git.ipfire.org Git - thirdparty/systemd.git/commitdiff
resolved: permit dnssec rrtype questions when we aren't validating
author Ronan Pigott <ronan@rjp.ie>
Fri, 8 Mar 2024 20:40:08 +0000 (13:40 -0700)
committer Yu Watanabe <watanabe.yu+github@gmail.com>
Wed, 12 Jun 2024 09:50:45 +0000 (18:50 +0900)
This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.

This brings the behavior of sd-resolved in line with previously stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".

Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
src/resolve/resolved-dns-server.c

index 340f11f4f494c4566860b1b8a83b531b04650686..b37f541c7f9957ab2ef25ed7b436ade7c2dd945e 100644 (file)
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
         if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
                 return true;
 
-        if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
-                return false;
-
         if (server->packet_bad_opt)
                 return false;
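
Review bot: The DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level) test is dropped for every mode that gets past the DNSSEC_YES early return at the top of this hunk, but the commit message justifies the removal only for the case where we aren't validating. If the intent is limited to that case, consider gating the old check on the mode returned by dns_server_get_dnssec_mode(server) instead of deleting it outright; if the wider effect is intended, say so in the commit message. The surviving server->packet_bad_opt check still returns false with no comment, so a short comment in the style of the one on the DNSSEC_YES line, explaining why the feature level is no longer consulted here while packet_bad_opt still is, would help the next reader of dns_server_dnssec_supported().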