It is my understanding of the code that ssh(1) no longer supports DNSSEC. I say this because it calls getrrsetbyname(3) to check the secure flag, which calls into the ASR machine. In asr.c, the `pass0' function only parses two options, "tcp" and "ndots:", ignoring "edns0". Indeed, the asr_run(3) man page lists a lack of EDNS0 support as a caveat.
Until EDNS0 is supported, it would be helpful to change the documentation. -Mike Index: lib/libc/net/getrrsetbyname.3 =================================================================== RCS file: /cvs/src/lib/libc/net/getrrsetbyname.3,v retrieving revision 1.19 diff -u -p -u -r1.19 getrrsetbyname.3 --- lib/libc/net/getrrsetbyname.3 23 Aug 2014 07:25:54 -0000 1.19 +++ lib/libc/net/getrrsetbyname.3 31 Oct 2014 02:00:29 -0000 @@ -115,10 +115,11 @@ is a pointer to a created by a call to .Fn getrrsetbyname . .Pp -If the EDNS0 option is activated in -.Xr resolv.conf 5 , +The EDNS0 option in +.Xr resolv.conf 5 +is currently ignored, which means that .Fn getrrsetbyname -will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit. +will not request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit. .Sh RETURN VALUES .Fn getrrsetbyname returns zero on success, and one of the following error Index: share/man/man5/resolv.conf.5 =================================================================== RCS file: /cvs/src/share/man/man5/resolv.conf.5,v retrieving revision 1.45 diff -u -p -u -r1.45 resolv.conf.5 --- share/man/man5/resolv.conf.5 23 Aug 2014 07:25:54 -0000 1.45 +++ share/man/man5/resolv.conf.5 31 Oct 2014 02:00:29 -0000 @@ -281,6 +281,9 @@ particularly if there is a reduced MTU, as is often the case with .Xr pppoe 4 or with tunnels. +.Pp +This option is ignored on +.Ox . .It Cm inet6 Enables support for IPv6-only applications, by setting RES_USE_INET6 in _res.options (see
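Review bot: in the getrrsetbyname.3 hunk, the replacement sentence ("is currently ignored, which means that ... will not request DNSSEC authentication") puts a temporary limitation in the middle of the text describing the function's behaviour, where it is easy to miss and easy to forget to revert once EDNS0 is supported. Consider moving it to a CAVEATS section, as the message says asr_run(3) already does for the missing EDNS0 support, and stating there what a caller that tests for a validated answer should expect while the DO bit is not sent.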
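Review bot: in the resolv.conf.5 hunk, the added "This option is ignored on .Ox ." comes after the full description of the option, so a reader gets through the reduced-MTU advice before learning that the setting has no effect, and it drops the "currently" used in the getrrsetbyname.3 hunk. Consider opening the item with this statement and using the same wording in both pages, so that the two man pages agree on whether the limitation is expected to be temporary.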
