[Openvpn-devel,v1] dns: minimalist fix for dnssec setting

Message ID 20260430124020.23066-1-gert@greenie.muc.de
State New
Series [Openvpn-devel,v1] dns: minimalist fix for dnssec setting

Commit Message

Gert Doering April 30, 2026, 12:40 p.m. UTC
From: Selva Nair <selva.nair@gmail.com>

Github: fixes OpenVPN/openvpn#1024

Change-Id: I0cb093e0116e92d874162d51be777aa43674c115
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1644
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1644
This mail reflects revision 1 of this Change.

Signed-off-by line for the author was added as per our policy.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering April 30, 2026, 1:12 p.m. UTC | #1
Thanks for coming up with a minimal patch quickly, until we have decided
what "we really want there" and "what windows does".

Frank has tested this, and I have fixed my testbed to actually *show* the
problem - we do windows tests, but the way I had set up the "hidden DNS
things that only resolve if --dns is applied correctly" (unbound with a
local zone) was IPSEC-agnostic - if you ask "the authoritative server"
it will always tell you "yeah, all is valid!".  So now we have an unbound
recursor in front of a local bind, with no DNSSEC, and "windows with
dnssec yes" will actually fail to resolve that...  

.. and with your patch, we're back to "the system tests pass", so, good.

(Staring at the change also seems to make sense, but I said so for
the other fix as well... so I'm glad we have good before/after tests
this time)

Your patch has been applied to the master and release/2.7 branch.

commit 919f5ced7d2863d51981979a336407b6e0818fcd (master)
commit 9683e1fe273db94ab92e1da2fe55c7929fa7291a (release/2.7)
Author: Selva Nair
Date:   Thu Apr 30 14:40:14 2026 +0200

     dns: minimalist fix for dnssec setting

     Signed-off-by: Selva Nair <selva.nair@gmail.com>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1644
     Message-Id: <20260430124020.23066-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36797.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c
index ce23f1f..954ed52 100644
--- a/src/openvpn/dns.c
+++ b/src/openvpn/dns.c
@@ -442,7 +442,7 @@ 
         .header = { (add ? msg_add_nrpt_cfg : msg_del_nrpt_cfg), sizeof(nrpt_dns_cfg_message_t),
                     0 },
         .iface = { .index = tt->adapter_index, .name = "" },
-        .flags = server->dnssec == DNS_SECURITY_NO ? 0 : nrpt_dnssec,
+        .flags = server->dnssec == DNS_SECURITY_YES ? nrpt_dnssec : 0,
     };
     strncpynt(nrpt.iface.name, tt->actual_name, sizeof(nrpt.iface.name));
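
Review bot: Missing documentation on the `.flags` line: neither the code nor the commit message says why values of server->dnssec other than DNS_SECURITY_YES and DNS_SECURITY_NO should change from nrpt_dnssec to 0. The old expression enabled the flag for everything except an explicit NO, and the new one enables it only for an explicit YES, so any third setting silently loses DNSSEC validation in the NRPT rule sent to the service. That may well be the intended behaviour, but it is a security-relevant default and should be stated. Suggest a short comment above `.flags` saying that only an explicit YES requests validation, plus a sentence in the commit body describing the behaviour before and after, since the subject line and the issue reference alone do not record it.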