From 90e61f7284a3ad331e4b990a0c34c6e8b8813a04 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 24 Feb 2021 12:00:20 +0100
Subject: [PATCH] rec: Change dnssec default to `process`

---
 pdns/pdns_recursor.cc | 2 +-
 pdns/recursordist/docs/dnssec.rst | 4 +++-
 pdns/recursordist/docs/settings.rst | 5 ++++-
 pdns/recursordist/docs/upgrade.rst | 1 +
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 49529c9244..b9e79acb5b 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -5320,7 +5320,7 @@ int main(int argc, char **argv)
 ::arg().set("local-address","IP addresses to listen on, separated by spaces or commas. Also accepts ports.")="127.0.0.1";
 ::arg().setSwitch("non-local-bind", "Enable binding to non-local addresses by using FREEBIND / BINDANY socket options")="no";
 ::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
- ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
+ ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate")="process";
 ::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
 ::arg().set("signature-inception-skew", "Allow the signature inception to be off by this number of seconds")="60";
 ::arg().set("daemon","Operate as a daemon")="no";
diff --git a/pdns/recursordist/docs/dnssec.rst b/pdns/recursordist/docs/dnssec.rst
index 4c937e37be..69253a021d 100644
--- a/pdns/recursordist/docs/dnssec.rst
+++ b/pdns/recursordist/docs/dnssec.rst
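Review bot: With `process` as the new default, a query carrying DO or AD is answered SERVFAIL when validation comes up bogus (per the dnssec.rst text in this same patch), yet `dnssec-log-bogus` on the line directly below the changed one still defaults to `no`, so those newly introduced failures leave no log trace unless an operator opts in. The help string could point readers at that knob, e.g. `"DNSSEC mode: off/process-no-validate/process (default)/log-fail/validate (see dnssec-log-bogus to log bogus results)"`, and the upgrade.rst entry could recommend `dnssec-log-bogus=yes` for deployments moving off `process-no-validate`; the `log-fail` mode listed in the same string looks like the intended staging step, though its exact behaviour is not shown here. The rest of main() lies outside the hunk.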
@@ -14,13 +14,15 @@ The PowerDNS Recursor will not set the DNSSEC OK (DO) bit in the outgoing querie
 ``process-no-validate``
 ^^^^^^^^^^^^^^^^^^^^^^^
-The default mode.
+The default mode until PowerDNS Recursor 4.5.0.
 In this mode the Recursor acts as a "security aware, non-validating" nameserver, meaning it will set the DO-bit on outgoing queries and will provide DNSSEC related RRsets (NSEC, RRSIG) to clients that ask for them (by means of a DO-bit in the query), except for zones provided through the ``auth-zones`` setting. It will not do any validation in this mode, not even when requested by the client.
 ``process``
 ^^^^^^^^^^^
+The default mode since PowerDNS Recursor 4.5.0.
+
 When :ref:`setting-dnssec` is set to ``process`` the behaviour is similar to `process-no-validate`_. However, the recursor will try to validate the data if at least one of the DO or AD bits is set in the query; in that case, it will set the AD-bit in the response when the data is validated successfully, or send SERVFAIL when the validation comes up bogus.
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 94bbfaa3c7..4a76db041b 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -415,8 +415,11 @@ See :doc:`dns64` for more flexible but slower alternatives using Lua.
 ----------
 .. versionadded:: 4.0.0
+.. versionchanged:: 4.5.0
+ The default changed from ``process-no-validate`` to ``process``
+
 - One of ``off``, ``process-no-validate``, ``process``, ``log-fail``, ``validate``, String
-- Default: ``process-no-validate``
+- Default: ``process``
 Set the mode for DNSSEC processing, as detailed in :doc:`dnssec`.
diff --git a/pdns/recursordist/docs/upgrade.rst b/pdns/recursordist/docs/upgrade.rst
index 2060d5f1ca..d136de152e 100644
--- a/pdns/recursordist/docs/upgrade.rst
+++ b/pdns/recursordist/docs/upgrade.rst
@@ -36,6 +36,7 @@ Deprecated and changed settings
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 - The :ref:`setting-minimum-ttl-override` and :ref:`setting-ecs-minimum-ttl-override` defaults have ben changed from 0 to 1.
 - The :ref:`setting-spoof-nearmiss-max` default has been changed from 20 to 1.
+- The :ref:`setting-dnssec` default has changed from ``process-no-validate`` to ``process``.
 Removed settings
 ^^^^^^^^^^^^^^^^
--
2.47.3