[PR #2451] [MERGED] SignSettings: rm use_dnssec field #3053

Closed
opened 2026-03-16 11:22:35 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2451
Author: @japaric
Created: 9/12/2024
Status: Merged
Merged: 9/16/2024
Merged by: @pvdrz

Base: main ← Head: ja-signsettings-rm-use_dnssec


📝 Commits (1)

  • 1cbfaba SignSettings: rm use_dnssec field

📊 Changes

2 files changed (+2 additions, -16 deletions)

📝 conformance/packages/conformance-tests/src/name_server/rfc5155.rs (+1 -5)
📝 conformance/packages/dns-test/src/zone_file/signer.rs (+1 -11)

📄 Description

if the zone is being signed then DNSSEC has to be enabled as RRSIG are DNSSEC records.

I understand that Config::Nameserver.use_dnssec is being used to enable runtime signing in hickory but not enabling that when SignSettings is used would lead to a situation where other SUBJECTs (e.g. unbound) are signing their zones and hickory is not which would be a wrongly set up test.

also, to me it seems that Config::Nameserver.use_dnssec should have type Option<SignSettings> (and be called something else) and that Implementation::format_config should panic if settings not supported by hickory are used, e.g. opt-out maybe?

r? @pvdrz


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
