1 files changed, 23 insertions, 0 deletions

diff --git a/src/shared/resolve-util.h b/src/shared/resolve-util.h
index e585c5024f..fd93a13f73 100644
--- a/src/shared/resolve-util.h
+++ b/src/shared/resolve-util.h
@@ -24,6 +24,7 @@
 #include "macro.h"
 
 typedef enum ResolveSupport ResolveSupport;
+typedef enum DnssecMode DnssecMode;
 
 enum ResolveSupport {
         RESOLVE_SUPPORT_NO,
@@ -33,7 +34,29 @@ enum ResolveSupport {
         _RESOLVE_SUPPORT_INVALID = -1
 };
 
+enum DnssecMode {
+        /* No DNSSEC validation is done */
+        DNSSEC_NO,
+
+        /* Validate locally, if the server knows DO, but if not,
+         * don't. Don't trust the AD bit. If the server doesn't do
+         * DNSSEC properly, downgrade to non-DNSSEC operation. Of
+         * course, we then are vulnerable to a downgrade attack, but
+         * that's life and what is configured. */
+        DNSSEC_ALLOW_DOWNGRADE,
+
+        /* Insist on DNSSEC server support, and rather fail than downgrading. */
+        DNSSEC_YES,
+
+        _DNSSEC_MODE_MAX,
+        _DNSSEC_MODE_INVALID = -1
+};
+
 int config_parse_resolve_support(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_dnssec_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
 
 const char* resolve_support_to_string(ResolveSupport p) _const_;
 ResolveSupport resolve_support_from_string(const char *s) _pure_;
+
+const char* dnssec_mode_to_string(DnssecMode p) _const_;
+DnssecMode dnssec_mode_from_string(const char *s) _pure_;