From cc81d5636e0d2c9784e823b0cfcb8199e0d3c6fd Mon Sep 17 00:00:00 2001
From: Jorge Aparicio
Date: Wed, 24 Apr 2024 19:27:49 +0200
Subject: [PATCH] recursor: set DO in outgoing queries when the recursor is "security-aware" -- that is the "dnssec" feature is enabled -- as per RFC 4035 section 3.2.1

---
 crates/proto/src/xfer/dns_handle.rs | 3 ++-
 crates/proto/src/xfer/dns_request.rs | 3 +++
 crates/recursor/src/lib.rs | 4 ++++
 crates/recursor/src/recursor_pool.rs | 4 ++--
 crates/server/Cargo.toml | 2 +-
 5 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/crates/proto/src/xfer/dns_handle.rs b/crates/proto/src/xfer/dns_handle.rs
index d41385e3..874ecc85 100644
--- a/crates/proto/src/xfer/dns_handle.rs
+++ b/crates/proto/src/xfer/dns_handle.rs
@@ -85,7 +85,8 @@ fn build_message(query: Query, options: DnsRequestOptions) -> Message {
 .extensions_mut()
 .get_or_insert_with(Edns::new)
 .set_max_payload(MAX_PAYLOAD_LEN)
- .set_version(0);
+ .set_version(0)
+ .set_dnssec_ok(options.edns_set_dnssec_ok);
 }
 message
 }
diff --git a/crates/proto/src/xfer/dns_request.rs b/crates/proto/src/xfer/dns_request.rs
index 2d93c9b9..a20a5b60 100644
--- a/crates/proto/src/xfer/dns_request.rs
+++ b/crates/proto/src/xfer/dns_request.rs
@@ -25,6 +25,8 @@ pub struct DnsRequestOptions {
 // TODO: add EDNS options here?
 /// When true, will add EDNS options to the request.
 pub use_edns: bool,
+ /// When true, sets the DO bit in the EDNS options
+ pub edns_set_dnssec_ok: bool,
 /// Specifies maximum request depth for DNSSEC validation.
 pub max_request_depth: usize,
 /// set recursion desired (or not) for any requests
@@ -38,6 +40,7 @@ impl Default for DnsRequestOptions {
 max_request_depth: 26,
 expects_multiple_responses: false,
 use_edns: false,
+ edns_set_dnssec_ok: false,
 recursion_desired: true,
 }
 }
diff --git a/crates/recursor/src/lib.rs b/crates/recursor/src/lib.rs
index 9488b472..c9a4b94f 100644
--- a/crates/recursor/src/lib.rs
+++ b/crates/recursor/src/lib.rs
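Review bot: The doc comment on the new `edns_set_dnssec_ok` field in `DnsRequestOptions` does not say that the flag is inert unless `use_edns` is also true, which is how the recursor hunk in this same patch ends up setting both fields together. Readers of `DnsRequestOptions` alone will otherwise expect DO to be set on a bare request. It is also worth stating what DO does and does not do, since the neighbouring `max_request_depth` doc shows validation is a separate mechanism. Suggested replacement for the one-line comment: `/// When true (and `use_edns` is also true), sets the DO bit in the EDNS OPT record so the` / `/// responder includes DNSSEC records (RFC 4035 §3.2.1); this does not by itself validate them.`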
@@ -35,3 +35,7 @@ pub use hickory_proto as proto;
 pub use hickory_resolver as resolver;
 pub use hickory_resolver::config::NameServerConfig;
 pub use recursor::Recursor;
+
+fn is_security_aware() -> bool {
+ cfg!(feature = "dnssec")
+}
diff --git a/crates/recursor/src/recursor_pool.rs b/crates/recursor/src/recursor_pool.rs
index 2611324c..06abd280 100644
--- a/crates/recursor/src/recursor_pool.rs
+++ b/crates/recursor/src/recursor_pool.rs
@@ -90,8 +90,8 @@ where
 info!("querying {} for {}", self.zone, query_cpy);
 
 let mut options = DnsRequestOptions::default();
- options.use_edns = false; // TODO: this should be configurable
- options.recursion_desired = false;
+ options.use_edns = crate::is_security_aware();
+ options.edns_set_dnssec_ok = crate::is_security_aware();
 
 // convert the lookup into a shared future
 let lookup = ns
diff --git a/crates/server/Cargo.toml b/crates/server/Cargo.toml
index e4da6f82..79c701ff 100644
--- a/crates/server/Cargo.toml
+++ b/crates/server/Cargo.toml
@@ -48,7 +48,7 @@ dnssec-ring = [
 "hickory-proto/dnssec-ring",
 "hickory-resolver/dnssec-ring",
 ]
-dnssec = []
+dnssec = ["hickory-recursor?/dnssec"]
 # Recursive Resolution is Experimental!
 recursor = ["hickory-recursor"]
 resolver = ["hickory-resolver"]
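Review bot: `is_security_aware` in lib.rs has no doc comment, and the term "security-aware" only makes sense with the RFC the commit message cites. Since the function is the single switch that decides whether DO goes out on every upstream query, a two-line doc would help: `/// True when this build is a "security-aware" resolver in the RFC 4035 §3.2.1 sense, i.e. compiled` / `/// with the `dnssec` feature; such a resolver sets the DO bit on its outgoing queries.` The body is a `cfg!` expression, so it could also be declared `const fn` to make the compile-time nature explicit.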
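Review bot: The recursor_pool.rs hunk removes `options.recursion_desired = false;` without re-adding it, while `DnsRequestOptions::default()` sets `recursion_desired: true` (visible in the dns_request.rs hunk of this same patch). Unless RD is cleared elsewhere in the enclosing function, whose start and end lie outside the hunk, the recursor's queries to authoritative servers now carry RD=1, a behaviour change the commit message does not mention; a strictly authoritative server ignores RD, but an upstream that also recurses would answer from its own cache instead of the iterative lookup the recursor expects. Re-add `options.recursion_desired = false;` after the two new assignments. While there, `crate::is_security_aware()` is evaluated twice for the same value; binding it once, `let security_aware = crate::is_security_aware();`, and assigning both fields from it reads more clearly.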
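Review bot: The Cargo.toml hunk forwards only the server's `dnssec` feature to `hickory-recursor?/dnssec`; the visible lines of `dnssec-ring` list `hickory-proto/dnssec-ring` and `hickory-resolver/dnssec-ring` but no recursor entry, and the start of that list is above the hunk. If `dnssec-ring` (and presumably `dnssec-openssl`) does not also enable the server's own `dnssec` feature, a build with `--features dnssec-ring,recursor` leaves `is_security_aware()` false and DO is never set, silently defeating the point of the commit. Either add `"dnssec",` to each backend feature list or add `"hickory-recursor?/dnssec"` alongside the proto and resolver entries. The `dep?/feature` weak-dependency syntax needs cargo 1.60 or newer, so check it against the workspace's `rust-version`.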