Skip to content

Commit 7f6aecc

Browse files
rpigottbluca
rpigott
authored and
bluca
committed
resolved: permit dnssec rrtype questions when we aren't validating
This check introduced in 91adc4d is intended to spare us from encountering broken resolver behavior we don't want to deal with. However if we aren't validating we more than likely don't know the state of the upstream resolver's support for dnssec. Let's let clients try these queries if they want. This brings the behavior of sd-resolved in-line with previouly stated change in the meaning of DNSSEC=no, which now means "don't validate" rather than "don't validate, because the upstream resolver is declared to be dnssec-unaware". Fixes: 9c47b33 ("resolved: enable DNS proxy mode if client wants DNSSEC") (cherry picked from commit 364c948) (cherry picked from commit ba031f1) (cherry picked from commit 5299397) (cherry picked from commit a3a035e) (cherry picked from commit 9806095)
1 parent 9007665 commit 7f6aecc

File tree

1 file changed

+0
-3
lines changed

1 file changed

+0
-3
lines changed

src/resolve/resolved-dns-server.c

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -704,9 +704,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
704704
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
705705
return true;
706706

707-
if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
708-
return false;
709-
710707
if (server->packet_bad_opt)
711708
return false;
712709

0 commit comments

Comments
 (0)