A DNSSEC correctness release. Recommended for all validating deployments.
DNSSEC
- Validate insecure delegations served without a referral. When one server is authoritative for both a signed parent and an unsigned child delegated from it (e.g.
tr.+ns.tr.,comcast.net+tx.comcast.net), it answers the child name authoritatively — no referral is crossed. v1.7.1 mis-attributed the answer to the signed parent and SERVFAIL'd the child's legitimately-unsigned records, breaking every signed zone whose nameservers live in an unsigned in-bailiwick subzone (e.g. the whole.trTLD intermittently lost validation). Such data is now accepted as insecure only when cryptographically proven — an authenticated DS, or an exact NSEC3/NSEC delegation proof (NS set, DS/SOA clear; opt-out rejected for the no-referral case). The DS authentication is fail-closed and downgrade-safe: the DS lookup is validated explicitly before any conclusion, and a forged unsigned DS (even with an unsupported algorithm) cannot downgrade a signed child. (#501) - Clear the AD bit for CD=1 clients (RFC 4035 §3.2.3 / RFC 6840 §5.7). A client that sets CD=1 has opted out of trusting the resolver's validation, so AD must never be asserted to it — including an upstream's bit passed through by the forwarder. (#501)
Internal
- Own DNS exchange library (
internal/dnsclient) replacing the vendored miekg client copy — UDP/TCP, DoT, and DoH — with the resolver and forwarder client paths trimmed accordingly. (#500)
Full changelog: v1.7.1...v1.7.2