From 9c47b334445a2560a56def4f77e2c1fe1f7c965d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 4 Mar 2024 18:49:49 +0100
Subject: [PATCH] resolved: enable DNS proxy mode if client wants DNSSEC
So far we disabled DNSSEC if local clients asked for it via DO flag if DNSSEC=no is set. Let's instead switch to proxy mode in this case, and thus treat client requested DO mode as a way to force proxy mode. This means DNSSEC=no just controls whether resolved will do validation for regular looups, but it has no effect anymore on lookups from clients that indicated they want to do their own DNSSEC anyway.
Fixes: #19227 #23737 #25105
---
 src/resolve/resolved-dns-stub.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index 3748496cf96..87f7aab6e93 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -958,8 +958,8 @@ static void dns_stub_process_query(Manager *m, DnsStubListenerExtra *l, DnsStrea
 log_debug("Got request to DNS proxy address 127.0.0.54, enabling bypass logic.");
 bypass = true;
 protocol_flags = SD_RESOLVED_DNS|SD_RESOLVED_NO_ZONE; /* Turn off mDNS/LLMNR for proxy stub. */
- } else if ((DNS_PACKET_DO(p) && DNS_PACKET_CD(p))) {
- log_debug("Got request with DNSSEC checking disabled, enabling bypass logic.");
+ } else if (DNS_PACKET_DO(p)) {
+ log_debug("Got request with DNSSEC enabled, enabling bypass logic.");
 bypass = true;
 }
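Review bot: The new `else if (DNS_PACKET_DO(p))` branch routes every query with DO set into bypass, including DO with CD clear, where the client is still asking the resolver to validate on its behalf. The hunk does not show what bypass does with local validation or with the AD bit in the reply, so confirm on a configuration with validation enabled that such a client cannot be handed an upstream answer that looks validated but was never checked locally. The branch would benefit from a comment recording the intent, e.g. `/* DO set: the client validates DNSSEC itself, so proxy the query; CD is deliberately no longer required. */`. The debug text could also name the actual trigger, `log_debug("Got request with DO bit set, enabling bypass logic.");`. dns_stub_process_query() starts before and continues past this hunk.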