resolved: enable DNS proxy mode if client wants DNSSEC

So far we disabled DNSSEC if local clients asked for it via DO flag if
DNSSEC=no is set. Let's instead switch to proxy mode in this case, and
thus treat client requested DO mode as a way to force proxy mode.

This means DNSSEC=no just controls whether resolved will do validation
for regular lookups, but it has no effect anymore on lookups from clients
that indicated they want to do their own DNSSEC anyway.

Fixes: #19227 #23737 #25105
Lennart Poettering 2024-03-04 18:49:49 +01:00
parent 718324c5e0
commit 9c47b33444


@ -958,8 +958,8 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea
log_debug("Got request to DNS proxy address 127.0.0.54, enabling bypass logic.");
bypass = true;
protocol_flags = SD_RESOLVED_DNS|SD_RESOLVED_NO_ZONE; /* Turn off mDNS/LLMNR for proxy stub. */
} else if ((DNS_PACKET_DO(p) && DNS_PACKET_CD(p))) {
log_debug("Got request with DNSSEC checking disabled, enabling bypass logic.");
} else if (DNS_PACKET_DO(p)) {
log_debug("Got request with DNSSEC enabled, enabling bypass logic.");
bypass = true;
}
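
Review bot: the widened `else if (DNS_PACKET_DO(p))` branch sets only `bypass = true`, while the 127.0.0.54 branch above it also narrows `protocol_flags` to `SD_RESOLVED_DNS|SD_RESOLVED_NO_ZONE`. Every DO query that reaches this branch now takes the bypass path, not just DO+CD, so please confirm that leaving `protocol_flags` untouched here is intended and say so in a comment. The condition also shows no dependency on the configured DNSSEC= mode, whereas the commit message only discusses DNSSEC=no. A short code comment and a documentation note stating that a client-set DO bit always forces proxy mode, whatever DNSSEC= is set to, would make it clear that such clients are expected to validate the answers themselves.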