Change default for dnssec-check-unsigned.
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index ce44809..38d1dd3 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -768,7 +768,10 @@
_exit(0);
}
- my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+ if (option_bool(OPT_DNSSEC_IGN_NS))
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled but all unsigned answers are trusted"));
+ else
+ my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
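Review bot: The new branch under `if (option_bool(OPT_DNSSEC_IGN_NS))` logs a weakening of validation at LOG_INFO, the same level as the routine "DNSSEC validation enabled" line, so the one message an operator should notice is indistinguishable from the normal startup noise. As far as the help text on the option says ("Ensure answers without DNSSEC are in unsigned zones"), this mode means an unsigned answer is accepted without checking that its zone is actually unsigned, which is a downgrade an on-path party can presumably provoke by serving a reply without signatures. I would raise the severity, `my_syslog(LOG_WARNING, _("DNSSEC validation enabled but all unsigned answers are trusted"));`, and leave the normal path at LOG_INFO. The enclosing function starts and ends outside the hunk.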
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index ff7172f..9443405 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -241,7 +241,7 @@
#define OPT_DNSSEC_VALID 45
#define OPT_DNSSEC_TIME 46
#define OPT_DNSSEC_DEBUG 47
-#define OPT_DNSSEC_NO_SIGN 48
+#define OPT_DNSSEC_IGN_NS 48
#define OPT_LOCAL_SERVICE 49
#define OPT_LOOP_DETECT 50
#define OPT_EXTRALOG 51
diff --git a/src/forward.c b/src/forward.c
index cdd11d3..d32d0d8 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -919,7 +919,7 @@
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
else
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class,
- option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
+ !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
NULL, NULL);
}
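Review bot: The new argument `!option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC)` is now spelled out identically at two `dnssec_validate_reply` call sites in this file (this hunk and the later one), and an expression whose meaning hinges on a leading `!` on an option bit is exactly the kind that drifts when only one copy is touched later. dnsmasq.c already resolves a comparable option into a daemon field once at startup (`daemon->dnssec_no_time_check`); doing the same for this bit, or keeping the expression in one small static helper in forward.c that takes the server, would leave a single place to get the polarity right. The enclosing function starts and ends outside the hunk.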
@@ -1504,7 +1504,7 @@
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
else
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class,
- option_bool(OPT_DNSSEC_NO_SIGN) && (server->flags & SERV_DO_DNSSEC),
+ !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC),
NULL, NULL);
if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY)
diff --git a/src/option.c b/src/option.c
index 2667f5b..65df93a 100644
--- a/src/option.c
+++ b/src/option.c
@@ -311,7 +311,7 @@
{ "dnssec", 0, 0, LOPT_SEC_VALID },
{ "trust-anchor", 1, 0, LOPT_TRUST_ANCHOR },
{ "dnssec-debug", 0, 0, LOPT_DNSSEC_DEBUG },
- { "dnssec-check-unsigned", 0, 0, LOPT_DNSSEC_CHECK },
+ { "dnssec-check-unsigned", 2, 0, LOPT_DNSSEC_CHECK },
{ "dnssec-no-timecheck", 0, 0, LOPT_DNSSEC_TIME },
{ "dnssec-timestamp", 1, 0, LOPT_DNSSEC_STAMP },
#ifdef OPTION6_PREFIX_CLASS
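Review bot: Changing the has_arg field of `dnssec-check-unsigned` from 0 to 2 makes the value optional, and where dnsmasq is built on getopt_long an optional argument is only taken when attached (`--dnssec-check-unsigned=no`); `--dnssec-check-unsigned no` would leave `no` as a stray argument and the option in its default checking state. That fails in the safe direction, but it is a trap for anyone used to space-separated values with the other options, so the man page and the help row for this option should show the `=no` form explicitly. Configuration-file lines presumably pass through dnsmasq's own `option=value` splitting and are not affected; worth confirming.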
@@ -484,7 +484,7 @@
{ LOPT_SEC_VALID, OPT_DNSSEC_VALID, NULL, gettext_noop("Activate DNSSEC validation"), NULL },
{ LOPT_TRUST_ANCHOR, ARG_DUP, "<domain>,[<class>],...", gettext_noop("Specify trust anchor key digest."), NULL },
{ LOPT_DNSSEC_DEBUG, OPT_DNSSEC_DEBUG, NULL, gettext_noop("Disable upstream checking for DNSSEC debugging."), NULL },
- { LOPT_DNSSEC_CHECK, OPT_DNSSEC_NO_SIGN, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
+ { LOPT_DNSSEC_CHECK, ARG_DUP, NULL, gettext_noop("Ensure answers without DNSSEC are in unsigned zones."), NULL },
{ LOPT_DNSSEC_TIME, OPT_DNSSEC_TIME, NULL, gettext_noop("Don't check DNSSEC signature timestamps until first cache-reload"), NULL },
{ LOPT_DNSSEC_STAMP, ARG_ONE, "<path>", gettext_noop("Timestamp file to verify system clock for DNSSEC"), NULL },
#ifdef OPTION6_PREFIX_CLASS
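Review bot: The changed `LOPT_DNSSEC_CHECK` row keeps the help text "Ensure answers without DNSSEC are in unsigned zones." and a `NULL` argument description, but after this commit that behaviour is the default and the option's only effect is the `=no` form that disables it (see the new `case LOPT_DNSSEC_CHECK`), so `--help` now describes a no-op and hides the one value that changes anything. I would fill the argument field with `"[=no]"` (or whatever form this table uses for optional values elsewhere) and reword along the lines of `gettext_noop("Check that answers without DNSSEC are in unsigned zones (default; =no disables the check).")`.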
@@ -4139,6 +4139,16 @@
daemon->timestamp_file = opt_string_alloc(arg);
break;
+ case LOPT_DNSSEC_CHECK:
+ if (arg)
+ {
+ if (strcmp(arg, "no") == 0)
+ set_option_bool(OPT_DNSSEC_IGN_NS);
+ else
+ ret_err(_("bad value for dnssec-check-unsigned"));
+ }
+ break;
+
case LOPT_TRUST_ANCHOR:
{
struct ds_config *new = opt_malloc(sizeof(struct ds_config));
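Review bot: The new `case LOPT_DNSSEC_CHECK` accepts only `no` and rejects everything else including `yes`, and because `set_option_bool` only ever sets the bit, nothing that is parsed later (a conf-dir fragment, a command-line flag after the configuration file) can re-enable the check once `=no` has been seen. I would accept `yes` explicitly as the documented default and clear the bit there with whatever counterpart to set_option_bool option.c provides, keeping `ret_err` for any other value as now. The bare form with no argument is silently a no-op, which is fine for backward compatibility but deserves a one-line comment saying that it is the pre-existing spelling of the default. The enclosing function starts before the hunk and continues past it.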