resolved: permit dnssec rrtype questions when we aren't validating

This check introduced in 91adc4db33f6 is intended to spare us from encountering broken resolver behavior we don't want to deal with. However if we aren't validating we more than likely don't know the state of the upstream resolver's support for dnssec. Let's let clients try these queries if they want. This brings the behavior of sd-resolved in-line with previouly stated change in the meaning of DNSSEC=no, which now means "don't validate" rather than "don't validate, because the upstream resolver is declared to be dnssec-unaware". Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
2025-05-29 01:05:59 +03:00 · 2024-03-08 13:40:08 -07:00 · 2024-03-08 13:40:08 -07:00 · 364c948707
commit 364c948707
parent 707890d4ff
1 changed files with 0 additions and 3 deletions
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
        if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
                return true;

-        if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
-                return false;
-
        if (server->packet_bad_opt)
                return false;