Remove the concept of "DNSSEC incapable servers".

We're going to replace this with configured or extrapolated DS records.
2025-12-19 18:28:25 +00:00 · 2025-02-02 16:21:21 +00:00
parent 9af15871e6
commit 3e659bd4ec
3 changed files with 9 additions and 47 deletions
--- a/src/domain-match.c
+++ b/src/domain-match.c
@@ -94,8 +94,7 @@ void build_server_array(void)
   server=/.example.com/ works.

   A flag of F_SERVER returns an upstream server only.
-   A flag of F_DNSSECOK returns a DNSSEC capable server only and
-   also disables NODOTS servers from consideration.
+   A flag of F_DNSSECOK disables NODOTS servers from consideration.
   A flag of F_DOMAINSRV returns a domain-specific server only.
   A flag of F_CONFIG returns anything that generates a local
   reply of IPv4 or IPV6.
@@ -338,12 +337,8 @@ int filter_servers(int seed, int flags, int *lowout, int *highout)
 		      
 		      if (i != nlow)
 			{
-			  /* If we want a server that can do DNSSEC, and this one can't, 
-			     return nothing, similarly if were looking only for a server
-			     for a particular domain. */
-			  if ((flags & F_DNSSECOK) && !(daemon->serverarray[nlow]->flags & SERV_DO_DNSSEC))
-			    nlow = nhigh;
-			  else if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
+			  /* If we want a server for a particular domain, and this one isn't, return nothing. */
+			  if ((flags & F_DOMAINSRV) && daemon->serverarray[nlow]->domain_len == 0)
 			    nlow = nhigh;
 			  else
 			    nhigh = i;
--- a/src/forward.c
+++ b/src/forward.c
@@ -375,7 +375,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
      forward->flags = fwd_flags;

 #ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
+      if (option_bool(OPT_DNSSEC_VALID))
 	{
 	  plen = add_do_bit(header, plen, ((unsigned char *) header) + daemon->edns_pktsz);
 	  
@@ -954,8 +954,7 @@ static void dnssec_validate(struct frec *forward, struct dns_header *header,
 	    status = dnssec_validate_ds(now, header, plen, daemon->namebuff, daemon->keyname, forward->class, &orig->validate_counter);
 	  else
 	    status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, 
-					   !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
-					   NULL, NULL, NULL, &orig->validate_counter);
+					   !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, &orig->validate_counter);
 	  
 	  if (STAT_ISEQUAL(status, STAT_ABANDONED))
 	    log_resource = 1;
@@ -1278,7 +1277,7 @@ void reply_query(int fd, time_t now)
 #ifdef HAVE_DNSSEC
  if (option_bool(OPT_DNSSEC_VALID))
    {
-      if ((forward->sentto->flags & SERV_DO_DNSSEC) && !(forward->flags & FREC_CHECKING_DISABLED))
+      if (!(forward->flags & FREC_CHECKING_DISABLED))
 	{
 	  dnssec_validate(forward, header, n, STAT_OK, now);
 	  return;
@@ -2271,8 +2270,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
 	new_status = dnssec_validate_ds(now, header, n, name, keyname, class, validatecount);
      else
 	new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
-					   !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
-					   NULL, NULL, NULL, validatecount);
+					   !option_bool(OPT_DNSSEC_IGN_NS), NULL, NULL, NULL, validatecount);
      
      if (!STAT_ISEQUAL(new_status, STAT_NEED_DS) && !STAT_ISEQUAL(new_status, STAT_NEED_KEY) && !STAT_ISEQUAL(new_status, STAT_ABANDONED))
 	break;
@@ -2598,7 +2596,7 @@ unsigned char *tcp_request(int confd, time_t now,
 		    start = master->last_server;
 		  
 #ifdef HAVE_DNSSEC
-		  if (option_bool(OPT_DNSSEC_VALID) && (master->flags & SERV_DO_DNSSEC))
+		  if (option_bool(OPT_DNSSEC_VALID))
 		    {
 		      size = add_do_bit(header, size, ((unsigned char *) header) + 65536);
 		      
@@ -2627,7 +2625,7 @@ unsigned char *tcp_request(int confd, time_t now,
 			  
 			  if (checking_disabled || (header->hb4 & HB4_CD))
 			    no_cache_dnssec = 1;
-			  else if (master->flags & SERV_DO_DNSSEC)
+			  else
 			    {
 			      int keycount = daemon->limit[LIMIT_WORK]; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
 			      int validatecount = daemon->limit[LIMIT_CRYPTO]; 
--- a/src/network.c
+++ b/src/network.c
@@ -1587,33 +1587,6 @@ void check_servers(int no_loop_check)

  for (count = 0, serv = daemon->servers; serv; serv = serv->next)
    {
-#ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID))
-	{ 
-	  if (!(serv->flags & SERV_FOR_NODOTS))
-	    serv->flags |= SERV_DO_DNSSEC;
-	  
-	  /* Disable DNSSEC validation when using server=/domain/.... servers
-	     unless there's a configured trust anchor. */
-	  if (strlen(serv->domain) != 0)
-	    {
-	      struct ds_config *ds;
-	      char *domain = serv->domain;
-	      
-	      /* .example.com is valid */
-	      while (*domain == '.')
-		domain++;
-	      
-	      for (ds = daemon->ds; ds; ds = ds->next)
-		if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
-		  break;
-	      
-	      if (!ds)
-		serv->flags &= ~SERV_DO_DNSSEC;
-	    }
-	}
-#endif
-      
      port = prettyprint_addr(&serv->addr, daemon->namebuff);
      
      /* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
@@ -1659,10 +1632,6 @@ void check_servers(int no_loop_check)
 	{
 	  char *s1, *s2, *s3 = "", *s4 = "";

-#ifdef HAVE_DNSSEC
-	  if (option_bool(OPT_DNSSEC_VALID) && !(serv->flags & SERV_DO_DNSSEC))
-	    s3 = _("(no DNSSEC)");
-#endif
 	  if (serv->flags & SERV_FOR_NODOTS)
 	    s1 = _("unqualified"), s2 = _("names");
 	  else if (strlen(serv->domain) == 0)