Pull request: AGDNS-3870-imp-dnssec

Squashed commit of the following:

commit 0daffc4
Merge: b75c382 b08e587
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 23 17:04:08 2026 +0700

    Merge remote-tracking branch 'origin/master' into AGDNS-3870-imp-dnssec

commit b75c382
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 23 17:02:23 2026 +0700

    all: upd dnsproxy

commit c9c133b
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Thu Apr 23 10:39:15 2026 +0700

    docs: upd changelog

commit cbd9d3b
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 22 09:42:37 2026 +0700

    docs: upd changelog

commit c7f204f
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 21 11:54:02 2026 +0700

    docs: upd changelog

commit 1036e32
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 21 11:23:47 2026 +0700

    home: dnssec default

commit c043669
Merge: c8eb814 9e153fb
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Tue Apr 21 11:09:37 2026 +0700

    Merge remote-tracking branch 'origin/master' into AGDNS-3870-imp-dnssec

commit c8eb814
Author: Dimitry Kolyshev <dkolyshev@adguard.com>
Date:   Wed Apr 15 11:41:11 2026 +0700

    all: upd dnsproxy

Author: Mizzick

CHANGELOG.md

@@ -18,10 +18,16 @@ See also the [v0.107.75 GitHub milestone][ms-v0.107.75].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Changed
+
+- `enable_dnssec` in `dns` configuration now defines whether the proxy should set the DO flag in the upstream requests, the default is `true` ([#7046]).
+
 ### Fixed
 
 - Safe Browsing and Parental Control labels on the General Settings page not updating after changing the UI language.
 
+[#7046]: https://github.com/AdguardTeam/AdGuardHome/issues/7046
+
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
 -->

go.mod

@@ -3,7 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.26.2
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.81.1
+	github.com/AdguardTeam/dnsproxy v0.81.2
 	github.com/AdguardTeam/golibs v0.35.11
 	github.com/AdguardTeam/urlfilter v0.23.2
 	github.com/NYTimes/gziphandler v1.1.1

go.sum

@@ -4,8 +4,8 @@ cloud.google.com/go/auth v0.20.0 h1:kXTssoVb4azsVDoUiF8KvxAqrsQcQtB53DcSgta74CA=
 cloud.google.com/go/auth v0.20.0/go.mod h1:942/yi/itH1SsmpyrbnTMDgGfdy2BUqIKyd0cyYLc5Q=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-github.com/AdguardTeam/dnsproxy v0.81.1 h1:LM0JYsm3tMRVbJAtjbPcZ9vVmWV9NDmpb+ZsW8I/apU=
-github.com/AdguardTeam/dnsproxy v0.81.1/go.mod h1:5lTCQqVQ8Kt4KnTOmdV0Ab3k58KZFOazupVfXJezwq8=
+github.com/AdguardTeam/dnsproxy v0.81.2 h1:j1p74pbzyrrE21OL1lmNEWxuhHXNykk+NDH4hgDD9Eg=
+github.com/AdguardTeam/dnsproxy v0.81.2/go.mod h1:5lTCQqVQ8Kt4KnTOmdV0Ab3k58KZFOazupVfXJezwq8=
 github.com/AdguardTeam/golibs v0.35.11 h1:LooiyPNtsfv32reFz4qD8KpWQm9jIFuPwHxHyVgtaRg=
 github.com/AdguardTeam/golibs v0.35.11/go.mod h1:wBe9Vgrcn6M4T7p7z/vnRZANLzVO72myRggnCKBx+sQ=
 github.com/AdguardTeam/urlfilter v0.23.2 h1:EiS/PQZO/X2S6cduFW6BBoRLyjd6SqZj1ZiFbU1KaFE=

internal/dnsforward/config.go

@@ -140,7 +140,8 @@ type Config struct {
 	// requests.
 	AAAADisabled bool `yaml:"aaaa_disabled"`
 
-	// EnableDNSSEC, if true, set AD flag in outcoming DNS request.
+	// EnableDNSSEC defines whether the proxy should set the AD/DO bits in the
+	// upstream requests.
 	EnableDNSSEC bool `yaml:"enable_dnssec"`
 
 	// EDNSClientSubnet is the settings list for EDNS Client Subnet.
@@ -365,7 +366,8 @@ func (s *Server) newProxyConfig(ctx context.Context) (conf *proxy.Config, err er
 		PendingRequests: &proxy.PendingRequestsConfig{
 			Enabled: srvConf.PendingRequestsEnabled,
 		},
-		HTTPConfig: httpConf,
+		HTTPConfig:    httpConf,
+		DNSSECEnabled: srvConf.EnableDNSSEC,
 	}
 
 	if srvConf.EDNSClientSubnet.UseCustom {

internal/dnsforward/dnsforward_internal_test.go

@@ -806,6 +806,7 @@ func TestServerCustomClientUpstream(t *testing.T) {
 		Config: Config{
 			CacheSize:    defaultCacheSize,
 			UpstreamMode: UpstreamModeLoadBalance,
+			EnableDNSSEC: true,
 			EDNSClientSubnet: &EDNSClientSubnet{
 				Enabled: false,
 			},

internal/dnsforward/process.go

@@ -471,8 +471,6 @@ func (s *Server) processUpstream(
 
 	s.setCustomUpstream(ctx, l, pctx, dctx.clientID)
 
