[Fix] Make dnssec configurable option disabled by default for now

contrib/librdns/dns_private.h

@@ -125,6 +125,7 @@ struct rdns_resolver {
 
 	bool async_binded;
 	bool initialized;
+	bool enable_dnssec;
 	ref_entry_t ref;
 };
 

contrib/librdns/packet.c

@@ -268,7 +268,12 @@ rdns_add_edns0 (struct rdns_request *req)
 	*p16++ = 0;
 	/* Z 10000000 00000000 to allow dnssec */
 	p8 = (uint8_t *)p16;
-	*p8++ = 0x80;
+	if (req->resolver->enable_dnssec) {
+		*p8++ = 0x80;
+	}
+	else {
+		*p8++ = 0x00;
+	}
 	*p8++ = 0;
 	p16 = (uint16_t *)p8;
 	/* Length */

contrib/librdns/rdns.h

@@ -236,6 +236,12 @@ struct rdns_resolver *rdns_resolver_new (void);
 void rdns_resolver_async_bind (struct rdns_resolver *resolver,
 		struct rdns_async_context *ctx);
 
+/**
+ * Enable stub dnssec resolver
+ * @param resolver
+ */
+void rdns_resolver_set_dnssec (struct rdns_resolver *resolver, bool enabled);
+
 /**
  * Add new DNS server definition to the resolver
  * @param resolver resolver object

contrib/librdns/resolver.c

@@ -853,3 +853,11 @@ rdns_resolver_async_bind (struct rdns_resolver *resolver,
 		resolver->async_binded = true;
 	}
 }
+
+void
+rdns_resolver_set_dnssec (struct rdns_resolver *resolver, bool enabled)
+{
+	if (resolver) {
+		resolver->enable_dnssec = enabled;
+	}
+}

src/libserver/cfg_file.h

@@ -383,6 +383,7 @@ struct rspamd_config {
 	guint32 dns_io_per_server;                      /**< number of sockets per DNS server					*/
 	const ucl_object_t *nameservers;                /**< list of nameservers or NULL to parse resolv.conf	*/
 	guint32 dns_max_requests;                       /**< limit of DNS requests per task 					*/
+	gboolean enable_dnssec;                         /**< enable dnssec stub resolver						*/
 
 	guint upstream_max_errors;						/**< upstream max errors before shutting off			*/
 	gdouble upstream_error_time;					/**< rate of upstream errors							*/

src/libserver/cfg_rcl.c

@@ -2015,6 +2015,12 @@ rspamd_rcl_config_init (struct rspamd_config *cfg)
 			G_STRUCT_OFFSET (struct rspamd_config, dns_io_per_server),
 			RSPAMD_CL_FLAG_INT_32,
 			"Number of sockets per DNS server");
+	rspamd_rcl_add_default_handler (ssub,
+			"enable_dnssec",
+			rspamd_rcl_parse_struct_boolean,
+			G_STRUCT_OFFSET (struct rspamd_config, enable_dnssec),
+			0,
+			"Enable DNSSEC support in Rspamd");
 
 
 	/* New upstreams configuration */

src/libserver/dns.c

@@ -244,6 +244,7 @@ dns_resolver_init (rspamd_logger_t *logger,
 	if (cfg != NULL) {
 		rdns_resolver_set_log_level (dns_resolver->r, cfg->log_level);
 		dns_resolver->cfg = cfg;
+		rdns_resolver_set_dnssec (dns_resolver->r, cfg->enable_dnssec);
 	}
 
 	rdns_resolver_set_logger (dns_resolver->r, rspamd_rnds_log_bridge, logger);