Inhibit DNSSEC validation when forwarding to private servers for a domain. server=/example.com/<ip-of-server> The rationale is that the chain-of-trust will not be complete to private servers. If it was, it would not be necessary to access the server direct.

commit: 5757371d43891e830abe19aacae5378a79c7851c [log] [tgz]
author: Simon Kelley <simon@thekelleys.org.uk> Mon Jan 11 22:50:00 2016 +0000
committer: Simon Kelley <simon@thekelleys.org.uk> Mon Jan 11 22:50:00 2016 +0000
tree: 42e13ce1ae78213d29c97441bd1d7714c675e65f
parent: b633de94131361b28f47aa59d91e3eef49575942 [diff] [blame]
diff --git a/src/forward.c b/src/forward.c
index 47c6ded..1458578 100644
--- a/src/forward.c
+++ b/src/forward.c

@@ -406,7 +406,7 @@
 	}
       
 #ifdef HAVE_DNSSEC
-      if (option_bool(OPT_DNSSEC_VALID))
+      if (option_bool(OPT_DNSSEC_VALID) && !(type & SERV_HAS_DOMAIN))
 	{
 	  size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ);
 	 
@@ -858,7 +858,8 @@
 	no_cache_dnssec = 1;
       
 #ifdef HAVE_DNSSEC
-      if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
+      if (server && !(server->flags & SERV_HAS_DOMAIN) && 
+	  option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
 	{
 	  int status = 0;
commit	5757371d43891e830abe19aacae5378a79c7851c	[log] [tgz]
author	Simon Kelley <simon@thekelleys.org.uk>	Mon Jan 11 22:50:00 2016 +0000
committer	Simon Kelley <simon@thekelleys.org.uk>	Mon Jan 11 22:50:00 2016 +0000
tree	42e13ce1ae78213d29c97441bd1d7714c675e65f
parent	b633de94131361b28f47aa59d91e3eef49575942 [diff] [blame]