"Peter J. Philipp" <p...@centroid.eu> writes:

> On Mon, Feb 27, 2017 at 12:35:33AM +0100, Jeremie Courreges-Anglas wrote:
>> Setting the AD flag for a query is possible, however those semantics are
>> newer than the EDNS0 extension. As far as I know, rfc6840 introduced
>> AD=1 for queries in 2013, whereas rfc3225 specifies the DO flag since
>> 2001.
>>
>> https://tools.ietf.org/html/rfc3225
>> https://tools.ietf.org/html/rfc6840#section-5.7
>>
>> Also EDNS0 can give you more than 512 bytes on UDP (if the resolver
>> supports it). So I thought I'd rather implement RES_USE_DNSSEC on top
>> of EDNS0.
>>
>> --
>> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>
> Jeremie & tech@,
>
> Thanks for considering my patch. OpenBSD tremendously improves with this
> work of yours, I'm all for it! However, to make use of this DNSSEC mode,
> the channel to the recursive DNS server has to be absolutely secure (for DO
> or AD in a response).

Yes, the assumption is that the resolver listed in /etc/resolv.conf is
trusted, including the network in between. The easiest method is to run
unbound on 127.0.0.1 with "auto-trust-anchor-file".

> My looming question that no one wants to ask because it's a bit (a lot)
> of work for the programmer(s) is: can we work toward the goal of a validating
> dnssec resolver?

Please clarify: do you mean "stub resolver" here, i.e. the code that runs
in libc?

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE