)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"aaee83aa64d9c68aa269ef93daf1b6cf21f57830","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"7f4e2d4e_88081879","updated":"2026-04-28 16:04:17.000000000","message":"I\u0027m assuming that enabling DNSSecEnabled makes it optional, setting DNSSecValidationRequired makes it required.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"}],"include/openvpn-msg.h":[{"author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"change_message_id":"3930d0b34f84b5f9da8adb830a857e9447b0f890","unresolved":true,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"50d1fe53_70ec2803","line":114,"updated":"2026-04-29 12:42:36.000000000","message":"Is this really needed? As far as I can remember Windows has no `optional` setting, i.e. 
always validates.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"a55d6746de8f14531480026b6f563d04bb12c2d1","unresolved":false,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"ab4a60cb_6dad4a8a","line":114,"in_reply_to":"1e00a0b2_cb21ee82","updated":"2026-04-29 23:01:11.000000000","message":"See http://gerrit.openvpn.net/c/openvpn/+/1644","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"5d463b78a8181f4e1dc19a8e8a26ede37d1c3f58","unresolved":true,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"d51f138a_6bc6d024","line":114,"in_reply_to":"50d1fe53_70ec2803","updated":"2026-04-29 13:01:50.000000000","message":"man-page  says user can set  optional, and I had no idea how to provide that rather than this. 
What this does is for the resolver to set DO flag but not require validation. Treating anything other than \"no\" as \"yes\" is not correct when we allow the user to set yes/no/optional.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"4b115852876a621330560ad7ec38ae66f27127ea","unresolved":true,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"a0719312_f7f3e02b","line":114,"in_reply_to":"9cac179c_8ab54db3","updated":"2026-04-29 16:27:25.000000000","message":"NRPT seems to have two separate settings `DnsSecEnabled` and `DnsSecValidationRequired`. If optional maps well to `DnsSecEnabled\u003dTrue`/`DnsSecValidationRequired\u003dFalse` we could use it. I assume that is what your patch is currently doing? OTOH given that the broken version is already out there maybe we should go for the minimal patch first? I.e. keep the existing boolean and just enable it for DNS_SECURITY_YES and nothing else. 
And then we can discuss a followup patch that would support \"optional\".","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"7d4c4fae4f30aabc202bdb6a2a37c4e58c549789","unresolved":true,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"1e00a0b2_cb21ee82","line":114,"in_reply_to":"a0719312_f7f3e02b","updated":"2026-04-29 20:52:34.000000000","message":"Correct.. I interpret DNSSecEnabled to mean optional as that causes the resolver to set DO flag in queries but not enforce validation. But unsure what use is that. Its not true \"opportunistic\" DNSSEC if that\u0027s what optional means.\n\nA minimal patch that ignores documentation mismatches, and other niceties should be possible. 
Let me see..","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"cf6ae6fa0d7688afce272dab581e49e0ea54fad3","unresolved":true,"context_lines":[{"line_number":111,"context_line":"typedef enum"},{"line_number":112,"context_line":"{"},{"line_number":113,"context_line":"    nrpt_dnssec_enabled \u003d 1 \u003c\u003c 0,"},{"line_number":114,"context_line":"    nrpt_dnssec_required \u003d 1 \u003c\u003c 1,"},{"line_number":115,"context_line":"} nrpt_flags_t;"},{"line_number":116,"context_line":""},{"line_number":117,"context_line":"#define NRPT_ADDR_NUM  8  /* Max. number of addresses */"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"9cac179c_8ab54db3","line":114,"in_reply_to":"d51f138a_6bc6d024","updated":"2026-04-29 15:30:32.000000000","message":"Shall we treat \"optional\" as \"no\" on Windows and document that?","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"63916aad30d2694f7556605599febaa87db4eef8","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"2732d191_3b3afe95","line":127,"updated":"2026-04-29 12:38:53.000000000","message":"The enum type is now really not appropriate anymore. 
We might set the flags value to a value that is not a valid value of the enum. So I think we should just get rid of the enum type?","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"1aabf300ebc9a211b7f65cfa4d670a0d27d2d431","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"b6e006cc_47bdfb38","line":127,"in_reply_to":"2732d191_3b3afe95","updated":"2026-04-29 12:55:14.000000000","message":"We have always wanted to keep openvpn-msg.h as a standalone header that third-party programs may want to use, so we need to define the flag type in there, right? Maybe we could get rid of the one in dns.h and use the flags directly to set server-\u003ednssec, but not sure how clean that would be. 
