (!DNSCryptoKeyEngine::verifyOne(algo)) {
 DNSCryptoKeyEngine::switchOffAlgorithm(algo);
 nums.push_back(std::to_string(algo));
diff --git a/pdns/recursordist/rec_channel_rec.cc b/pdns/recursordist/rec_channel_rec.cc
index dbcf7b8435..11aa5ec8ce 100644
--- a/pdns/recursordist/rec_channel_rec.cc
+++ b/pdns/recursordist/rec_channel_rec.cc
@@ -2312,7 +2312,7 @@ RecursorControlChannel::Answer RecursorControlParser::getAnswer(int s, const str
 return {0, getRemoteLoggerStats()};
 }
 if (cmd == "list-dnssec-algos") {
- return {0, DNSCryptoKeyEngine::listSupportedAlgoNames() };
+ return {0, DNSCryptoKeyEngine::listSupportedAlgoNames()};
 }
 return {1, "Unknown command '" + cmd + "', try 'help'\n"};