On Fri, Oct 31, 2014 at 03:03:11AM +0100, Mike Burns wrote:
> It is my understanding of the code that ssh(1) no longer supports
> DNSSEC. I say this because it calls getrrsetbyname(3) to check the
> secure flag, which calls into the ASR machine. In asr.c, the `pass0'
> function only parses two options, "tcp" and "ndots:", ignoring "edns0".
> Indeed, the asr_run(3) man page lists a lack of EDNS0 support as a
> caveat.
>
> Until EDNS0 is supported, it would be helpful to change the documentation.
>
> -Mike
>
hi. some developers confirmed this, so i've fixed the docs. my change
(below) is a bit different to yours though - for getrrset i just
commented out the text. it seemed odd to explicitly say what it doesn't
do. and for resolv.conf i used a text already used by another option,
and commented out some of the more verbose notes on edns0, to improve
readability.

hope that suits! and thanks for the mail,
jmc

Index: lib/libc/net/getrrsetbyname.3 =================================================================== RCS file: /cvs/src/lib/libc/net/getrrsetbyname.3,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- lib/libc/net/getrrsetbyname.3 23 Aug 2014 07:25:54 -0000 1.19 +++ lib/libc/net/getrrsetbyname.3 5 Nov 2014 15:12:23 -0000 1.20 @@ -1,4 +1,4 @@ -.\" $OpenBSD: getrrsetbyname.3,v 1.19 2014/08/23 07:25:54 jmc Exp $ +.\" $OpenBSD: getrrsetbyname.3,v 1.20 2014/11/05 15:12:23 jmc Exp $ .\" .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -15,7 +15,7 @@ .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 23 2014 $ +.Dd $Mdocdate: November 5 2014 $ .Dt GETRRSETBYNAME 3 .Os .Sh NAME 
@@ -114,11 +114,11 @@ .Li struct rrsetinfo created by a call to .Fn getrrsetbyname . -.Pp -If the EDNS0 option is activated in -.Xr resolv.conf 5 , -.Fn getrrsetbyname -will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit. +.\" .Pp +.\" If the EDNS0 option is activated in +.\" .Xr resolv.conf 5 , +.\" .Fn getrrsetbyname +.\" will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit. .Sh RETURN VALUES .Fn getrrsetbyname returns zero on success, and one of the following error Index: share/man/man5/resolv.conf.5 =================================================================== RCS file: /cvs/src/share/man/man5/resolv.conf.5,v retrieving revision 1.45 retrieving revision 1.46 diff -u -r1.45 -r1.46 --- share/man/man5/resolv.conf.5 23 Aug 2014 07:25:54 -0000 1.45 +++ share/man/man5/resolv.conf.5 5 Nov 2014 15:12:23 -0000 1.46 @@ -1,4 +1,4 @@ -.\" $OpenBSD: resolv.conf.5,v 1.45 2014/08/23 07:25:54 jmc Exp $ +.\" $OpenBSD: resolv.conf.5,v 1.46 2014/11/05 15:12:23 jmc Exp $ .\" $NetBSD: resolv.conf.5,v 1.7 1996/03/06 18:22:16 scottr Exp $ .\" .\" Copyright (c) 1986, 1991 The Regents of the University of California. @@ -30,7 +30,7 @@ .\" .\" @(#)resolver.5 5.12 (Berkeley) 5/10/91 .\" -.Dd $Mdocdate: August 23 2014 $ +.Dd $Mdocdate: November 5 2014 $ .Dt RESOLV.CONF 5 .Os .Sh NAME 
@@ -266,21 +266,24 @@ so the option must be used only when all the servers listed in .Cm nameserver lines are able to handle the extension. -.Pp -To verify whether a server supports EDNS, -query it using the -.Xr dig 1 -query option -.Li +edns=0 : -the reply indicates compliance (EDNS version 0) -and whether a UDP packet larger than 512 bytes can be used. -Note that EDNS0 can cause the server to send packets -large enough to require fragmentation. -Other factors such as packet filters may impede these, -particularly if there is a reduced MTU, -as is often the case with -.Xr pppoe 4 -or with tunnels. +By default on +.Ox +this option does nothing. +.\" .Pp +.\" To verify whether a server supports EDNS, +.\" query it using the +.\" .Xr dig 1 +.\" query option +.\" .Li +edns=0 : +.\" the reply indicates compliance (EDNS version 0) +.\" and whether a UDP packet larger than 512 bytes can be used. +.\" Note that EDNS0 can cause the server to send packets +.\" large enough to require fragmentation. +.\" Other factors such as packet filters may impede these, +.\" particularly if there is a reduced MTU, +.\" as is often the case with +.\" .Xr pppoe 4 +.\" or with tunnels. .It Cm inet6 Enables support for IPv6-only applications, by setting RES_USE_INET6 in _res.options (see
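Review bot: in the getrrsetbyname.3 hunk `@@ -114,11 +114,11 @@`, commenting out the EDNS0/DO paragraph drops the only statement of how getrrsetbyname(3) obtained DNSSEC validation, but leaves the page silent on the fact (stated at the top of this thread and in the asr_run(3) caveats) that validation is not requested at all; a caller that relies on the returned secure flag, such as ssh(1) as described upthread, gets no warning from the manual. Suggest replacing the five `.\"` lines with a short explicit note, e.g. `.Pp` followed by `DNSSEC validation is not currently requested, so returned data is not authenticated.`, or an entry under CAVEATS, so the limitation is documented rather than merely no longer claimed.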
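Review bot: in the resolv.conf.5 hunk `@@ -266,21 +266,24 @@`, the new text `By default on .Ox this option does nothing.` implies there is a non-default build or runtime setting under which edns0 takes effect, but nothing in the hunk or in the thread names one; per the first mail the resolver simply ignores the keyword (pass0 in asr.c parses only `tcp` and `ndots:`). Suggest `On .Ox this option is currently ignored.` Also, the three unchanged context lines directly above the new sentence still tell the reader the option `must be used only when all the servers listed in .Cm nameserver lines are able to handle the extension`, which reads oddly immediately before a sentence saying it does nothing; moving the new sentence to the start of the edns0 description, or commenting out that advice together with the dig(1) paragraph, would remove the contradiction.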

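For readers following the thread, an added example (not code from OpenBSD libc, asr or ssh) of what the commented-out getrrsetbyname(3) sentence was describing on the wire: `build_query()` emits the EDNS0 OPT record with the DNSSEC OK (DO) bit set (RFC 6891, RFC 3225) that a resolver library sends when it asks for validation, and `inspect_reply()` reads the AD bit (RFC 4035) and the OPT record back out of a reply. The reply bytes in `build_sample_reply()` are constructed by hand, not captured; the resolver address used by `query_resolver()` is an assumption for local testing.

```python
"""Request and inspect DNSSEC validation on the wire.

Added example for this thread, not code from OpenBSD libc, asr or ssh.
All sample bytes below are constructed by hand; nothing is a real capture.
"""
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_OPT = 41
QCLASS_IN = 1
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020        # header flag bit 5: Authentic Data (RFC 4035)
EDNS_DO = 0x8000        # DNSSEC OK: top bit of the 16 flag bits in the OPT TTL field


def encode_name(name):
    """Dotted name -> wire labels: "example.com." -> b"\\x07example\\x03com\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, do=True, udp_size=4096):
    """Wire form of a recursive query; with do=True an OPT RR carrying DO is appended."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if do:
        # OPT RR (RFC 6891): owner is the root name, CLASS carries the requestor's
        # UDP payload size, TTL carries ext-rcode(8) | version(8) | flags(16),
        # and DO is the top flag bit.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_size, EDNS_DO, 0)
    return msg


def skip_name(buf, off):
    """Offset just past the (possibly compressed) name that starts at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_reply(buf):
    """DNSSEC-relevant facts about a reply: AD flag, DO on the OPT RR
    (None when no OPT RR is present), rcode and answer count."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4            # QTYPE + QCLASS
    do = None
    for i in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT and i >= an + ns:  # OPT lives in the additional section
            do = bool(ttl & EDNS_DO)
    return {"ad": bool(flags & FLAG_AD), "do": do, "rcode": flags & 0xF, "answers": an}


def build_sample_reply(ad=True, with_opt=True):
    """Hand-constructed reply for `example.com. A` (RFC 5737 address); not a capture."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1 if with_opt else 0)
    question = encode_name("example.com.") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # Answer owner is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    msg = header + question + answer
    if with_opt:
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def query_resolver(server, name, timeout=3.0):
    """Send a DO query over UDP to `server` (assumed reachable on port 53) and inspect the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return inspect_reply(data)


if __name__ == "__main__":
    print("DO query for example.com.:", build_query("example.com.").hex())
    print("validated sample reply:   ", inspect_reply(build_sample_reply()))
    print("plain sample reply:       ", inspect_reply(build_sample_reply(ad=False, with_opt=False)))
    if len(sys.argv) == 3:                        # e.g. 127.0.0.1 example.com.
        print("live reply:", query_resolver(sys.argv[1], sys.argv[2]))
```

Run without arguments it prints the DO query and the two constructed replies; given a resolver address and a name it sends the query live. Two caveats matter in practice: the AD bit is only as trustworthy as the path to the resolver, since nothing in the reply authenticates the bit itself, so it is meaningful only from a validating resolver on localhost or another trusted link; and a library that sends neither DO nor AD in its query, which is what the thread describes for asr, should never see AD set in the reply (RFC 6840, section 5.7), so a "secure" result from getrrsetbyname(3) cannot come from such a query. Comparing `tcpdump -ni <if> udp port 53` output against the OPT record this script emits is a quick way to confirm whether a given libc is actually sending one.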