proxy: use dnssec

Mizzick · Mizzick · commit e9286abdcef9 · 2026-04-14T14:07:27.000+07:00
diff --git a/proxy/cache_internal_test.go b/proxy/cache_internal_test.go
@@ -57,6 +57,7 @@ func TestServeCached(t *testing.T) {
 		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
 		TrustedProxies: defaultTrustedProxies,
+		DNSSECEnabled:  true,
 		CacheEnabled:   true,
 	})
 
@@ -374,6 +375,7 @@ func TestCacheExpirationWithTTLOverride(t *testing.T) {
 		},
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 		CacheMinTTL:    20,
 		CacheMaxTTL:    40,
 	})
diff --git a/proxy/pending_test.go b/proxy/pending_test.go
@@ -117,6 +117,7 @@ func TestPendingRequests(t *testing.T) {
 		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		CacheSizeBytes:         testCacheSize,
 		CacheEnabled:           true,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 	})
 	require.NoError(t, err)
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -668,8 +668,14 @@ func (p *Proxy) handleExchangeResult(
 	}
 }
 
-// addDO adds EDNS0 RR if needed and sets DO bit of msg to true.
-func addDO(msg *dns.Msg) {
+// addDO adds EDNS0 RR if needed and sets DO bit of msg to true.  msg must not
+// be nil.
+func (p *Proxy) addDO(msg *dns.Msg) {
+	if !p.DNSSECEnabled {
+		// Do nothing if DNSSEC is disabled in the proxy.
+		return
+	}
+
 	if o := msg.IsEdns0(); o != nil {
 		if !o.Do() {
 			o.SetDo()
@@ -715,7 +721,7 @@ func (p *Proxy) Resolve(ctx context.Context, dctx *DNSContext) (err error) {
 
 		// On cache miss request for DNSSEC from the upstream to cache it
 		// afterwards.
-		addDO(dctx.Req)
+		p.addDO(dctx.Req)
 	}
 
 	var ok bool
@@ -794,6 +800,12 @@ func (p *Proxy) cacheWorks(dctx *DNSContext) (ok bool) {
 		// Don't cache the requests intended for local upstream servers, those
 		// should be fast enough as is.
 		reason = "requested address is private"
+	case !p.DNSSECEnabled && !dctx.doBit:
+		// Don't cache the responses without DNSSEC RRs if DNSSEC is disabled
+		// and DO bit is not set, since those responses may differ from the ones
+		// with DNSSEC RRs and thus may be not the desired result for user.  In
+		// case DNSSEC is enabled in the proxy, the DO bit will be enforced.
+		reason = "dnssec disabled"
 	case dctx.Req.CheckingDisabled:
 		// Also don't lookup the cache for responses with DNSSEC checking
 		// disabled since only validated responses are cached and those may be
diff --git a/proxy/proxy_internal_test.go b/proxy/proxy_internal_test.go
@@ -504,6 +504,7 @@ func TestProxy_Resolve_dnssecCache(t *testing.T) {
 		UpstreamConfig: &UpstreamConfig{Upstreams: []upstream.Upstream{u}},
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 		CacheSizeBytes: defaultCacheSize,
 	})
 
@@ -978,6 +979,7 @@ func TestExchangeCustomUpstreamConfigCache(t *testing.T) {
 		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 	})
 
