From 7d23a66ff0caaf50fa50659b8677472b940f01c7 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Sun, 26 Jan 2014 09:33:21 +0000
Subject: [PATCH] Remove --dnssec-permissive, pointless if we don't set CD upstream.
---
 src/dnssec.c | 4 ++--
 src/forward.c | 15 +--------------
 src/option.c | 5 +----
 3 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/src/dnssec.c b/src/dnssec.c
index e62b424..f021d2d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1382,7 +1382,7 @@ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name
 for (q = ntohs(header->qdcount); q != 0; q--)
 {
 if (!extract_name(header, plen, &p, name, 1, 4))
- return digest; /* bad packet */
+ break; /* bad packet */
 len = to_wire(name);
 hash->update(ctx, len, (unsigned char *)name);
@@ -1391,7 +1391,7 @@ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name
 p += 4;
 if (!CHECK_LEN(header, p, plen, 0))
- return digest; /* bad packet */
+ break; /* bad packet */
 }
 hash->digest(ctx, hash->digest_size, digest);
diff --git a/src/forward.c b/src/forward.c
index 59d03f1..bec5f95 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -608,20 +608,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 #ifdef HAVE_DNSSEC
 if (no_cache && !(header->hb4 & HB4_CD))
 {
- if (option_bool(OPT_DNSSEC_PERMISS))
- {
- unsigned short type;
- char types[20];
-
- if (extract_request(header, (size_t)n, daemon->namebuff, &type))
- {
- querystr("", types, type);
- my_syslog(LOG_WARNING, _("DNSSEC validation failed: query %s%s"), daemon->namebuff, types);
- }
- else
- my_syslog(LOG_WARNING, _("DNSSEC validation failed for unknown query"));
- }
- else
+ if (!option_bool(OPT_DNSSEC_DEBUG))
 {
 /* Bogus reply, turn into SERVFAIL */
 SET_RCODE(header, SERVFAIL);
diff --git a/src/option.c b/src/option.c
index 22edeca..7d11968 100644
--- a/src/option.c
+++ b/src/option.c
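Review bot: In src/dnssec.c, both bad-packet exits of hash_questions (the `extract_name` failure in the @@ -1382 hunk and the `CHECK_LEN` failure in the @@ -1391 hunk) now fall through to `hash->digest(...)`, so a malformed question section produces a finalized digest over only the questions hashed before the error. That digest can equal the one for a shorter, well-formed question section, and the return value gives the caller no way to tell the two apart; whether any call site relies on the hash alone to reject malformed packets cannot be seen from this diff and should be checked. At minimum the loop deserves a comment such as `/* bad packet: stop here, the digest covers only the questions parsed so far */`. The change is unrelated to the commit subject and is not mentioned in the message; the function's declarations and its return are outside the hunks.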
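Review bot: In src/forward.c process_reply, a reply that fails validation is now passed to the client unchanged whenever `OPT_DNSSEC_DEBUG` is set, and unlike the removed permissive branch nothing is logged on that path. Keeping a warning there, for example `else my_syslog(LOG_WARNING, _("DNSSEC validation failed, reply passed on (dnssec-debug)"));` after the SERVFAIL block, would leave operators a record of the bogus answers that were let through. The block opened by the new `if` closes outside the hunk, so the exact placement has to be checked against the full function. The help text kept in src/option.c, "Disable upstream checking for DNSSEC debugging.", no longer covers what the option does and should say that failed validation is not turned into SERVFAIL.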
@@ -140,8 +140,7 @@ struct myoption {
 #define LOPT_QUIET_RA 328
 #define LOPT_SEC_VALID 329
 #define LOPT_DNSKEY 330
-#define LOPT_DNSSEC_PERM 331
-#define LOPT_DNSSEC_DEBUG 332
+#define LOPT_DNSSEC_DEBUG 331
 #ifdef HAVE_GETOPT_LONG
 static const struct option opts[] =
@@ -279,7 +278,6 @@ static const struct myoption opts[] =
 { "synth-domain", 1, 0, LOPT_SYNTH },
 { "dnssec", 0, 0, LOPT_SEC_VALID },
 { "dnskey", 1, 0, LOPT_DNSKEY },
- { "dnssec-permissive", 0, 0, LOPT_DNSSEC_PERM },
 { "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
 #ifdef OPTION6_PREFIX_CLASS
 { "dhcp-prefix-class", 1, 0, LOPT_PREF_CLSS },
@@ -433,7 +431,6 @@ static struct {
 { LOPT_SYNTH, ARG_DUP, ",,[]", gettext_noop("Specify a domain and address range for synthesised names"), NULL },
 { LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL },
 { LOPT_DNSKEY, ARG_DUP, ",,", gettext_noop("Specify trust anchor DNSKEY"), NULL },
- { LOPT_DNSSEC_PERM, OPT_DNSSEC_PERMISS, NULL, gettext_noop("Do NOT return SERVFAIL whne DNSSEC validation fails."), NULL },
 { LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
 #ifdef OPTION6_PREFIX_CLASS
 { LOPT_PREF_CLSS, ARG_DUP, "set:tag,", gettext_noop("Specify DHCPv6 prefix class"), NULL },