Viktor Dukhovni <[email protected]> wrote:
>
> It is in fact problematic if both 127.0.0.1 and another nameserver
> are listed. The correct semantics of that are hard to define. It
> makes more sense to define a boolean primitive that marks all the
> nameservers collectively as either trusted or not.

Yes.

> The RES_USE_DNSSEC flag turns on the "DO" bit. I would be surprised
> if RES_USE_EDNS0 enabled "DO".

Er yes, you are right. I was confused by the way ssh uses the resolver: it sets RES_USE_DNSSEC only if RES_USE_EDNS0 is set, so putting "options edns0" in /etc/resolv.conf turns on ssh's trust-AD behaviour. There is not a separate resolv.conf option for DNSSEC. Grotty.

(Note that when I make statements about resolver behaviour I am checking both FreeBSD and glibc - they are pretty consistent in all this.)

> As for setting the "AD" bit in the request automatically, it probably
> should still require an explicit indication of interest from the
> application or be set via a default option value in /etc/resolv.conf.

Perhaps, though I think the AD flag is pretty benign.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty, Forth, Tyne, Dogger: Southwest 5 to 7, backing south or southeast 6 to gale 8 for a time. Moderate or rough. Showers then rain. Good, becoming moderate or poor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
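The exchange above turns on two different bits that are easy to conflate: the DO bit, which lives in the TTL field of the EDNS0 OPT record and is what RES_USE_DNSSEC requests, and the AD bit, which lives in the DNS message header. The following is an added illustration, not code from the thread, ssh, or any libc: it hand-encodes a small query in wire format (so it needs no libresolv) and reads the bits back. USE_EDNS0 and USE_DNSSEC are local stand-ins for the RES_USE_* option bits, TRUST_AD is a hypothetical option for setting AD in the request, and ssh_style_options() models only the rule Tony describes (DNSSEC switched on whenever EDNS0 is). Adding an OPT record whenever either flag is set follows what BIND's and glibc's res_nquery do, since DO has nowhere to go without an OPT record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the <resolv.h> option bits discussed in the thread.
 * Values are private to this example, not the libc ones. */
#define USE_EDNS0   0x1u   /* like RES_USE_EDNS0: add an OPT record        */
#define USE_DNSSEC  0x2u   /* like RES_USE_DNSSEC: set DO in that OPT      */
#define TRUST_AD    0x4u   /* hypothetical: set AD in the query header     */

struct query { unsigned char buf[64]; size_t len; };
struct query_flags { int has_opt, do_bit, ad_bit; };

static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }
static uint16_t get16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Model of the query a stub resolver emits for "example. IN A" under opts. */
struct query build_query(unsigned opts)
{
    struct query q = { {0}, 0 };
    unsigned char *p = q.buf;
    int want_opt = (opts & (USE_EDNS0 | USE_DNSSEC)) != 0; /* DO needs an OPT RR */
    uint16_t flags = 0x0100;                                /* RD                 */
    if (opts & TRUST_AD) flags |= 0x0020;                   /* AD: header bit 5   */

    put16(p, 0x1234); put16(p + 2, flags);                  /* ID, flags          */
    put16(p + 4, 1);  put16(p + 6, 0);                      /* QDCOUNT, ANCOUNT   */
    put16(p + 8, 0);  put16(p + 10, want_opt ? 1 : 0);      /* NSCOUNT, ARCOUNT   */
    p += 12;

    /* QNAME "example." (constructed sample), QTYPE A, QCLASS IN */
    static const unsigned char question[] = { 7,'e','x','a','m','p','l','e',0, 0,1, 0,1 };
    memcpy(p, question, sizeof question); p += sizeof question;

    if (want_opt) {
        *p++ = 0;                                           /* root owner name    */
        put16(p, 41); p += 2;                               /* TYPE OPT           */
        put16(p, 4096); p += 2;                             /* CLASS = UDP size   */
        *p++ = 0; *p++ = 0;                                 /* TTL: ext RCODE, version */
        put16(p, (opts & USE_DNSSEC) ? 0x8000 : 0); p += 2; /* TTL: DO is bit 15  */
        put16(p, 0); p += 2;                                /* RDLENGTH           */
    }
    q.len = (size_t)(p - q.buf);
    return q;
}

/* Read the bits back from wire format: AD from the header, DO from the OPT RR.
 * Uncompressed names only, which is all build_query() produces. */
struct query_flags inspect_query(const unsigned char *buf, size_t len)
{
    struct query_flags f = { 0, 0, 0 };
    if (len < 12) return f;
    f.ad_bit = (get16(buf + 2) & 0x0020) != 0;
    uint16_t qdcount = get16(buf + 4), arcount = get16(buf + 10);
    size_t i = 12;
    for (uint16_t n = 0; n < qdcount; n++) {                /* skip question section */
        while (i < len && buf[i] != 0) i += buf[i] + 1;
        i += 1 + 4;                                         /* root label, QTYPE, QCLASS */
    }
    for (uint16_t n = 0; n < arcount; n++) {                /* look for OPT in additional */
        while (i < len && buf[i] != 0) i += buf[i] + 1;
        i += 1;
        if (i + 10 > len) break;
        uint16_t type = get16(buf + i), rdlen = get16(buf + i + 8);
        if (type == 41) {
            f.has_opt = 1;
            f.do_bit = (get16(buf + i + 6) & 0x8000) != 0;  /* low 16 bits of TTL */
        }
        i += 10 + rdlen;
    }
    return f;
}

struct query_flags flags_for(unsigned opts)
{
    struct query q = build_query(opts);
    return inspect_query(q.buf, q.len);
}

/* The ssh rule described in the message: RES_USE_DNSSEC is switched on only
 * when RES_USE_EDNS0 already is, so "options edns0" in resolv.conf is what
 * ends up requesting DO. */
unsigned ssh_style_options(unsigned resolv_conf_opts)
{
    if (resolv_conf_opts & USE_EDNS0)
        resolv_conf_opts |= USE_DNSSEC;
    return resolv_conf_opts;
}

int main(void)
{
    unsigned via_ssh = ssh_style_options(USE_EDNS0);
    unsigned sets[] = { 0, USE_EDNS0, via_ssh, USE_EDNS0 | TRUST_AD };
    for (size_t k = 0; k < sizeof sets / sizeof sets[0]; k++) {
        struct query_flags f = flags_for(sets[k]);
        printf("opts=0x%x  OPT=%d DO=%d AD=%d\n", sets[k], f.has_opt, f.do_bit, f.ad_bit);
    }
    return 0;
}
```

The point the table makes: "options edns0" alone produces an OPT record with DO clear; it is only ssh's rule of adding RES_USE_DNSSEC on top of RES_USE_EDNS0 that turns DO on, and the AD header bit is a separate thing that neither flag touches.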
