On Mon, Feb 27, 2017 at 12:35:33AM +0100, Jeremie Courreges-Anglas wrote:
> Setting the AD flag for a query is possible, however those semantics are
> newer than the EDNS0 extension.  As far as I know, rfc6840 introduced
> AD=1 for queries in 2013, whereas rfc3225 specifies the DO flag since
> 2001.
> 
>   https://tools.ietf.org/html/rfc3225
>   https://tools.ietf.org/html/rfc6840#section-5.7
> 
> Also EDNS0 can give you more than 512 bytes on UDP (if the resolver
> supports it).  So I thought I'd rather implement RES_USE_DNSSEC on top
> of EDNS0.
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Jeremie & tech@,

Thanks for considering my patch.  OpenBSD tremendously improves with this
work of yours, I'm all for it!  However, to make use of this DNSSEC mode,
the channel to the recursive DNS server has to be absolutely secure (for DO
or AD in a response).

My looming question that no one wants to ask because it's a bit (a lot)
of work for the programmer(s) is: can we work toward the goal of a validating
dnssec resolver?  (I know it's a lot of work, we'd need a group and an
architect perhaps, ultimately the RFCs are the guideline)  Luckily I'm
between projects outside of my main job and I think I can contribute a little.

Are any (DNS) security programmers interested in this?  I can come to Paris
for EuroBSDCon to get together for this matter, but I'd want to get started
earlier if we form a small group for that matter.

Regards,
-peter
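As an added illustration, not code from this thread or from OpenBSD's libc, the block below shows where the two flags Jeremie distinguishes live on the wire: DO is a bit in the TTL field of the EDNS0 OPT pseudo-record (RFC 3225), while AD is a header flag. The response it inspects is constructed in-process, not real traffic, and the trust check at the end states Peter's caveat: AD=1 in a reply is only the resolver's assertion, so a stub should act on it only when the path to that resolver is one it trusts.

```python
import struct

FLAG_RD, FLAG_AD = 0x0100, 0x0020   # DNS header bits (RFC 1035, RFC 4035)
OPT_TYPE, EDNS_DO = 41, 0x8000      # OPT pseudo-RR type; DO bit in its TTL field (RFC 3225)

def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, udp_size=4096, do=True, ad=False, txid=0x1234):
    """Query with an EDNS0 OPT record: DO asks for DNSSEC RRs, AD asks for authenticated data."""
    flags = FLAG_RD | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)    # ARCOUNT=1 carries the OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = EDNS_DO if do else 0                                 # ext-rcode=0, version=0, flags
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt

def skip_name(msg, off):
    """Advance past a wire-format name, including a 2-byte compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def inspect(msg):
    """What a message claims: header AD bit, OPT DO bit, advertised UDP payload size."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                          # QTYPE + QCLASS
    info = {"ad": bool(flags & FLAG_AD), "do": None, "udp_size": None}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:                                  # CLASS field is the UDP size
            info["do"], info["udp_size"] = bool(ttl & EDNS_DO), rclass
    return info

def constructed_response(query, addr=bytes([192, 0, 2, 1])):
    """Constructed sample reply (not real traffic): echoes the question, answers with a compressed name."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4
    hdr = struct.pack("!HHHHHH", txid, flags | 0x8080 | FLAG_AD, 1, 1, 0, 1)  # QR, RA, AD
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr          # name -> offset 12
    return hdr + query[12:qend] + answer + query[qend:]

def may_trust_ad(info, channel_to_resolver_trusted):
    """AD=1 is only the resolver's word; honour it solely over a trusted channel (Peter's point)."""
    return bool(info["ad"]) and channel_to_resolver_trusted
```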
