Pull request: AGDNS-3870-imp-dnssec

Merge in GO/dnsproxy from AGDNS-3870-imp-dnssec to master

Squashed commit of the following:

commit feaf325
Merge: 34d56aa 97cddca
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 23 08:24:07 2026 +0700

    Merge remote-tracking branch 'origin/master'

commit 34d56aa
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 16 09:16:46 2026 +0700

    all: imp yaml conf

commit 7e88ee1
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 15 10:24:32 2026 +0700

    cmd: imp code

commit e9286ab
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 14 14:07:27 2026 +0700

    proxy: use dnssec

commit 3171cb4
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Mon Apr 13 13:12:35 2026 +0700

    all: add dnssec conf

Author: Mizzick

README.md

@@ -63,6 +63,8 @@ Usage of ./dnsproxy:
         Cache size (in bytes). Default: 64k.
   --config-path=path
         YAML configuration file. Minimal working configuration in config.yaml.dist. Options passed through command line will override the ones from this file.
+  --dnssec
+        Defines whether the proxy should set the DO bits in the upstream requests.  Default: true.
   --doh-insecure-enabled
         If specified, the DoH server will skip TLS certificate verification.
   --doh-routes

config.yaml.dist

@@ -6,6 +6,9 @@
 ---
 bootstrap:
   - "8.8.8.8:53"
+# DNSSEC validation is enabled by default, if you want to disable it set it to
+# false.
+dnssec: true
 listen-addrs:
   - "0.0.0.0"
 listen-ports:

internal/cmd/args.go

@@ -69,6 +69,7 @@ const (
 	usePrivateRDNSIdx
 	dohRoutesIdx
 	dohInsecureEnabledIdx
+	dnssecEnabledIdx
 )
 
 // commandLineOption contains information about a command-line option: its long
@@ -419,6 +420,12 @@ var commandLineOptions = []*commandLineOption{
 		short:       "",
 		valueType:   "",
 	},
+	dnssecEnabledIdx: {
+		description: "Defines whether the proxy should set the DO bits in the upstream requests.",
+		long:        "dnssec",
+		short:       "",
+		valueType:   "",
+	},
 }
 
 // parseCmdLineOptions parses the command-line options.  conf must not be nil.
@@ -480,6 +487,7 @@ func parseCmdLineOptions(conf *configuration) (err error) {
 		usePrivateRDNSIdx:           &conf.UsePrivateRDNS,
 		dohRoutesIdx:                &conf.DoHRoutes,
 		dohInsecureEnabledIdx:       &conf.DoHInsecureEnabled,
+		dnssecEnabledIdx:            &conf.DNSSECEnabled,
 	} {
 		addOption(flags, fieldPtr, commandLineOptions[i])
 	}

internal/cmd/config.go

@@ -194,6 +194,10 @@ type configuration struct {
 	// RefuseAny makes the server to refuse requests of type ANY.
 	RefuseAny bool `yaml:"refuse-any"`
 
+	// DNSSECEnabled defines whether the proxy should set the DO bits in the
+	// upstream requests.
+	DNSSECEnabled bool `yaml:"dnssec"`
+
 	// EnableEDNSSubnet uses EDNS Client Subnet extension.
 	EnableEDNSSubnet bool `yaml:"edns"`
 
@@ -223,6 +227,7 @@ func parseConfig() (conf *configuration, exitCode int, err error) {
 		OptimisticMaxAge:       timeutil.Duration(proxy.DefaultOptimisticMaxAge),
 		RatelimitSubnetLenIPv4: 24,
 		RatelimitSubnetLenIPv6: 56,
+		DNSSECEnabled:          true,
 		HostsFileEnabled:       true,
 		PendingRequestsEnabled: true,
 	}

internal/cmd/proxy.go

@@ -98,6 +98,7 @@ func createProxyConfig(
 			netip.MustParsePrefix("0.0.0.0/0"),
 			netip.MustParsePrefix("::0/0"),
 		},
+		DNSSECEnabled:          conf.DNSSECEnabled,
 		EnableEDNSClientSubnet: conf.EnableEDNSSubnet,
 		UDPBufferSize:          conf.UDPBufferSize,
 		MaxGoroutines:          conf.MaxGoRoutines,

proxy/cache_internal_test.go

@@ -57,6 +57,7 @@ func TestServeCached(t *testing.T) {
 		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
 		TrustedProxies: defaultTrustedProxies,
+		DNSSECEnabled:  true,
 		CacheEnabled:   true,
 	})
 
