From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001 From: Ronan Pigott Date: Fri, 8 Mar 2024 13:40:08 -0700 Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't validating This check introduced in 91adc4db33f6 is intended to spare us from encountering broken resolver behavior we don't want to deal with. However if we aren't validating we more than likely don't know the state of the upstream resolver's support for dnssec. Let's let clients try these queries if they want. This brings the behavior of sd-resolved in-line with previouly stated change in the meaning of DNSSEC=no, which now means "don't validate" rather than "don't validate, because the upstream resolver is declared to be dnssec-unaware". Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC") (cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a) --- src/resolve/resolved-dns-server.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 340f11f4f4..b37f541c7f 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) { if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */ return true; - if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) - return false; - if (server->packet_bad_opt) return false;