- Set default for harden-unknown-additional to no. So that it does

not hamper future protocol developments.
2025-12-20 14:53:15 -05:00 · 2023-01-19 15:45:10 +01:00 · 2023-01-19 15:45:10 +01:00 · c9233f8429
commit c9233f8429
parent 8df1e58209
4 changed files with 8 additions and 5 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -5,9 +5,11 @@
 	  resolvers. The new choice, down from 4096 means it is harder to get
 	  large responses from Unbound. Thanks to Xiang Li, from NISL Lab,
 	  Tsinghua University.
-	- Add harden-unknown-additional option. Default on and it removes
+	- Add harden-unknown-additional option. It removes
 	  unknown records from the authority section and additional section.
 	  Thanks to Xiang Li, from NISL Lab, Tsinghua University.
+	- Set default for harden-unknown-additional to no. So that it does
+	  not hamper future protocol developments.

 18 January 2023: Wouter
 	- Fix not following cleared RD flags potentially enables amplification
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -505,7 +505,7 @@ server:

 	# Harden against unknown records in the authority section and the
 	# additional section.
-	# harden-unknown-additional: yes
+	# harden-unknown-additional: no

 	# Sent minimum amount of information to upstream servers to enhance
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -1022,8 +1022,9 @@ this option off avoids that validation failure.
 .TP
 .B harden\-unknown\-additional: \fI<yes or no>
 Harden against unknown records in the authority section and additional
-section. Default is yes. If no, such records are copied from the upstream
-and presented to the client together with the answer.
+section. Default is no. If no, such records are copied from the upstream
+and presented to the client together with the answer. If yes, it could
+hamper future protocol developments that want to add records.
 .TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20\-encoded random bits in the query to foil spoof attempts.
--- a/util/config_file.c
+++ b/util/config_file.c
@ -233,7 +233,7 @@ config_create(void)
 	cfg->harden_below_nxdomain = 1;
 	cfg->harden_referral_path = 0;
 	cfg->harden_algo_downgrade = 0;
-	cfg->harden_unknown_additional = 1;
+	cfg->harden_unknown_additional = 0;
 	cfg->use_caps_bits_for_id = 0;
 	cfg->caps_whitelist = NULL;
 	cfg->private_address = NULL;