Also, in future dns flags may learn new bit fields that are unrelated to dnssec.\nValid value for message flags is what openvpn-msg.h says, and using that correctly is not that onerous a requirement, is it?\nUnless I misunderstood the comment.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"4b115852876a621330560ad7ec38ae66f27127ea","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"e5891691_5e2d0dde","line":127,"in_reply_to":"85c58c8d_81efd006","updated":"2026-04-29 16:27:25.000000000","message":"I don\u0027t see how you can get all of that.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"cf6ae6fa0d7688afce272dab581e49e0ea54fad3","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef 
struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"e2022f21_8cd8e2bf","line":127,"in_reply_to":"8ee219d8_22c9eccb","updated":"2026-04-29 15:30:32.000000000","message":"Aha, now I get it :)\nAgreed, better to make flags an int. That would need to define DNS_SECURITY_NO, _OPTIONAL, _YES as 0, 1\u003c\u003c0, 1\u003c\u003c1, and move those to openvpn-msg.h as well?","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"0c41d7751d63261fee2f584084d436e911ba7a93","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"8ee219d8_22c9eccb","line":127,"in_reply_to":"b6e006cc_47bdfb38","updated":"2026-04-29 15:01:31.000000000","message":"I was questioning whether it is clean to set a variable of an enum type to a value that is not a named constant in that type. E.g. the new code might set flags to \"3\", but that is not a named value in nrpt_flags_t. Not sure whether there are compilers that complain about that. 
Still feels unclean.","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"b43bcca67bce98ba0d4202a9cafad067434f1375","unresolved":true,"context_lines":[{"line_number":124,"context_line":"    nrpt_address_t addresses[NRPT_ADDR_NUM];"},{"line_number":125,"context_line":"    char resolve_domains[512]; /* double \\0 terminated */"},{"line_number":126,"context_line":"    char search_domains[512];"},{"line_number":127,"context_line":"    nrpt_flags_t flags;"},{"line_number":128,"context_line":"} nrpt_dns_cfg_message_t;"},{"line_number":129,"context_line":""},{"line_number":130,"context_line":"typedef struct"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"85c58c8d_81efd006","line":127,"in_reply_to":"e2022f21_8cd8e2bf","updated":"2026-04-29 15:37:01.000000000","message":"We can\u0027t move those defines to openvpn-msg.h as we need them on non-Windows as well. 
How to keep the values in sync and have allowed bit fields of flags documented in openvpn-msg.h?","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"}],"src/openvpn/dns.h":[{"author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"change_message_id":"3930d0b34f84b5f9da8adb830a857e9447b0f890","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"enum dns_security"},{"line_number":31,"context_line":"{"},{"line_number":32,"context_line":"    DNS_SECURITY_UNSET,"},{"line_number":33,"context_line":"    DNS_SECURITY_NO,"},{"line_number":34,"context_line":"    DNS_SECURITY_YES,"},{"line_number":35,"context_line":"    DNS_SECURITY_OPTIONAL"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"a25c8f87_72ceb6a7","side":"PARENT","line":32,"updated":"2026-04-29 12:42:36.000000000","message":"Not sure if we should get rid of `unset` since might not have a `optional` setting. 
In that case we need to fall back to something different when the value is unset, like `no`.","commit_id":"b2e3e0f0cf21a712b96efb8c053b740ca1947f54"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"e7bc4adf423928a507932ac1c8370fe18a5b4694","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"enum dns_security"},{"line_number":31,"context_line":"{"},{"line_number":32,"context_line":"    DNS_SECURITY_UNSET,"},{"line_number":33,"context_line":"    DNS_SECURITY_NO,"},{"line_number":34,"context_line":"    DNS_SECURITY_YES,"},{"line_number":35,"context_line":"    DNS_SECURITY_OPTIONAL"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"cfa08e49_08aa2a52","side":"PARENT","line":32,"in_reply_to":"5873967f_9eb03412","updated":"2026-04-30 12:07:48.000000000","message":"\"UNSET is not handled anywhere.\" I looked into that and this is not true. We never use `DNS_SECURITY_UNSET` explicitly in the code. But a lot of the DNS options code does things like `if (s-\u003ednssec)` so we have actually a lot of implicit checks for it. E.g. 
when running the dns script we put nothing in the environment when it is UNSET, and only put \"yes\", \"no\", \"optional\" if explicitly set.","commit_id":"b2e3e0f0cf21a712b96efb8c053b740ca1947f54"},{"author":{"_account_id":1000001,"name":"flichtenheld","display_name":"Frank Lichtenheld","email":"frank@lichtenheld.com","username":"flichtenheld","status":"OpenVPN Inc."},"change_message_id":"42aead777d36a932cbe2959fd4b2913bb34d03ed","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"enum dns_security"},{"line_number":31,"context_line":"{"},{"line_number":32,"context_line":"    DNS_SECURITY_UNSET,"},{"line_number":33,"context_line":"    DNS_SECURITY_NO,"},{"line_number":34,"context_line":"    DNS_SECURITY_YES,"},{"line_number":35,"context_line":"    DNS_SECURITY_OPTIONAL"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"41584b3e_2dda66f8","side":"PARENT","line":32,"in_reply_to":"7125ebe8_1117383f","updated":"2026-04-30 13:23:12.000000000","message":"I would say so. 
