From: Evan Hunt <each@isc.org>
Date: Wed, 29 Oct 2025 01:34:55 +0000 (-0700)
Subject: simplify "dnssec-validation" configuration
X-Git-Tag: v9.21.15~24^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fffae65e27e906c452294cd7b96a8fc2db550acd;p=thirdparty%2Fbind9.git

simplify "dnssec-validation" configuration

In the past, "dnssec-validation" was not looked up in the global
defaults unless "dnssec-enable" was true. "dnssec-enable" has been
obsolete for several years, but dnssec-validation was still being
configured in two steps.  This commit removes the vestigial bits of
the old logic.
---

diff --git a/bin/named/server.c b/bin/named/server.c
index c3dca714b21..1f1fdc88767 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4231,27 +4231,17 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 	view->acceptexpired = cfg_obj_asboolean(obj);
 
 	obj = NULL;
-	/* 'optionmaps', not 'maps': don't check named_g_defaultoptions yet */
-	(void)named_config_get(optionmaps, "dnssec-validation", &obj);
-	if (obj == NULL) {
+	result = named_config_get(maps, "dnssec-validation", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	if (cfg_obj_isboolean(obj)) {
+		view->enablevalidation = cfg_obj_asboolean(obj);
+	} else {
 		/*
-		 * Default to VALIDATION_DEFAULT as set in config.c.
+		 * If dnssec-validation is set but not boolean,
+		 * then it must be "auto"
 		 */
-		(void)cfg_map_get(named_g_defaultoptions, "dnssec-validation",
-				  &obj);
-		INSIST(obj != NULL);
-	}
-	if (obj != NULL) {
-		if (cfg_obj_isboolean(obj)) {
-			view->enablevalidation = cfg_obj_asboolean(obj);
-		} else {
-			/*
-			 * If dnssec-validation is set but not boolean,
-			 * then it must be "auto"
-			 */
-			view->enablevalidation = true;
-			auto_root = true;
-		}
+		view->enablevalidation = true;
+		auto_root = true;
 	}
 
 	obj = NULL;