[Node-1833] Add optional DNSSEC validation support

ic-bn-lib-common/Cargo.toml

@@ -5,7 +5,7 @@ license.workspace = true
 readme.workspace = true
 keywords.workspace = true
 description = "A collection of traits & types commonly used by ic-bn-lib and others"
-version = "0.1.3"
+version = "0.1.4"
 documentation = "https://docs.rs/ic-bn-lib-common"
 
 [dependencies]

ic-bn-lib-common/src/types/dns.rs

@@ -88,6 +88,7 @@ pub struct Options {
     pub cache_size: usize,
     pub timeout: Duration,
     pub tls_name: String,
+    pub dnssec_disabled: bool,
 }
 
 impl Default for Options {
@@ -99,6 +100,7 @@ impl Default for Options {
             cache_size: 1024,
             timeout: Duration::from_secs(3),
             tls_name: "cloudflare-dns.com".into(),
+            dnssec_disabled: false,
         }
     }
 }
@@ -144,6 +146,10 @@ pub struct DnsCli {
     /// Default is to look up IPv4 and IPv6 in parallel.
     #[clap(env, long, default_value = "ipv4_and_ipv6")]
     pub dns_lookup_strategy: LookupStrategy,
+
+    /// Disable DNSSEC validation for DNS queries (DNSSEC is enabled by default)
+    #[clap(env, long)]
+    pub dns_dnssec_disabled: bool,
 }
 
 impl From<&DnsCli> for Options {
@@ -155,6 +161,7 @@ impl From<&DnsCli> for Options {
             cache_size: c.dns_cache_size,
             timeout: c.dns_timeout,
             tls_name: c.dns_tls_name.clone(),
+            dnssec_disabled: c.dns_dnssec_disabled,
         }
     }
 }

ic-bn-lib/src/http/dns/mod.rs

@@ -59,6 +59,7 @@ impl Resolver {
         opts.ip_strategy = o.lookup_ip_strategy;
         opts.use_hosts_file = ResolveHosts::Never;
         opts.preserve_intermediates = false;
+        opts.validate = !o.dnssec_disabled;
         opts.try_tcp_on_error = true;
 
         let builder = TokioResolver::builder_with_config(cfg, TokioConnectionProvider::default())