The application can't know whether AD is trustworthy or not; I think we
should do this fully in asr(3).
I'll send a diff to tech@ that implements glibc's trust-ad
( https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461 )

On 2021-11-18 08:13 +01, Otto Moerbeek <o...@drijf.net> wrote:
> Hi,
>
> And here a sketch of the AD bit approach, including the asr changes.
> Largely untested and lacking docs and the localhost vs non-localhost
> distinction.
>
>       -Otto
>
> Index: include/resolv.h
> ===================================================================
> RCS file: /cvs/src/include/resolv.h,v
> retrieving revision 1.22
> diff -u -p -r1.22 resolv.h
> --- include/resolv.h  14 Jan 2019 06:23:06 -0000      1.22
> +++ include/resolv.h  18 Nov 2021 07:12:08 -0000
> @@ -191,6 +191,7 @@ struct __res_state_ext {
>  /* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
>  #define      RES_USE_DNSSEC  0x20000000      /* use DNSSEC using OK bit in 
> OPT */
>  #define      RES_USE_CD      0x10000000      /* set Checking Disabled flag */
> +#define      RES_USE_AD      0x80000000      /* set Authentic Data flag */
>  
>  #define RES_DEFAULT  (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH)
>  
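Review bot: The comment on the added `RES_USE_AD` define reads as if the option made answers authentic, when the bit is only a query-side request; a comment such as `/* request AD: tell the resolver we understand the AD bit (RFC 6840 5.7); says nothing about trust */` would prevent that misreading. Choosing bit 31 also means `0x80000000` does not fit in a signed int, so any caller that copies `options` into an `int`, as the dns.c hunk later in this diff does, ends up with a negative value; worth a one-line comment here that the bit is only safe in the field's unsigned type.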
> Index: lib/libc/asr/res_mkquery.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/asr/res_mkquery.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 res_mkquery.c
> --- lib/libc/asr/res_mkquery.c        14 Jan 2019 06:49:42 -0000      1.13
> +++ lib/libc/asr/res_mkquery.c        18 Nov 2021 07:12:08 -0000
> @@ -62,6 +62,8 @@ res_mkquery(int op, const char *dname, i
>               h.flags |= RD_MASK;
>       if (ac->ac_options & RES_USE_CD)
>               h.flags |= CD_MASK;
> +     if (ac->ac_options & RES_USE_AD)
> +             h.flags |= AD_MASK;
>       h.qdcount = 1;
>       if (ac->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
>               h.arcount = 1;
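Review bot: The `RES_USE_AD` to `AD_MASK` mapping added here duplicates the same RD/CD/AD option-to-flag chain that setup_query() in res_send_async.c repeats verbatim in the next hunk; a small shared helper that derives the header flags from `ac_options` would keep the two call sites in step as further bits are added. The diff also does not show `AD_MASK` being defined; if the private header does not already provide it next to `RD_MASK` and `CD_MASK`, both hunks fail to build. res_mkquery() begins and ends outside the hunk.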
> Index: lib/libc/asr/res_send_async.c
> ===================================================================
> RCS file: /cvs/src/lib/libc/asr/res_send_async.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 res_send_async.c
> --- lib/libc/asr/res_send_async.c     28 Sep 2019 11:21:07 -0000      1.39
> +++ lib/libc/asr/res_send_async.c     18 Nov 2021 07:12:08 -0000
> @@ -378,6 +378,8 @@ setup_query(struct asr_query *as, const 
>               h.flags |= RD_MASK;
>       if (as->as_ctx->ac_options & RES_USE_CD)
>               h.flags |= CD_MASK;
> +     if (as->as_ctx->ac_options & RES_USE_AD)
> +             h.flags |= AD_MASK;
>       h.qdcount = 1;
>       if (as->as_ctx->ac_options & (RES_USE_EDNS0 | RES_USE_DNSSEC))
>               h.arcount = 1;
> Index: usr.bin/ssh/dns.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/dns.c,v
> retrieving revision 1.41
> diff -u -p -r1.41 dns.c
> --- usr.bin/ssh/dns.c 19 Jul 2021 03:13:28 -0000      1.41
> +++ usr.bin/ssh/dns.c 18 Nov 2021 07:12:08 -0000
> @@ -29,6 +29,7 @@
>  #include <sys/socket.h>
>  
>  #include <netdb.h>
> +#include <resolv.h>
>  #include <stdarg.h>
>  #include <stdio.h>
>  #include <string.h>
> @@ -195,7 +196,7 @@ verify_host_key_dns(const char *hostname
>      struct sshkey *hostkey, int *flags)
>  {
>       u_int counter;
> -     int result;
> +     int result, old_options;
>       struct rrsetinfo *fingerprints = NULL;
>  
>       u_int8_t hostkey_algorithm;
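Review bot: `old_options` is declared `int` on the changed line, but `_res.options` is an unsigned field (`u_long` in the BSD resolver, if I recall correctly) and the new `RES_USE_AD` occupies bit 31, so saving it into an `int` and assigning it back in the next hunk (`_res.options = old_options;`) goes through a possibly negative value that sign-extends into the high bits on a 64-bit `u_long`. Declare it with the field's own type, `u_long old_options;`, so the round trip is lossless; the same applies to the restore in the following hunk of this file. verify_host_key_dns() continues beyond both hunks.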
> @@ -218,8 +219,12 @@ verify_host_key_dns(const char *hostname
>               return -1;
>       }
>  
> +     old_options = _res.options;
> +     _res.options |= RES_USE_AD;
>       result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
>           DNS_RDATATYPE_SSHFP, 0, &fingerprints);
> +     _res.options = old_options;
> +
>       if (result) {
>               verbose("DNS lookup error: %s", dns_result_totext(result));
>               return -1;
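Review bot: The save/modify/restore of the process-wide `_res.options` around getrrsetbyname() carries no comment saying why it is done or what it relies on, which invites a later "simplification" that drops the restore. Suggest `/* Ask for AD in the query so the resolver reports whether it validated the RRset; restore so other lookups in this process are unaffected. */` above `_res.options |= RES_USE_AD;`. Whether asr's getrrsetbyname() actually consults `_res` when the resolver state was never initialised via res_init() is not visible here and is worth confirming before relying on it. verify_host_key_dns() continues past the hunk.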
>

-- 
I'm not entirely sure you are real.
