
[Node-1833] Add optional DNSSEC validation support #77

Merged
shilingwang merged 4 commits into main from shiling/dnssec-option
Jan 27, 2026

shilingwang commented Jan 27, 2026

Summary

  • Adds configurable option to disable DNSSEC validation for DNS queries
  • The dnssec-ring feature was already compiled in dependencies but not being utilized
  • Adds dnssec_disabled field to DNS Options struct (defaults to false)

Motivation

While the dnssec-ring feature is enabled in hickory-resolver dependencies, DNSSEC validation was explicitly disabled by hardcoding preserve_intermediates = false. This change makes DNSSEC validation an opt-out feature (with follow-up change on the preserve_intermediate = true) that users can enable when needed, while maintaining backward compatibility by keeping it disabled by default.

Changes

  1. Added dnssec_disabled: bool field to Options struct in ic-bn-lib-common/src/types/dns.rs

Test Plan

  • All existing unit tests pass
  • Code compiles without errors
  • No linter errors

shilingwang requested a review from a team as a code owner January 27, 2026 10:12
shilingwang changed the title Add optional DNSSEC validation support [Node-1833] Add optional DNSSEC validation support Jan 27, 2026
shilingwang force-pushed the shiling/dnssec-option branch from bfba483 to 3e97ccd January 27, 2026 12:37
Add a configurable option to disable DNSSEC validation for DNS queries
in ic-bn-lib-common types. DNSSEC validation is enabled by default.

Changes:
- Add dnssec_disabled field to DNS Options struct (defaults to false)
- Add --dns-dnssec-disabled CLI flag and DNS_DNSSEC_DISABLED env var
- Add field to DnsCli struct and From<&DnsCli> conversion
- DNSSEC is enabled by default, users can opt-out via the flag

This prepares the types for DNSSEC support. The actual usage in the
resolver will be added in a follow-up PR after this is published.
shilingwang merged commit 43a05e1 into main Jan 27, 2026
6 checks passed
shilingwang deleted the shiling/dnssec-option branch January 27, 2026 13:27
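
The opt-out wiring the commit message describes, as an added std-only sketch that is not the project's code: it shows that the zero value of `dnssec_disabled` keeps validation on and that an unparsable `DNS_DNSSEC_DISABLED` value is rejected instead of silently changing the setting. The `Options` and `DnsCli` shapes, the `dns_dnssec_disabled` field name, and the `parse_bool`, `resolve` and `validation_enabled` helpers are assumptions; the project's real argument parsing is not shown on this page.

```rust
// Added illustration. Only `dnssec_disabled`, `Options`, `DnsCli`,
// `--dns-dnssec-disabled` and `DNS_DNSSEC_DISABLED` come from the page.

#[derive(Debug, Clone, Default, PartialEq)]
pub struct Options {
    /// `false` (the Default) leaves DNSSEC validation enabled.
    pub dnssec_disabled: bool,
}

#[derive(Debug, Clone, Default, PartialEq)]
pub struct DnsCli {
    pub dns_dnssec_disabled: bool, // hypothetical field name
}

impl From<&DnsCli> for Options {
    fn from(cli: &DnsCli) -> Self {
        Self { dnssec_disabled: cli.dns_dnssec_disabled }
    }
}

/// Strict parse: anything that is not an explicit boolean is an error,
/// so a typo in the environment cannot quietly turn validation off.
fn parse_bool(s: &str) -> Result<bool, String> {
    match s.trim().to_ascii_lowercase().as_str() {
        "1" | "true" => Ok(true),
        "0" | "false" => Ok(false),
        other => Err(format!("invalid boolean {other:?} for DNS_DNSSEC_DISABLED")),
    }
}

/// Combine the CLI flag and the environment value (either one opts out).
pub fn resolve(args: &[&str], env: Option<&str>) -> Result<DnsCli, String> {
    let flag = args.iter().any(|a| *a == "--dns-dnssec-disabled");
    let from_env = match env {
        Some(v) => parse_bool(v)?,
        None => false,
    };
    Ok(DnsCli { dns_dnssec_disabled: flag || from_env })
}

pub fn validation_enabled(opts: &Options) -> bool {
    !opts.dnssec_disabled
}

fn main() {
    let env = std::env::var("DNS_DNSSEC_DISABLED").ok();
    let args: Vec<String> = std::env::args().skip(1).collect();
    let refs: Vec<&str> = args.iter().map(String::as_str).collect();
    match resolve(&refs, env.as_deref()) {
        Ok(cli) => println!("validation enabled: {}", validation_enabled(&Options::from(&cli))),
        Err(e) => { eprintln!("{e}"); std::process::exit(2); }
    }
}
```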