-	reqWantsDNSSEC := s.setReqAD(req)
-
 	// Process the request further since it wasn't filtered.
 	prx := s.proxy()
 	if prx == nil {
@@ -488,54 +486,9 @@ func (s *Server) processUpstream(
 	dctx.responseFromUpstream = true
 	dctx.responseAD = pctx.Res.AuthenticatedData
 
-	s.setRespAD(pctx, reqWantsDNSSEC)
-
 	return resultCodeSuccess
 }
 
-// setReqAD changes the request based on the server settings.  wantsDNSSEC is
-// false if the response should be cleared of the AD bit.
-//
-// TODO(a.garipov, e.burkov): This should probably be done in module dnsproxy.
-func (s *Server) setReqAD(req *dns.Msg) (wantsDNSSEC bool) {
-	if !s.conf.EnableDNSSEC {
-		return false
-	}
-
-	origReqAD := req.AuthenticatedData
-	req.AuthenticatedData = true
-
-	// Per [RFC 6840] says, validating resolvers should only set the AD bit when
-	// the response has the AD bit set and the request contained either a set DO
-	// bit or a set AD bit.  So, if neither of these is true, clear the AD bits
-	// in [Server.setRespAD].
-	//
-	// [RFC 6840]: https://datatracker.ietf.org/doc/html/rfc6840#section-5.8
-	return origReqAD || hasDO(req)
-}
-
-// hasDO returns true if msg has EDNS(0) options and the DNSSEC OK flag is set
-// in there.
-//
-// TODO(a.garipov): Move to golibs/dnsmsg when it's there.
-func hasDO(msg *dns.Msg) (do bool) {
-	o := msg.IsEdns0()
-	if o == nil {
-		return false
-	}
-
-	return o.Do()
-}
-
-// setRespAD changes the request and response based on the server settings and
-// the original request data.
-func (s *Server) setRespAD(pctx *proxy.DNSContext, reqWantsDNSSEC bool) {
-	if s.conf.EnableDNSSEC && !reqWantsDNSSEC {
-		pctx.Req.AuthenticatedData = false
-		pctx.Res.AuthenticatedData = false
-	}
-}
-
 // dhcpHostFromRequest returns a hostname from question, if the request is for a
 // DHCP client's hostname when DHCP is enabled, and an empty string otherwise.
 func (s *Server) dhcpHostFromRequest(q *dns.Question) (reqHost string) {

internal/home/config.go

@@ -494,6 +494,7 @@ var config = &configuration{
 			CacheSize:                4 * 1024 * 1024,
 			CacheOptimisticAnswerTTL: timeutil.Duration(30 * time.Second),
 			CacheOptimisticMaxAge:    timeutil.Duration(12 * time.Hour),
+			EnableDNSSEC:             true,
 
 			EDNSClientSubnet: &dnsforward.EDNSClientSubnet{
 				CustomIP:  netip.Addr{},

internal/next/dnssvc/config.go

@@ -52,6 +52,10 @@ type Config struct {
 	// CacheEnabled defines if the response cache should be used.
 	CacheEnabled bool
 
+	// DNSSECEnabled specifies if the proxy should set the DO bits in the
+	// upstream requests.
+	DNSSECEnabled bool
+
 	// RefuseAny, if true, refuses DNS queries with the type ANY.
 	RefuseAny bool
 

internal/next/dnssvc/dnssvc.go

@@ -77,6 +77,7 @@ func New(c *Config) (svc *Service, err error) {
 			CacheSizeBytes: c.CacheSize,
 			CacheEnabled:   c.CacheEnabled,
 			RefuseAny:      c.RefuseAny,
+			DNSSECEnabled:  c.DNSSECEnabled,
 			UseDNS64:       c.UseDNS64,
 		},
 		bootstraps:          c.BootstrapServers,
@@ -109,6 +110,7 @@ func New(c *Config) (svc *Service, err error) {
 		RequestHandler: rlMw.Wrap(proxy.DefaultHandler{}),
 		DNS64Prefs:     svc.proxyConf.DNS64Prefs,
 		CacheEnabled:   svc.proxyConf.CacheEnabled,
+		DNSSECEnabled:  svc.proxyConf.DNSSECEnabled,
 		RefuseAny:      svc.proxyConf.RefuseAny,
 		UseDNS64:       svc.proxyConf.UseDNS64,
 	})

internal/next/websvc/dns.go

@@ -29,6 +29,7 @@ type ReqPatchSettingsDNS struct {
 	Ratelimit jsonpatch.NonRemovable[int] `json:"ratelimit"`
 
 	BootstrapPreferIPv6 jsonpatch.NonRemovable[bool] `json:"bootstrap_prefer_ipv6"`
+	DNSSECEnabled       jsonpatch.NonRemovable[bool] `json:"dnssec"`
 	RefuseAny           jsonpatch.NonRemovable[bool] `json:"refuse_any"`
 	UseDNS64            jsonpatch.NonRemovable[bool] `json:"use_dns64"`
 }
@@ -92,6 +93,7 @@ func (svc *Service) handlePatchSettingsDNS(w http.ResponseWriter, r *http.Reques
 	req.Ratelimit.Set(&newConf.Ratelimit)
 
 	req.BootstrapPreferIPv6.Set(&newConf.BootstrapPreferIPv6)
+	req.DNSSECEnabled.Set(&newConf.DNSSECEnabled)
 	req.RefuseAny.Set(&newConf.RefuseAny)
 	req.UseDNS64.Set(&newConf.UseDNS64)