feat: enable DNSSEC validation by default

With recursive as the default mode, DNSSEC validation completes the trustless resolution chain. Strict mode remains off by default. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-01 06:07:40 +03:00
parent e608e12000
commit 5626da097d
1 changed files with 15 additions and 2 deletions
--- a/src/config.rs
+++ b/src/config.rs
@@ -114,6 +114,10 @@ impl Default for UpstreamConfig {
    }
 }

+fn default_true() -> bool {
+    true
+}
+
 fn default_srtt() -> bool {
    true
 }
@@ -356,14 +360,23 @@ fn default_lan_peer_timeout() -> u64 {
    90
 }

-#[derive(Deserialize, Clone, Default)]
+#[derive(Deserialize, Clone)]
 pub struct DnssecConfig {
-    #[serde(default)]
+    #[serde(default = "default_true")]
    pub enabled: bool,
    #[serde(default)]
    pub strict: bool,
 }

+impl Default for DnssecConfig {
+    fn default() -> Self {
+        DnssecConfig {
+            enabled: true,
+            strict: false,
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;