changeset 14216:2ec517d8d43e

net.unbound: Enable DNSSEC by default with option for turning off You know what they say about opt-in security. Enabling DNSSEC in libunbound without a way to turn it off would likely be a problem for those whose DNS resolvers do not support, or outright block DNSSEC. The merge algorithm already in place here doesn't have a way to unset something, so instead a simpler boolean setting is introduced, similar to some existing ones like use_ipv6/4 and use_dane.
author Kim Alvefur <zash@zash.se>
date Sun, 07 Jun 2026 20:32:55 +0200
parents 2719dbb358c8
children 565debd9c37a
files CHANGES core/certmanager.lua net/unbound.lua util/prosodyctl/check.lua
diffstat 4 files changed, 21 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/CHANGES	Sun Jun 07 18:23:24 2026 +0200
+++ b/CHANGES	Sun Jun 07 20:32:55 2026 +0200
@@ -27,6 +27,10 @@
 - mod_mam has a new `archive-query-result` event
 - stanza meta api
 
+## Changes
+
+- DNSSEC support in libunbound enabled by default, requiring root DNSSEC trust anchors
+
 13.0.0
 ======
 
--- a/core/certmanager.lua	Sun Jun 07 18:23:24 2026 +0200
+++ b/core/certmanager.lua	Sun Jun 07 20:32:55 2026 +0200
@@ -213,7 +213,7 @@
 		"!3DES",       -- 3DES - slow and of questionable security
 		"!aNULL",      -- Ciphers that does not authenticate the connection
 	};
-	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
+	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" };
 }
 
 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
@@ -384,7 +384,7 @@
 	if tls.features.options.no_compression then
 		core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
 	end
-	if not configmanager.get("*", "use_dane") then
+	if configmanager.get("*", "use_dane") == false then
 		core_defaults.dane = false;
 	elseif tls.features.capabilities.dane then
 		core_defaults.dane = { "no_ee_namechecks" };
--- a/net/unbound.lua	Sun Jun 07 18:23:24 2026 +0200
+++ b/net/unbound.lua	Sun Jun 07 20:32:55 2026 +0200
@@ -32,13 +32,22 @@
 	resolvconf = true;
 }
 
-local function add_defaults(conf)
+-- Path to file containing current DNSSEC trust anchors, needed to enable DNSSEC.
+-- Packagers: Adjust this path if it is different on your distribution
+local trustfile = "/usr/share/dns/root.ds";
+
+local function add_defaults(conf, use_dnssec)
 	conf = conf or {};
 	for option, default in pairs(builtin_defaults) do
 		if conf[option] == nil then
 			conf[option] = default;
 		end
 	end
+	if use_dnssec ~= false then
+		if conf["trustfile"] == nil and conf["trusted"] == nil then
+			conf["trustfile"] = trustfile;
+		end
+	end
 	for option, default in pairs(libunbound.config) do
 		if conf[option] == nil then
 			conf[option] = default;
@@ -170,10 +179,11 @@
 end
 
 if prosody then
-	local config = require"prosody.core.configmanager";
-	unbound_config = add_defaults(config.get("*", "unbound"));
+	-- TODO move this glue logic into util.startup?
+	local config = require "prosody.core.configmanager";
+	unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec"));
 	prosody.events.add_handler("config-reloaded", function()
-		unbound_config = add_defaults(config.get("*", "unbound"));
+		unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec"));
 		purge();
 	end);
 	prosody.events.add_handler("server-started", initialize);
--- a/util/prosodyctl/check.lua	Sun Jun 07 18:23:24 2026 +0200
+++ b/util/prosodyctl/check.lua	Sun Jun 07 20:32:55 2026 +0200
@@ -468,6 +468,7 @@
 			"trusted_proxies",
 			"umask",
 			"use_dane",
+			"use_dnssec",
 			"use_ipv4",
 			"use_ipv6",
 			"websocket_frame_buffer_limit",