summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.h')
-rw-r--r--src/resolve/resolved-dns-dnssec.h11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
index 9ad20c8c69..d7aecbce13 100644
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -32,7 +32,14 @@ enum DnssecMode {
/* No DNSSEC validation is done */
DNSSEC_NO,
- /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
+ /* Validate locally, if the server knows DO, but if not,
+ * don't. Don't trust the AD bit. If the server doesn't do
+ * DNSSEC properly, downgrade to non-DNSSEC operation. Of
+ * course, we then are vulnerable to a downgrade attack, but
+ * that's life and what is configured. */
+ DNSSEC_DOWNGRADE_OK,
+
+ /* Insist on DNSSEC server support, and rather fail than downgrading. */
DNSSEC_YES,
_DNSSEC_MODE_MAX,
@@ -54,6 +61,8 @@ enum DnssecResult {
DNSSEC_UNSIGNED,
DNSSEC_FAILED_AUXILIARY,
DNSSEC_NSEC_MISMATCH,
+ DNSSEC_INCOMPATIBLE_SERVER,
+
_DNSSEC_RESULT_MAX,
_DNSSEC_RESULT_INVALID = -1
};
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-07-25 14:08:47 +0000