dns/dnsmasq: do not use --dnssec-proxy by default

dnsmasq since 2.80 properly forwards all incoming queries with DO bit set. That ensures even if the dnsmasq does not do validation, it will always serve all DNSSEC records if the upstream server provides them. Regardless local validation is enabled or disabled, it will always offer all data required for validation to its clients. But does not set AD bit on local responses unless it did the actual validation itself. In case users trust their connection to validating DNS server, they would have to declare it by adding dnssec-proxy option to dnsmasq conf.d directory. Because there is no negated no-dnssec-proxy, it cannot be turned off. I think there is no good reason to be on for all cases and it would be possible to enable it if still wanted. Move the decision to the user. That makes it conform with RFC 4035, paragraph 3.2.3. Signed-off-by: Petr Menšík <pemensik@redhat.com> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1639
2026-01-09 04:10:18 +01:00 · 2023-05-25 19:53:53 +02:00 · 2023-05-25 19:53:53 +02:00 · 6335e9de6a
commit 6335e9de6a
parent c7ee3a2445
1 changed files with 0 additions and 1 deletions
--- a/src/core/dns/nm-dns-dnsmasq.c
+++ b/src/core/dns/nm-dns-dnsmasq.c
@ -527,7 +527,6 @@ _gl_pid_spawn_next_step(void)
    argv[argv_idx++] = "--cache-size=400";
    argv[argv_idx++] = "--clear-on-reload";     /* clear cache when dns server changes */
    argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
-    argv[argv_idx++] = "--proxy-dnssec";        /* Allow DNSSEC to pass through */
    argv[argv_idx++] = "--enable-dbus=" DNSMASQ_DBUS_SERVICE;

    /* dnsmasq exits if the conf dir is not present */