From 6335e9de6aee7fb3c283a193d8e1828268a2ff5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 25 May 2023 19:53:53 +0200 Subject: [PATCH] dns/dnsmasq: do not use --dnssec-proxy by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit dnsmasq since 2.80 properly forwards all incoming queries with DO bit set. That ensures even if the dnsmasq does not do validation, it will always serve all DNSSEC records if the upstream server provides them. Regardless local validation is enabled or disabled, it will always offer all data required for validation to its clients. But does not set AD bit on local responses unless it did the actual validation itself. In case users trust their connection to validating DNS server, they would have to declare it by adding dnssec-proxy option to dnsmasq conf.d directory. Because there is no negated no-dnssec-proxy, it cannot be turned off. I think there is no good reason to be on for all cases and it would be possible to enable it if still wanted. Move the decision to the user. That makes it conform with RFC 4035, paragraph 3.2.3. Signed-off-by: Petr Menšík https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1639 --- src/core/dns/nm-dns-dnsmasq.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/core/dns/nm-dns-dnsmasq.c b/src/core/dns/nm-dns-dnsmasq.c index 05aeff492d..53e40f59c5 100644 --- a/src/core/dns/nm-dns-dnsmasq.c +++ b/src/core/dns/nm-dns-dnsmasq.c @@ -527,7 +527,6 @@ _gl_pid_spawn_next_step(void) argv[argv_idx++] = "--cache-size=400"; argv[argv_idx++] = "--clear-on-reload"; /* clear cache when dns server changes */ argv[argv_idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */ - argv[argv_idx++] = "--proxy-dnssec"; /* Allow DNSSEC to pass through */ argv[argv_idx++] = "--enable-dbus=" DNSMASQ_DBUS_SERVICE; /* dnsmasq exits if the conf dir is not present */
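Review bot: Dropping `--proxy-dnssec` from the spawned argv changes observable behaviour for every client of the NetworkManager-managed dnsmasq instance, and that should be stated where users will find it, not only in the commit message: with the flag gone, answers relayed from a validating upstream arrive at local resolvers with the AD bit cleared, so anything that previously trusted AD from the loopback resolver now sees "unvalidated" until the user adds `proxy-dnssec` to the conf.d directory the message refers to. Please add a NEWS entry and a sentence in the dnsmasq DNS plugin documentation explaining that the setting is now opt-in and what the user must add; also note that the commit message calls the option "dnssec-proxy" and "no-dnssec-proxy" while the removed line (and dnsmasq itself) uses `--proxy-dnssec`, so the text should be corrected to the real name before merge. The removed line's comment, "Allow DNSSEC to pass through", also describes what the message says dnsmasq 2.80+ does unconditionally (forwarding DO-bit queries and returning the DNSSEC records), whereas the flag only controls copying the upstream AD bit, so the rationale as written is consistent with the deletion but a reader of the diff alone could read it as disabling DNSSEC; one line in the message making that distinction explicit would help. Finally, since the argument is correct only for dnsmasq >= 2.80, it is worth confirming that the plugin's minimum supported dnsmasq version (not visible in this hunk) is at least that, otherwise older instances will neither validate nor relay AD.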