# HG changeset patch # User Kim Alvefur # Date 1780857175 -7200 # Node ID 2ec517d8d43e59900e6fa5553247e62243d9667e # Parent 2719dbb358c899a2383c3083651f7db5b83f947f net.unbound: Enable DNSSEC by default with option for turning off You know what they say about opt-in security. Enabling DNSSEC in libunbound without a way to turn it off would likely be a problem for those whose DNS resolvers do not support, or outright block DNSSEC. The merge algorithm already in place here doesn't have a way to unset something, so instead a simpler boolean setting is introduced, similar to some existing ones like use_ipv6/4 and use_dane. diff -r 2719dbb358c8 -r 2ec517d8d43e CHANGES --- a/CHANGES Sun Jun 07 18:23:24 2026 +0200 +++ b/CHANGES Sun Jun 07 20:32:55 2026 +0200 @@ -27,6 +27,10 @@ - mod_mam has a new `archive-query-result` event - stanza meta api +## Changes + +- DNSSEC support in libunbound enabled by default, requiring root DNSSEC trust anchors + 13.0.0 ====== diff -r 2719dbb358c8 -r 2ec517d8d43e core/certmanager.lua --- a/core/certmanager.lua Sun Jun 07 18:23:24 2026 +0200 +++ b/core/certmanager.lua Sun Jun 07 20:32:55 2026 +0200 @@ -213,7 +213,7 @@ "!3DES", -- 3DES - slow and of questionable security "!aNULL", -- Ciphers that does not authenticate the connection }; - dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; + dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" }; } -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 @@ -384,7 +384,7 @@ if tls.features.options.no_compression then core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; end - if not configmanager.get("*", "use_dane") then + if configmanager.get("*", "use_dane") == false then core_defaults.dane = false; elseif tls.features.capabilities.dane then core_defaults.dane = { "no_ee_namechecks" }; diff -r 2719dbb358c8 -r 2ec517d8d43e net/unbound.lua --- a/net/unbound.lua Sun Jun 07 18:23:24 2026 +0200 +++ b/net/unbound.lua Sun Jun 07 20:32:55 2026 +0200 @@ -32,13 +32,22 @@ resolvconf = true; } -local function add_defaults(conf) +-- Path to file containing current DNSSEC trust anchors, needed to enable DNSSEC. +-- Packagers: Adjust this path if it is different on your distribution +local trustfile = "/usr/share/dns/root.ds"; + +local function add_defaults(conf, use_dnssec) conf = conf or {}; for option, default in pairs(builtin_defaults) do if conf[option] == nil then conf[option] = default; end end + if use_dnssec ~= false then + if conf["trustfile"] == nil and conf["trusted"] == nil then + conf["trustfile"] = trustfile; + end + end for option, default in pairs(libunbound.config) do if conf[option] == nil then conf[option] = default; @@ -170,10 +179,11 @@ end if prosody then - local config = require"prosody.core.configmanager"; - unbound_config = add_defaults(config.get("*", "unbound")); + -- TODO move this glue logic into util.startup? + local config = require "prosody.core.configmanager"; + unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec")); prosody.events.add_handler("config-reloaded", function() - unbound_config = add_defaults(config.get("*", "unbound")); + unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec")); purge(); end); prosody.events.add_handler("server-started", initialize); diff -r 2719dbb358c8 -r 2ec517d8d43e util/prosodyctl/check.lua --- a/util/prosodyctl/check.lua Sun Jun 07 18:23:24 2026 +0200 +++ b/util/prosodyctl/check.lua Sun Jun 07 20:32:55 2026 +0200 @@ -468,6 +468,7 @@ "trusted_proxies", "umask", "use_dane", + "use_dnssec", "use_ipv4", "use_ipv6", "websocket_frame_buffer_limit",