If someone actually asks for DNS_SECURITY_OPTIONAL support on Windows, we could certainly look into it, but it feels like not worth the additional complexity to me at this point.","commit_id":"b2e3e0f0cf21a712b96efb8c053b740ca1947f54"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"5d463b78a8181f4e1dc19a8e8a26ede37d1c3f58","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"enum dns_security"},{"line_number":31,"context_line":"{"},{"line_number":32,"context_line":"    DNS_SECURITY_UNSET,"},{"line_number":33,"context_line":"    DNS_SECURITY_NO,"},{"line_number":34,"context_line":"    DNS_SECURITY_YES,"},{"line_number":35,"context_line":"    DNS_SECURITY_OPTIONAL"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"5873967f_9eb03412","side":"PARENT","line":32,"in_reply_to":"a25c8f87_72ceb6a7","updated":"2026-04-29 13:01:50.000000000","message":"As \"dns server n dnssec foo\" is not a mandatory option, UNSET is useless and error-prone. Just decide on a default value and let the variable have that by default. 
UNSET is not handled anywhere.","commit_id":"b2e3e0f0cf21a712b96efb8c053b740ca1947f54"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"6a322048477ca6ec1825466c64c8cb3a9ee3086b","unresolved":true,"context_lines":[{"line_number":29,"context_line":""},{"line_number":30,"context_line":"enum dns_security"},{"line_number":31,"context_line":"{"},{"line_number":32,"context_line":"    DNS_SECURITY_UNSET,"},{"line_number":33,"context_line":"    DNS_SECURITY_NO,"},{"line_number":34,"context_line":"    DNS_SECURITY_YES,"},{"line_number":35,"context_line":"    DNS_SECURITY_OPTIONAL"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"7125ebe8_1117383f","side":"PARENT","line":32,"in_reply_to":"cfa08e49_08aa2a52","updated":"2026-04-30 13:14:08.000000000","message":"Well, in that case, UNSET stays, and with the immediate fix in, nothing in this patch may be abandoned isn\u0027t it?","commit_id":"b2e3e0f0cf21a712b96efb8c053b740ca1947f54"}],"src/openvpnserv/interactive.c":[{"author":{"_account_id":1000006,"name":"d12fk","display_name":"Heiko Hund","email":"heiko@openvpn.net","username":"d12fk"},"change_message_id":"3930d0b34f84b5f9da8adb830a857e9447b0f890","unresolved":true,"context_lines":[{"line_number":2469,"context_line":" */"},{"line_number":2470,"context_line":"static DWORD"},{"line_number":2471,"context_line":"SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address, PCWSTR domains, DWORD dom_size,"},{"line_number":2472,"context_line":"            nrpt_flags_t dnssec)"},{"line_number":2473,"context_line":"{"},{"line_number":2474,"context_line":"    /* Create rule subkey */"},{"line_number":2475,"context_line":"    DWORD err \u003d NO_ERROR;"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"15034e37_b0b146a1","line":2472,"updated":"2026-04-29 12:42:36.000000000","message":"Think it makes sense to rename `dnssec` -\u003e `flags` or `nrpt_flags`, since it 
could have additional things in the future potentially","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"},{"author":{"_account_id":1000009,"name":"selvanair","display_name":"Selva Nair","email":"selva.nair@gmail.com","username":"selvanair"},"change_message_id":"5d463b78a8181f4e1dc19a8e8a26ede37d1c3f58","unresolved":false,"context_lines":[{"line_number":2469,"context_line":" */"},{"line_number":2470,"context_line":"static DWORD"},{"line_number":2471,"context_line":"SetNrptRule(HKEY nrpt_key, PCWSTR subkey, PCSTR address, PCWSTR domains, DWORD dom_size,"},{"line_number":2472,"context_line":"            nrpt_flags_t dnssec)"},{"line_number":2473,"context_line":"{"},{"line_number":2474,"context_line":"    /* Create rule subkey */"},{"line_number":2475,"context_line":"    DWORD err \u003d NO_ERROR;"}],"source_content_type":"text/x-csrc","patch_set":1,"id":"95f23091_fe96ccc6","line":2472,"in_reply_to":"15034e37_b0b146a1","updated":"2026-04-29 13:01:50.000000000","message":"Acknowledged","commit_id":"02213a0355e11206299920c7c2a22359dfd9bb25"}]}
