From 5757371d43891e830abe19aacae5378a79c7851c Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Mon, 11 Jan 2016 22:50:00 +0000
Subject: [PATCH] Inhibit DNSSEC validation when forwarding to private servers for a domain. server=/example.com/ The rationale is that the chain-of-trust will not be complete to private servers. If it was, it would not be necessary to access the server direct.
---
 src/forward.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index 47c6ded..1458578 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -406,7 +406,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 }
 #ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID))
+ if (option_bool(OPT_DNSSEC_VALID) && !(type & SERV_HAS_DOMAIN))
 {
 size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
@@ -858,7 +858,8 @@ void reply_query(int fd, int family, time_t now)
 no_cache_dnssec = 1;
 #ifdef HAVE_DNSSEC
- if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
+ if (server && !(server->flags & SERV_HAS_DOMAIN) &&
+ option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
 {
 int status = 0;
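Review bot: The new condition in forward_query keys on `SERV_HAS_DOMAIN`, which (as far as the hunk shows) is set for any `server=/domain/...` entry, so the exemption is wider than the "private servers" the commit message describes: a public resolver configured per-domain also stops receiving the DO bit and its answers for that domain are never validated. That is a silent downgrade from the operator's point of view, so the assumption deserves a comment at the check, e.g. `/* Domain-scoped servers are assumed to be private, with no chain of trust to the root: skip DO bit and validation. */`, and the same caveat should reach the user-facing documentation for `server=/domain/`. The same condition is repeated in reply_query in the second hunk; the comment need only appear once at the sending side with a cross-reference there. forward_query's body starts and ends outside this hunk, so where `type` is derived is not visible here.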
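Review bot: The receive-side exemption in reply_query is decided from `server->flags`, while the send-side one in forward_query was decided from `type`; if those two can ever disagree for one query (for instance a retry that lands on a differently-flagged server — inferred, not visible here), a reply that was requested with the DO bit could be accepted unvalidated, or a reply requested without it could be handed to the validator. If the two values are guaranteed to match, a one-line comment saying so would stop the next reader from asking, e.g. `/* Must mirror the SERV_HAS_DOMAIN test in forward_query(): queries to domain-scoped servers were sent without the DO bit. */`. The continuation line is indented under `server` rather than under the opening parenthesis, which differs from the surrounding GNU-style layout. reply_query's body continues outside the hunk.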