The application can't know whether AD is trustworthy or not; I think we should do this fully in asr(3). I'll send a diff to tech@ that implements glibc's trust-ad (https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461).
On 2021-11-18 08:13 +01, Otto Moerbeek <o...@drijf.net> wrote:
> Hi,
>
> And here a sketch of the AD bit approach, include the asr changes.
> Largely untested and lacking docs and the localhost vs non-localhost
> distinction.
>
> -Otto
>
> Index: include/resolv.h
> ===================================================================
> RCS file: /cvs/src/include/resolv.h,v
> retrieving revision 1.22
> diff -u -p -r1.22 resolv.h
> --- include/resolv.h 14 Jan 2019 06:23:06 -0000 1.22
> +++ include/resolv.h 18 Nov 2021 07:12:08 -0000
> @@ -191,6 +191,7 @@ struct __res_state_ext {
> /* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
> #define RES_USE_DNSSEC 0x20000000 /* use DNSSEC using OK bit in
> OPT */
> #define RES_USE_CD 0x10000000 /* set Checking Disabled flag */
> +#define RES_USE_AD 0x80000000 /* set Authentic Data flag */
>
> #define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH)
>
> Index: lib/libc/asr/res_mkquery.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/asr/res_mkquery.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 res_mkquery.c
> --- lib/libc/asr/res_mkquery.c 14 Jan 2019 06:49:42 -0000 1.13
> +++ lib/libc/asr/res_mkquery.c 18 Nov 2021 07:12:08 -0000
> @@ -62,6 +62,8 @@ res_mkquery(int op, const char *dname, i
> h.flags |= RD_MASK;
> if (ac->ac_options & RES_USE_CD)
> h.flags |= CD_MASK;
> + if (ac->ac_options & RES_USE_AD)
> + h.flags |= AD_MASK;
> h.qdcount = 1;
> if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
> h.arcount = 1;
> Index: lib/libc/asr/res_send_async.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 res_send_async.c
> --- lib/libc/asr/res_send_async.c 28 Sep 2019 11:21:07 -0000 1.39
> +++ lib/libc/asr/res_send_async.c 18 Nov 2021 07:12:08 -0000
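Review bot: `RES_USE_AD 0x80000000` is bit 31, i.e. the sign bit of a 32-bit `int`, and the constant itself has type `unsigned int`; the new tests in res_mkquery.c and res_send_async.c do `ac->ac_options & RES_USE_AD`, so if `ac_options` is declared `int` (its declaration is not in this diff) then `ac_options |= RES_USE_AD` goes through an implementation-defined unsigned-to-signed conversion and the field becomes negative. The existing comment says "use higher bit to avoid conflict with ISC use", so the intent is clear, but the remaining bit chosen here is the one that interacts worst with `int` storage. If the option field is an `int`, either make it unsigned or document the constraint next to the define, e.g. `/* bit 31: requires an unsigned options field */`.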
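Review bot: The `RES_USE_*`-to-header-flag mapping (RD, CD and now AD) is copied verbatim between `res_mkquery` in this hunk and `setup_query` in the res_send_async.c hunk that follows, so the two already have to be kept in sync by hand and this change touches both. A small shared helper that turns an options word into the `h.flags` bits, called from both places, would remove the duplication. Both hunks also rely on `AD_MASK` being defined next to `CD_MASK` in the private header, which this diff does not show; worth confirming it exists. A one-line comment would help future readers, since the effect is easy to overstate: `/* AD in a query only tells the resolver we understand the bit (RFC 6840 §5.7); it is not a validation request. */`.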
> @@ -378,6 +378,8 @@ setup_query(struct asr_query *as, const
> h.flags |= RD_MASK;
> if (as->as_ctx->ac_options & RES_USE_CD)
> h.flags |= CD_MASK;
> + if (as->as_ctx->ac_options & RES_USE_AD)
> + h.flags |= AD_MASK;
> h.qdcount = 1;
> if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
> h.arcount = 1;
> Index: usr.bin/ssh/dns.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/dns.c,v
> retrieving revision 1.41
> diff -u -p -r1.41 dns.c
> --- usr.bin/ssh/dns.c 19 Jul 2021 03:13:28 -0000 1.41
> +++ usr.bin/ssh/dns.c 18 Nov 2021 07:12:08 -0000
> @@ -29,6 +29,7 @@
> #include <sys/socket.h>
>
> #include <netdb.h>
> +#include <resolv.h>
> #include <stdarg.h>
> #include <stdio.h>
> #include <string.h>
> @@ -195,7 +196,7 @@ verify_host_key_dns(const char *hostname
> struct sshkey *hostkey, int *flags)
> {
> u_int counter;
> - int result;
> + int result, old_options;
> struct rrsetinfo *fingerprints = NULL;
>
> u_int8_t hostkey_algorithm;
> @@ -218,8 +219,12 @@ verify_host_key_dns(const char *hostname
> return -1;
> }
>
> + old_options = _res.options;
> + _res.options |= RES_USE_AD;
> result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
> DNS_RDATATYPE_SSHFP, 0, &fingerprints);
> + _res.options = old_options;
> +
> if (result) {
> verbose("DNS lookup error: %s", dns_result_totext(result));
> return -1;
> -- I'm not entirely sure you are real.
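Review bot: `old_options` is declared `int` in the `@@ -195` hunk of dns.c but is used in the `@@ -218` hunk to save and restore `_res.options`, which in the BIND-derived `struct __res_state` is a wider unsigned field (`u_long`, as far as I recall; confirm against include/resolv.h, whose struct is not in this diff), so the round trip through `int` can drop high bits and, with `RES_USE_AD` being bit 31, depends on implementation-defined conversion; declare it with the field's type, `u_long old_options;`, or simply `_res.options &= ~RES_USE_AD;` afterwards instead of saving the whole word. The save/restore also mutates process-wide resolver state around the blocking `getrrsetbyname()` call rather than passing the flag to the lookup, which is fine for a single-threaded client but is worth a comment saying so. Whether the modified `_res.options` is consulted at all if `res_init()` has not run earlier is not visible here and should be confirmed. `verify_host_key_dns`'s body continues outside the hunk.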