@@ -374,6 +375,7 @@ func TestCacheExpirationWithTTLOverride(t *testing.T) {
 		},
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 		CacheMinTTL:    20,
 		CacheMaxTTL:    40,
 	})

proxy/config.go

@@ -178,6 +178,10 @@ type Config struct {
 	// RefuseAny makes proxy refuse the requests of type ANY.
 	RefuseAny bool
 
+	// DNSSECEnabled specifies if the proxy should set the DO bits in the
+	// upstream requests.
+	DNSSECEnabled bool
+
 	// Enable EDNS Client Subnet option DNS requests to the upstream server will
 	// contain an OPT record with Client Subnet option.  If the original request
 	// already has this option set, we pass it through as is.  Otherwise, we set

proxy/pending_test.go

@@ -117,6 +117,7 @@ func TestPendingRequests(t *testing.T) {
 		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		CacheSizeBytes:         testCacheSize,
 		CacheEnabled:           true,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 	})
 	require.NoError(t, err)

proxy/proxy.go

@@ -668,8 +668,14 @@ func (p *Proxy) handleExchangeResult(
 	}
 }
 
-// addDO adds EDNS0 RR if needed and sets DO bit of msg to true.
-func addDO(msg *dns.Msg) {
+// addDO adds EDNS0 RR if needed and sets DO bit of msg to true.  msg must not
+// be nil.
+func (p *Proxy) addDO(msg *dns.Msg) {
+	if !p.DNSSECEnabled {
+		// Do nothing if DNSSEC is disabled in the proxy.
+		return
+	}
+
 	if o := msg.IsEdns0(); o != nil {
 		if !o.Do() {
 			o.SetDo()
@@ -715,7 +721,7 @@ func (p *Proxy) Resolve(ctx context.Context, dctx *DNSContext) (err error) {
 
 		// On cache miss request for DNSSEC from the upstream to cache it
 		// afterwards.
-		addDO(dctx.Req)
+		p.addDO(dctx.Req)
 	}
 
 	var ok bool
@@ -794,6 +800,12 @@ func (p *Proxy) cacheWorks(dctx *DNSContext) (ok bool) {
 		// Don't cache the requests intended for local upstream servers, those
 		// should be fast enough as is.
 		reason = "requested address is private"
+	case !p.DNSSECEnabled && !dctx.doBit:
+		// Don't cache the responses without DNSSEC RRs if DNSSEC is disabled
+		// and DO bit is not set, since those responses may differ from the ones
+		// with DNSSEC RRs and thus may be not the desired result for user.  In
+		// case DNSSEC is enabled in the proxy, the DO bit will be enforced.
+		reason = "dnssec disabled"
 	case dctx.Req.CheckingDisabled:
 		// Also don't lookup the cache for responses with DNSSEC checking
 		// disabled since only validated responses are cached and those may be

proxy/proxy_internal_test.go

@@ -504,6 +504,7 @@ func TestProxy_Resolve_dnssecCache(t *testing.T) {
 		UpstreamConfig: &UpstreamConfig{Upstreams: []upstream.Upstream{u}},
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 		CacheSizeBytes: defaultCacheSize,
 	})
 
@@ -978,6 +979,7 @@ func TestExchangeCustomUpstreamConfigCache(t *testing.T) {
 		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
 		TrustedProxies: defaultTrustedProxies,
 		CacheEnabled:   true,
+		DNSSECEnabled:  true,
 	})
 
 	servicetest.RequireRun(t, prx, testTimeout)
@@ -1107,6 +1109,7 @@ func TestECSProxy(t *testing.T) {
 			Upstreams: []upstream.Upstream{u},
 		},
 		TrustedProxies:         defaultTrustedProxies,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 		CacheEnabled:           true,
 	})
@@ -1216,6 +1219,7 @@ func TestECSProxyCacheMinMaxTTL(t *testing.T) {
 		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 		UpstreamConfig:         &UpstreamConfig{Upstreams: []upstream.Upstream{u}},
 		TrustedProxies:         defaultTrustedProxies,
+		DNSSECEnabled:          true,
 		EnableEDNSClientSubnet: true,
 		CacheEnabled:           true,
 		CacheMinTTL:            20,
@@ -1309,6 +1313,7 @@ func TestProxy_Resolve_withOptimisticResolver(t *testing.T) {
 			CacheOptimistic:          true,
 			CacheOptimisticAnswerTTL: testOptimisticTTL,
 			CacheOptimisticMaxAge:    testOptimisticMaxAge,
+			DNSSECEnabled:            true,
 		},
 		logger:          testLogger,
 		pendingRequests: newDefaultPendingRequests(),