Mercurial > prosody-hg
changeset 14216:2ec517d8d43e
net.unbound: Enable DNSSEC by default with option for turning off
You know what they say about opt-in security.
Enabling DNSSEC in libunbound without a way to turn it off would likely
be a problem for those whose DNS resolvers do not support, or outright
block DNSSEC. The merge algorithm already in place here doesn't have a
way to unset something, so instead a simpler boolean setting is
introduced, similar to some existing ones like use_ipv6/4 and use_dane.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 07 Jun 2026 20:32:55 +0200 |
| parents | 2719dbb358c8 |
| children | 565debd9c37a |
| files | CHANGES core/certmanager.lua net/unbound.lua util/prosodyctl/check.lua |
| diffstat | 4 files changed, 21 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/CHANGES Sun Jun 07 18:23:24 2026 +0200 +++ b/CHANGES Sun Jun 07 20:32:55 2026 +0200 @@ -27,6 +27,10 @@ - mod_mam has a new `archive-query-result` event - stanza meta api +## Changes + +- DNSSEC support in libunbound enabled by default, requiring root DNSSEC trust anchors + 13.0.0 ======
--- a/core/certmanager.lua Sun Jun 07 18:23:24 2026 +0200 +++ b/core/certmanager.lua Sun Jun 07 20:32:55 2026 +0200 @@ -213,7 +213,7 @@ "!3DES", -- 3DES - slow and of questionable security "!aNULL", -- Ciphers that does not authenticate the connection }; - dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; + dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" }; } -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 @@ -384,7 +384,7 @@ if tls.features.options.no_compression then core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; end - if not configmanager.get("*", "use_dane") then + if configmanager.get("*", "use_dane") == false then core_defaults.dane = false; elseif tls.features.capabilities.dane then core_defaults.dane = { "no_ee_namechecks" };
--- a/net/unbound.lua Sun Jun 07 18:23:24 2026 +0200 +++ b/net/unbound.lua Sun Jun 07 20:32:55 2026 +0200 @@ -32,13 +32,22 @@ resolvconf = true; } -local function add_defaults(conf) +-- Path to file containing current DNSSEC trust anchors, needed to enable DNSSEC. +-- Packagers: Adjust this path if it is different on your distribution +local trustfile = "/usr/share/dns/root.ds"; + +local function add_defaults(conf, use_dnssec) conf = conf or {}; for option, default in pairs(builtin_defaults) do if conf[option] == nil then conf[option] = default; end end + if use_dnssec ~= false then + if conf["trustfile"] == nil and conf["trusted"] == nil then + conf["trustfile"] = trustfile; + end + end for option, default in pairs(libunbound.config) do if conf[option] == nil then conf[option] = default; @@ -170,10 +179,11 @@ end if prosody then - local config = require"prosody.core.configmanager"; - unbound_config = add_defaults(config.get("*", "unbound")); + -- TODO move this glue logic into util.startup? + local config = require "prosody.core.configmanager"; + unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec")); prosody.events.add_handler("config-reloaded", function() - unbound_config = add_defaults(config.get("*", "unbound")); + unbound_config = add_defaults(config.get("*", "unbound"), config.get("*", "use_dnssec")); purge(); end); prosody.events.add_handler("server-started", initialize);
