Disable EDNS DO #944
…e is sent from the iterator.
disable-edns-do option is enabled and they set the DO flag. And unit test for that.
…DNSSEC validation that is enabled, and suggests to turn one off.
turned on, but there are trust anchors, and then turns off disable-edns-do.
The changes look good to me.
I am not certain about the name of the option since it is very technical, but then again this option should only be considered if you actually know what you are doing and the consequences to the resolver's clients. So maybe it is fine this way; also I can't come up with a better name.
Co-authored-by: Yorgos Thessalonikefs <george@nlnetlabs.nl>
- Merge #944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no
* nlnet/master: (64 commits) Changelog entry for NLnetLabs#951. - Merge NLnetLabs#951: Cachedb no store. The cachedb-no-store: yes option is used to stop cachedb from writing messages to the backend storage. It reads messages when data is available from the backend. The default is no. - Fix to print detailed errors when an SSL IO routine fails via SSL_get_error. - Changelog entry for: Merge NLnetLabs#955 from buevsan: fix ipset wrong behavior. - Update testdata/ipset.tdir test for ipset fix. - Update the dns64_lookup.rpl test for the DNS64 fallback patch. - Changelog entry for DNS64 patches from Daniel Gröber. Fixes for dns64 fallback to plain AAAA when no A records: - Cleanup if condition. - Rename variable for readability. dns64: Fall back to plain AAAA query with synthall but no A records Fixes for dns64 readability refactoring: - Move declarations to the top for C90 compliance. - Save cycles by not calling (yet) unneeded functions. - Possible use of uninitialised value. - Consistent formatting. dns64: Fix misleading indentation dns64: Refactor handle_event checks for readability fix ipset wrong behavior - Fix NLnetLabs#954: Inconsistent RPZ handling for A record returned along with CNAME. - Update pymod tests for the new Python script variable. - For multi Python module setups, clean previously parsed module functions in __main__'s dictionary, if any, so that only current module functions are registered. - Expose the configured listening and outgoing interfaces, if any, as a list of strings in the Python 'config_file' class instead of the current Swig object proxy; fixes NLnetLabs#79. - Expose the script filename in the Python module environment 'mod_env' instead of the config_file structure which includes the linked list of scripts in a multi Python module setup; fixes NLnetLabs#79. - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the same as transmission end. 
Addresses NLnetLabs#947 and NLnetLabs#948. Apply suggestions from code review - cachedb-no-store, example conf and man page documentation. Changelog note for NLnetLabs#944. - Merge NLnetLabs#944: Disable EDNS DO. Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no. The option is disable-edns-do: no ...
Disable the EDNS DO flag in upstream requests. This can be helpful for devices that cannot handle DNSSEC information. But it should not be enabled otherwise, because that would stop DNSSEC validation. The DNSSEC validation would not work for Unbound itself, and also not for downstream users. Default is no.
The option is disable-edns-do: no
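What the option changes on the wire, as an added example (not code from Unbound or from this pull request): the DO flag is the top bit of the flags field in the EDNS OPT record, so a captured upstream query can be checked for it. The query name, message ID and UDP size are constructed sample values, and the function names are hypothetical.

```python
import struct

DO_BIT = 0x8000   # top bit of the 16-bit EDNS flags field (RFC 3225)
TYPE_OPT = 41     # OPT pseudo-RR type (RFC 6891)

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, do_bit, qtype=1, udp_size=1232, qid=0x1234):
    """Build a constructed sample query: one question plus an EDNS OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    flags = DO_BIT if do_bit else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=ext-rcode|version|flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, udp_size, 0, 0, flags, 0)
    return header + question + opt

def skip_name(pkt, off):
    """Return the offset just past the name that starts at off."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:    # a compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:              # root label ends the name
            return off

def edns_do(pkt):
    """Return True/False for the DO bit, or None when there is no OPT record."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _cls, _ext, _ver, flags, rdlen = struct.unpack_from("!HHBBHH", pkt, off)
        if rtype == TYPE_OPT:
            return bool(flags & DO_BIT)
        off += 10 + rdlen                        # fixed RR fields + RDATA
    return None

if __name__ == "__main__":
    for do in (True, False):
        print("DO requested:", do, "-> parsed:", edns_do(build_query("example.com", do)))
```

A query for which `edns_do` returns `False` asks the upstream not to include DNSSEC records, which is why the description says validation stops for Unbound and its downstream users when the option is enabled.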