Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-20 Thread Florian Obser
On 2021-11-20 15:01 +01, Jeremie Courreges-Anglas wrote: > On Sat, Nov 20 2021, Florian Obser wrote: >> The application can't know if AD is trustworthy or not, I think we >> should do this fully in asr(3). >> I'll send a diff to tech@ that implements glibc's trust-ad >> (

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-20 Thread Jeremie Courreges-Anglas
On Sat, Nov 20 2021, Florian Obser wrote: > The application can't know if AD is trustworthy or not, I think we > should do this fully in asr(3). > I'll send a diff to tech@ that implements glibc's trust-ad > ( https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461 ) So is it time to reconsider this

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-20 Thread Florian Obser
The application can't know if AD is trustworthy or not, I think we should do this fully in asr(3). I'll send a diff to tech@ that implements glibc's trust-ad ( https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461 ) On 2021-11-18 08:13 +01, Otto Moerbeek wrote: > Hi, > > And here a sketch of the

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread Otto Moerbeek
Hi, And here a sketch of the AD bit approach, include the asr changes. Largely untested and lacking docs and the localhost vs non-localhost distinction. -Otto Index: include/resolv.h === RCS file:

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread Otto Moerbeek
On Thu, Nov 18, 2021 at 07:22:27AM +0100, Otto Moerbeek wrote: > On Wed, Nov 17, 2021 at 01:05:05PM -0800, tho...@habets.se wrote: > > > On Wed, 17 Nov 2021 20:46:46 +, Otto Moerbeek said: > > > Well, I should have been more clear as well, dig sets both the AD bit > > > (by default) and the

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread Otto Moerbeek
On Wed, Nov 17, 2021 at 01:05:05PM -0800, tho...@habets.se wrote: > On Wed, 17 Nov 2021 20:46:46 +, Otto Moerbeek said: > > Well, I should have been more clear as well, dig sets both the AD bit > > (by default) and the DO bit (on +dnssec). More clients do this. This > > is part of the can of

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread Florian Obser
Only tangential relevant: RFC 6840: 5.7. Setting the AD Bit on Queries The semantics of the Authentic Data (AD) bit in the query were previously undefined. Section 4.6 of [RFC4035] instructed resolvers to always clear the AD bit when composing queries. This document defines

Re: getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread thomas
On Wed, 17 Nov 2021 20:00:21 +, Otto Moerbeek said: > You seem to be confused about the meaning of the ad bit. It is a bit > that only has significance on replies, see > https://datatracker.ietf.org/doc/html/rfc4035#section-4.6 Ah, wireshark calls this bit the "AD bit" when sent by dig, so

getrrsetbyname() doesn't set RES_USE_DNSSEC, preventing VerifyHostKeyDNS with OpenSSH

2021-11-17 Thread Thomas Habets
OpenSSH calls getrrsetbyname() in dns.c:verify_host_key_dns(). It then checks for RRSET_VALIDATED, which is only set if the DNS response has the 'ad' attribute set. getrrsetbyname() in turn uses res_.* to do DNS requests, but doesn't set RES_USE_DNSSEC when doing so. Thus the DNS query that goes
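The following is an added example, not code from OpenSSH, asr(3) or any patch in this thread; the function names and the name host.example.org are hypothetical. It shows at the wire level what the messages above argue about: build_query emits an SSHFP query either plain (RD only, what a getrrsetbyname() that never sets RES_USE_DNSSEC sends), with the header AD bit of RFC 6840 section 5.7, or with an EDNS0 OPT record carrying DO (the bit RES_USE_DNSSEC turns on); query_has_do locates the DO flag where a packet dissector shows it; and reply_has_ad reduces RRSET_VALIDATED to what it is on the wire, the AD bit of the reply header, which any resolver on the path can set whether or not it validated anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Header flags (RFC 1035; AD from RFC 4035) and EDNS0 (RFC 6891) constants. */
#define DNS_QR   0x8000
#define DNS_RD   0x0100
#define DNS_AD   0x0020
#define TYPE_OPT 41
#define EDNS_DO  0x8000   /* top bit of the low 16 bits of the OPT TTL field */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode "a.b.c" as uncompressed labels. Returns bytes written, or -1. */
static int put_name(uint8_t *out, size_t cap, const char *name)
{
    size_t pos = 0, len;
    for (; *name != '\0'; name += len + (name[len] == '.')) {
        len = strcspn(name, ".");
        if (len == 0 || len > 63 || pos + len + 2 > cap) return -1;
        out[pos++] = (uint8_t)len;
        memcpy(out + pos, name, len);
        pos += len;
    }
    if (pos >= cap) return -1;
    out[pos++] = 0;                                   /* root label */
    return (int)pos;
}

/* Skip an uncompressed wire-format name; returns 0 if it runs off the end. */
static size_t skip_name(const uint8_t *msg, size_t len, size_t pos)
{
    while (pos < len && msg[pos] != 0) pos += 1 + msg[pos];
    return pos < len ? pos + 1 : 0;
}

/* Build a query for (name, qtype). want_ad sets AD in the header (RFC 6840 5.7);
 * want_do adds an EDNS0 OPT RR with DO, what RES_USE_DNSSEC makes res_* send. */
int build_query(uint8_t *buf, size_t cap, uint16_t id, const char *name,
                uint16_t qtype, int want_ad, int want_do)
{
    if (cap < 12) return -1;
    memset(buf, 0, 12); put16(buf, id);
    put16(buf + 2, (uint16_t)(DNS_RD | (want_ad ? DNS_AD : 0)));
    put16(buf + 4, 1);                                /* QDCOUNT */
    put16(buf + 10, want_do ? 1 : 0);                 /* ARCOUNT: the OPT RR */
    int n = put_name(buf + 12, cap - 12, name); if (n < 0) return -1;
    size_t pos = 12 + (size_t)n;
    if (pos + 4 > cap) return -1;
    put16(buf + pos, qtype); put16(buf + pos + 2, 1); /* QTYPE, QCLASS IN */
    pos += 4;
    if (want_do) {
        if (pos + 11 > cap) return -1;
        buf[pos++] = 0;                               /* NAME: root */
        put16(buf + pos, TYPE_OPT); pos += 2;
        put16(buf + pos, 4096);     pos += 2;         /* CLASS: UDP payload size */
        buf[pos++] = 0; buf[pos++] = 0;               /* TTL: ext RCODE 0, version 0 */
        put16(buf + pos, EDNS_DO);  pos += 2;         /* TTL: flags, DO set */
        put16(buf + pos, 0);        pos += 2;         /* RDLEN */
    }
    return (int)pos;                                  /* message length */
}

/* 1 if the query carries an OPT RR with DO, 0 if not, -1 if malformed. */
int query_has_do(const uint8_t *msg, size_t len)
{
    if (len < 12) return -1;
    uint16_t qd = get16(msg + 4), ar = get16(msg + 10); size_t pos = 12;
    for (uint16_t i = 0; i < qd; i++) {               /* QNAME, QTYPE, QCLASS */
        pos = skip_name(msg, len, pos);
        if (pos == 0 || pos + 4 > len) return -1;
        pos += 4;
    }
    for (uint16_t i = 0; i < ar; i++) {               /* additional section */
        pos = skip_name(msg, len, pos);
        if (pos == 0 || pos + 10 > len) return -1;
        if (get16(msg + pos) == TYPE_OPT)
            return (get16(msg + pos + 6) & EDNS_DO) ? 1 : 0;
        pos += 10 + get16(msg + pos + 8);             /* TYPE..RDLEN, then RDATA */
    }
    return 0;
}

/* What RRSET_VALIDATED boils down to: AD set in the reply header (1/0, -1 if not
 * a reply). Says nothing about whether the resolver that set it can be trusted. */
int reply_has_ad(const uint8_t *msg, size_t len)
{
    if (len < 12 || !(get16(msg + 2) & DNS_QR)) return -1;
    return (get16(msg + 2) & DNS_AD) ? 1 : 0;
}

int main(void)
{
    uint8_t q[512];
    int n = build_query(q, sizeof q, 0x1234, "host.example.org", 44 /* SSHFP */, 1, 1);
    /* Constructed reply header, not a capture: flags 0x81A0 = QR|RD|RA|AD. */
    const uint8_t reply[12] = { 0x12, 0x34, 0x81, 0xA0, 0, 1, 0, 0, 0, 0, 0, 0 };
    printf("query %d bytes, DO=%d; reply AD=%d\n", n, query_has_do(q, (size_t)n), reply_has_ad(reply, sizeof reply));
    return 0;
}
```

Compile with cc -std=c99 and run. The layout follows RFC 1035 for the header and RFC 6891 for the OPT record, where DO is the top bit of the 16-bit flags half of the TTL field, so it is a different bit from the header AD flag that dig sets by default; a client that sets neither gets neither DNSSEC data nor, from most resolvers, an AD bit it can act on.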