 	servicetest.RequireRun(t, prx, testTimeout)
@@ -1107,6 +1109,7 @@ func TestECSProxy(t *testing.T) {
 			Upstreams: []upstream.Upstream{u},
 		},
 		TrustedProxies:         defaultTrustedProxies,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 		CacheEnabled:           true,
 	})
@@ -1216,6 +1219,7 @@ func TestECSProxyCacheMinMaxTTL(t *testing.T) {
 		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		UpstreamConfig:         &UpstreamConfig{Upstreams: []upstream.Upstream{u}},
 		TrustedProxies:         defaultTrustedProxies,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 		CacheEnabled:           true,
 		CacheMinTTL:            20,
@@ -1309,6 +1313,7 @@ func TestProxy_Resolve_withOptimisticResolver(t *testing.T) {
 			CacheOptimistic:          true,
 			CacheOptimisticAnswerTTL: testOptimisticTTL,
 			CacheOptimisticMaxAge:    testOptimisticMaxAge,
+			DNSSECEnabled:            true,
 		},
 		logger:          testLogger,
 		pendingRequests: newDefaultPendingRequests(),
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
@@ -93,37 +93,50 @@ func TestProxy_Resolve_cache(t *testing.T) {
 		wantCachedWithConf assert.BoolAssertionFunc
 		wantCachedGlobal   assert.BoolAssertionFunc
 		name               string
+		dnssecEnabled      bool
 		prxCacheEnabled    bool
 	}{{
 		customUpstreamConf: nil,
 		wantCachedWithConf: assert.True,
 		wantCachedGlobal:   assert.True,
 		name:               "global_cache",
+		dnssecEnabled:      true,
 		prxCacheEnabled:    true,
 	}, {
 		customUpstreamConf: newCustomUpstreamConfig(ups, true),
 		wantCachedWithConf: assert.True,
 		wantCachedGlobal:   assert.False,
 		name:               "custom_cache",
+		dnssecEnabled:      true,
 		prxCacheEnabled:    false,
 	}, {
 		customUpstreamConf: newCustomUpstreamConfig(ups, false),
 		wantCachedWithConf: assert.False,
 		wantCachedGlobal:   assert.False,
 		name:               "custom_cache_only_upstreams",
+		dnssecEnabled:      true,
 		prxCacheEnabled:    false,
 	}, {
 		customUpstreamConf: newCustomUpstreamConfig(ups, true),
 		wantCachedWithConf: assert.True,
 		wantCachedGlobal:   assert.False,
 		name:               "two_caches_enabled",
+		dnssecEnabled:      true,
 		prxCacheEnabled:    true,
 	}, {
 		customUpstreamConf: nil,
 		wantCachedWithConf: assert.False,
 		wantCachedGlobal:   assert.False,
-		name:               "two_caches_disabled",
+		name:               "proxy_cache_disabled",
+		dnssecEnabled:      true,
 		prxCacheEnabled:    false,
+	}, {
+		customUpstreamConf: nil,
+		wantCachedWithConf: assert.False,
+		wantCachedGlobal:   assert.False,
+		name:               "dnssec_disabled",
+		dnssecEnabled:      false,
+		prxCacheEnabled:    true,
 	}}
 
 	for _, tc := range testCases {
@@ -132,6 +145,7 @@ func TestProxy_Resolve_cache(t *testing.T) {
 				UDPListenAddr:  []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
 				UpstreamConfig: upsConf,
 				CacheEnabled:   tc.prxCacheEnabled,
+				DNSSECEnabled:  tc.dnssecEnabled,
 			})
 			require.NoError(t, err)
 			require.NotNil(t, p)
diff --git a/proxy/proxycache.go b/proxy/proxycache.go
@@ -56,7 +56,7 @@ func (p *Proxy) replyFromCache(d *DNSContext) (hit bool) {
 		}
 		if d.Req != nil {
 			minCtxClone.Req = d.Req.Copy()
-			addDO(minCtxClone.Req)
+			p.addDO(minCtxClone.Req)
 		}
 
 		go p.shortFlighter.resolveOnce(minCtxClone, key, p.logger)

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ func (p Proxy) replyFromCache(d DNSContext) (hit bool) {`
`56`	`56`	`}`
`57`	`57`	`if d.Req != nil {`
`58`	`58`	`minCtxClone.Req = d.Req.Copy()`
`59`		`- addDO(minCtxClone.Req)`
	`59`	`+ p.addDO(minCtxClone.Req)`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`go p.shortFlighter.resolveOnce(minCtxClone, key, p.logger)`