On 2021-11-20 14:40 +01, Otto Moerbeek <o...@drijf.net> wrote:
> On Sat, Nov 20, 2021 at 12:20:32PM +0100, Florian Obser wrote:
>> diff --git share/man/man5/resolv.conf.5 share/man/man5/resolv.conf.5
>> index 8d3b91c0832..ac64d3e6fd6 100644
>> --- share/man/man5/resolv.conf.5
>> +++ share/man/man5/resolv.conf.5
>> @@ -259,6 +259,12 @@ first as an absolute name before any search list
>> elements are appended to it.
>> .It Cm tcp
>> Forces the use of TCP for queries.
>> Normal behaviour is to query via UDP but fall back to TCP on failure.
>> +.It Cm trust-ad
>> +Request DNSSEC validated data from the nameservers and preserve the
>> +Authentic Data (AD) flag in responses.
>
>> +Otherwise the Authentic Data (AD) flag is removed from responses.
>
> This is not what happens (though the DNS header itself is not exposed
> in the API). Maybe describe it as:
>
That is a very good point. And it hints that the diff is not complete.
I think we should fiddle with the header. I think res_send_async_run()
should unset the AD flag in ASR_STATE_PACKET. The API exposes the raw
packet in the res_query(3) family of functions. And this is actually
what glibc does.

> Request DNSSEC validated data from the nameservers and evaluate the AD
> flag in responses.
>
>> +The nameservers and the network path to them must be trusted.
>
> Maybe:
>
> Only set this flag if the nameservers and the network paths to them are
> trusted.
>

I wanted to focus less on the technical details (AD flag) and more on
what this means. Of course I failed at that ;)
I think we should mention the AD flag so that people who know how DNSSEC
works can find it, but we need to better explain when a random user
should set the flag (never!).

I'll rework the diff.

>> +This is the default for nameservers on localhost.
>> .El
>> .El
>> .Pp
>>
>> --
>> I'm not entirely sure you are real.
>>
>

--
I'm not entirely sure you are real.
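Review bot: the line "+Otherwise the Authentic Data (AD) flag is removed from responses." in the trust-ad entry documents behaviour this diff does not implement; only share/man/man5/resolv.conf.5 is touched, and res_query(3) callers still receive the raw header with whatever AD value the nameserver sent. Either pair the man page change with the resolver change that clears AD for untrusted nameservers, or reword the sentence so it does not promise the flag is stripped. The caveat "+The nameservers and the network path to them must be trusted." also reads as a statement of fact rather than as the condition for enabling the option; phrase it as "Only set this flag if ..." and say why: with trust-ad set, anyone able to forge or modify responses on that path can make an answer look DNSSEC-validated. Finally, "+This is the default for nameservers on localhost." should state which addresses count as localhost (the loopback addresses) so a reader can tell whether a local resolver reached through a non-loopback address is covered.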
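The thread argues that the resolver, not the man page, has to enforce the trust-ad policy: request validated data only when the nameserver is trusted, and strip the AD bit from the raw response header before a res_query(3) style caller sees it otherwise. The following C program is an added example of that header handling and is not OpenBSD libc or asr code; the names dns_request_ad, dns_sanitize_ad, ns_default_trust, struct ns_conf and the sample packet are all assumptions constructed for illustration. The bit positions follow RFC 1035 §4.1.1 and RFC 4035 §3.2.3 (AD is bit 5 of the second flags byte), and setting AD on the query as a request for validation is the usage described in RFC 6840 §5.7.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS header: bytes 2 and 3 are the flags. QR is bit 7 of byte 2,
 * AD is bit 5 of byte 3 (RFC 1035 4.1.1, RFC 4035 3.2.3). */
#define DNS_HDR_LEN  12
#define DNS_QR       0x80   /* byte 2 */
#define DNS_AD       0x20   /* byte 3 */

/* Hypothetical per-nameserver configuration (not the asr data structure). */
struct ns_conf {
	const char *addr;
	int trust_ad;   /* set by "options trust-ad" or the localhost default */
};

/* Default policy from the thread: loopback nameservers are trusted. */
int ns_default_trust(const char *addr)
{
	return strcmp(addr, "127.0.0.1") == 0 || strcmp(addr, "::1") == 0;
}

/* Return 1 if AD is set in the header, 0 if clear, -1 if too short. */
int dns_ad_set(const unsigned char *pkt, size_t len)
{
	if (len < DNS_HDR_LEN)
		return -1;
	return (pkt[3] & DNS_AD) != 0;
}

/* Outgoing query: ask for validated data (RFC 6840 5.7) only when the
 * nameserver is trusted. Returns 1 if AD was set, 0 if left alone. */
int dns_request_ad(unsigned char *query, size_t len, const struct ns_conf *ns)
{
	if (len < DNS_HDR_LEN || (query[2] & DNS_QR))
		return -1;	/* not a query */
	if (!ns->trust_ad)
		return 0;
	query[3] |= DNS_AD;
	return 1;
}

/* Incoming response: unless the nameserver is trusted, clear AD so a
 * forged or modified answer cannot claim DNSSEC validation to the caller
 * that receives the raw packet. Returns 1 if AD was cleared. */
int dns_sanitize_ad(unsigned char *resp, size_t len, const struct ns_conf *ns)
{
	if (len < DNS_HDR_LEN || !(resp[2] & DNS_QR))
		return -1;	/* not a response */
	if (ns->trust_ad || !(resp[3] & DNS_AD))
		return 0;
	resp[3] &= (unsigned char)~DNS_AD;
	return 1;
}

/* Constructed sample response header: QR=1, RD=1, RA=1, AD=1, one
 * question and one answer. Only the header matters for this example. */
static const unsigned char sample_resp[DNS_HDR_LEN] = {
	0x12, 0x34,	/* ID */
	0x81,		/* QR=1 opcode=0 AA=0 TC=0 RD=1 */
	0xa0,		/* RA=1 Z=0 AD=1 CD=0 RCODE=0 */
	0x00, 0x01,	/* QDCOUNT */
	0x00, 0x01,	/* ANCOUNT */
	0x00, 0x00,	/* NSCOUNT */
	0x00, 0x00	/* ARCOUNT */
};

/* Run the response path for one nameserver and report what the caller
 * would see in the AD bit afterwards. */
int demo(const char *ns_addr, int explicit_trust_ad)
{
	unsigned char pkt[DNS_HDR_LEN];
	struct ns_conf ns = { ns_addr,
	    explicit_trust_ad || ns_default_trust(ns_addr) };

	memcpy(pkt, sample_resp, sizeof pkt);
	dns_sanitize_ad(pkt, sizeof pkt, &ns);
	return dns_ad_set(pkt, sizeof pkt);
}

int main(void)
{
	printf("192.0.2.53 default  -> AD=%d\n", demo("192.0.2.53", 0));
	printf("127.0.0.1  default  -> AD=%d\n", demo("127.0.0.1", 0));
	printf("192.0.2.53 trust-ad -> AD=%d\n", demo("192.0.2.53", 1));
	return 0;
}
```

The split into a query-side and a response-side step mirrors the two halves of the proposed man page text: "request DNSSEC validated data" is the AD bit on the outgoing query, and "preserve the AD flag" is the decision not to clear it on the way back. Everything hinges on struct ns_conf.trust_ad, which is why the man page has to be explicit that setting it asserts trust in both the nameserver and the path.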