recursor: set DO in outgoing queries

when the recursor is "security-aware" -- that is the "dnssec" feature is enabled -- as per RFC 4035 section 3.2.1
hickory-dns · Apr 25, 2024 · 3b82815 · 3b82815
1 parent 6334a01
commit 3b82815
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 4 deletions.
diff --git a/crates/proto/src/xfer/dns_handle.rs b/crates/proto/src/xfer/dns_handle.rs
@@ -85,7 +85,8 @@ fn build_message(query: Query, options: DnsRequestOptions) -> Message {
             .extensions_mut()
             .get_or_insert_with(Edns::new)
             .set_max_payload(MAX_PAYLOAD_LEN)
-            .set_version(0);
+            .set_version(0)
+            .set_dnssec_ok(options.edns_set_dnssec_ok);
     }
     message
 }
diff --git a/crates/proto/src/xfer/dns_request.rs b/crates/proto/src/xfer/dns_request.rs
@@ -25,6 +25,8 @@ pub struct DnsRequestOptions {
     // TODO: add EDNS options here?
     /// When true, will add EDNS options to the request.
     pub use_edns: bool,
+    /// When true, sets the DO bit in the EDNS options
+    pub edns_set_dnssec_ok: bool,
     /// Specifies maximum request depth for DNSSEC validation.
     pub max_request_depth: usize,
     /// set recursion desired (or not) for any requests
@@ -38,6 +40,7 @@ impl Default for DnsRequestOptions {
             max_request_depth: 26,
             expects_multiple_responses: false,
             use_edns: false,
+            edns_set_dnssec_ok: false,
             recursion_desired: true,
         }
     }

diff --git a/crates/recursor/src/recursor_pool.rs b/crates/recursor/src/recursor_pool.rs
@@ -90,8 +90,9 @@ where
                 info!("querying {} for {}", self.zone, query_cpy);
 
                 let mut options = DnsRequestOptions::default();
-                options.use_edns = false; // TODO: this should be configurable
-                options.recursion_desired = false;
+                let is_security_aware = cfg!(feature = "dnssec");
+                options.use_edns = is_security_aware;
+                options.edns_set_dnssec_ok = is_security_aware;
 
                 // convert the lookup into a shared future
                 let lookup = ns

diff --git a/crates/server/Cargo.toml b/crates/server/Cargo.toml
@@ -48,7 +48,7 @@ dnssec-ring = [
     "hickory-proto/dnssec-ring",
     "hickory-resolver/dnssec-ring",
 ]
-dnssec = []
+dnssec = ["hickory-recursor?/dnssec"]
 # Recursive Resolution is Experimental!
 recursor = ["hickory-recursor"]
 resolver = ["hickory-resolver"]