On Sun, Jul 26 2020, Jesper Wallin <[email protected]> wrote:
> On Sat, Jul 25, 2020 at 02:01:06PM +0200, Jeremie Courreges-Anglas wrote:
>> 
>> For those two reasons I think the feature should be opt-in.
>
> Yeah, I agree with you.  My first approach was to have it check what
> kind of DNS record that was requested, and add the AD-flag only if type
> was SSHFP, but that felt even uglier.  I also wasn't so sure my approach
> was the right one after reading the RFCs Peter J. Philipp mentioned.

The quote from RFC6840 seems clear to me, care to share why you had some
doubts if they still exist?

> Perhaps another approach would be to make use of the currently unused
> flags argument in getrrsetbyname(3)?  This way, only getrrsetbyname(3)
> and certain requests are affected by it.

I thought about that too, but getrrsetbyname(3) isn't the only function
of interest.  There's also res_query(3) and friends, which are in wider
use in the larger ecosystem.  I guess we could restrict AD flag
tweaking to APIs where the caller can actually access the AD flag in the
response, but the "default vs opt-in" question is still present.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
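
Added example (not code from this thread or from OpenBSD libc) showing
where the AD bit sits in the DNS header and the two halves of the
question above: setting it on a query, and reading it back from a
response.  The `ad_policy` knob is hypothetical; `AD_SSHFP_ONLY` models
the "only when the qtype is SSHFP" approach, `AD_ALWAYS` the default-on
variant, and `AD_NEVER` the opt-out.  The response bytes are constructed
inline so the program runs offline.

```c
/*
 * Added example, not from the mailing-list thread or from OpenBSD libc.
 * DNS header layout per RFC 1035 s4.1.1; AD bit per RFC 4035, and the
 * "AD in a query is a signal that the requester understands AD in the
 * response" rule per RFC 6840 s5.7.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define DNS_FLAG_QR   0x8000  /* message is a response */
#define DNS_FLAG_RD   0x0100  /* recursion desired */
#define DNS_FLAG_RA   0x0080  /* recursion available */
#define DNS_FLAG_AD   0x0020  /* authentic data */
#define DNS_FLAG_CD   0x0010  /* checking disabled */
#define DNS_CLASS_IN  1
#define DNS_T_A       1
#define DNS_T_SSHFP   44      /* RFC 4255 */

/* Hypothetical policy knob, not an OpenBSD libc interface. */
enum ad_policy { AD_NEVER, AD_ALWAYS, AD_SSHFP_ONLY };

static uint16_t get16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static void put16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v >> 8);
    p[1] = (unsigned char)(v & 0xff);
}

/* Decide whether a query for qtype gets the AD bit under the given policy. */
int dns_want_ad(uint16_t qtype, enum ad_policy pol)
{
    switch (pol) {
    case AD_ALWAYS:     return 1;
    case AD_SSHFP_ONLY: return qtype == DNS_T_SSHFP;
    default:            return 0;
    }
}

/*
 * Encode a header plus one question into buf.  Returns the message length,
 * or 0 if the name is invalid or buf is too small.  Uncompressed labels only.
 */
size_t dns_build_query(unsigned char *buf, size_t buflen, uint16_t id,
    const char *name, uint16_t qtype, enum ad_policy pol)
{
    uint16_t flags = DNS_FLAG_RD;
    size_t off = DNS_HDR_LEN;
    const char *p = name;

    if (buflen < DNS_HDR_LEN + 1 + 4)
        return 0;
    if (dns_want_ad(qtype, pol))
        flags |= DNS_FLAG_AD;

    memset(buf, 0, DNS_HDR_LEN);
    put16(buf, id);
    put16(buf + 2, flags);
    put16(buf + 4, 1);              /* QDCOUNT = 1 */

    /* QNAME: length-prefixed labels terminated by a zero byte. */
    while (*p != '\0') {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0 || len > 63 || off + 1 + len >= buflen)
            return 0;
        buf[off++] = (unsigned char)len;
        memcpy(buf + off, p, len);
        off += len;
        p = dot ? dot + 1 : p + len;
    }
    if (off + 1 + 4 > buflen)
        return 0;
    buf[off++] = 0;
    put16(buf + off, qtype);        off += 2;
    put16(buf + off, DNS_CLASS_IN); off += 2;
    return off;
}

/* Flags word of a built message, for inspection. */
uint16_t dns_query_flags(const unsigned char *msg)
{
    return get16(msg + 2);
}

/*
 * Inspect a response header.  Returns 1 if it is a response with AD set,
 * 0 if it is a response without AD, -1 if it is too short, carries the
 * wrong id, or is not a response at all.
 */
int dns_response_ad(const unsigned char *msg, size_t len, uint16_t expect_id)
{
    uint16_t flags;

    if (len < DNS_HDR_LEN || get16(msg) != expect_id)
        return -1;
    flags = get16(msg + 2);
    if (!(flags & DNS_FLAG_QR))
        return -1;
    return (flags & DNS_FLAG_AD) ? 1 : 0;
}

int main(void)
{
    unsigned char q[512];
    size_t n;
    /* Constructed response header: id 0x1234, flags QR|RD|RA|AD. */
    static const unsigned char resp[DNS_HDR_LEN] = {
        0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01,
        0x00, 0x00, 0x00, 0x00
    };

    n = dns_build_query(q, sizeof q, 0x1234, "example.org", DNS_T_SSHFP,
        AD_SSHFP_ONLY);
    printf("SSHFP query: %zu bytes, AD in query: %s\n", n,
        (dns_query_flags(q) & DNS_FLAG_AD) ? "yes" : "no");
    n = dns_build_query(q, sizeof q, 0x1234, "example.org", DNS_T_A,
        AD_SSHFP_ONLY);
    printf("A query: %zu bytes, AD in query: %s\n", n,
        (dns_query_flags(q) & DNS_FLAG_AD) ? "yes" : "no");
    printf("constructed response AD: %d\n",
        dns_response_ad(resp, sizeof resp, 0x1234));
    return 0;
}
```

One caveat worth keeping in mind with any of the three policies: AD in the
response only says that the recursive resolver validated; a stub can trust
it only as far as it trusts the path to that resolver (a local validating
resolver, or an authenticated transport), which is part of why making it
opt-in is the conservative choice.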
