diff core/certmanager.lua @ 14216:2ec517d8d43e

net.unbound: Enable DNSSEC by default with option for turning off You know what they say about opt-in security. Enabling DNSSEC in libunbound without a way to turn it off would likely be a problem for those whose DNS resolvers do not support, or outright block DNSSEC. The merge algorithm already in place here doesn't have a way to unset something, so instead a simpler boolean setting is introduced, similar to some existing ones like use_ipv6/4 and use_dane.
author Kim Alvefur <zash@zash.se>
date Sun, 07 Jun 2026 20:32:55 +0200
parents 4aed38a1c971
children 565debd9c37a
line wrap: on
line diff
--- a/core/certmanager.lua	Sun Jun 07 18:23:24 2026 +0200
+++ b/core/certmanager.lua	Sun Jun 07 20:32:55 2026 +0200
@@ -213,7 +213,7 @@
 		"!3DES",       -- 3DES - slow and of questionable security
 		"!aNULL",      -- Ciphers that does not authenticate the connection
 	};
-	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
+	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" };
 }
 
 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
@@ -384,7 +384,7 @@
 	if tls.features.options.no_compression then
 		core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
 	end
-	if not configmanager.get("*", "use_dane") then
+	if configmanager.get("*", "use_dane") == false then
 		core_defaults.dane = false;
 	elseif tls.features.capabilities.dane then
 		core_defaults.dane = { "no_ee_namechecks" };