You mean to say
Note that, you can drop "Note that".
I have no idea where this construct came from. Maybe it should be replaced
with "PAY ATTENTION NOW". It is just rude.
Imagine if the cat manual page went like this:
DESCRIPTION
Note that the cat utility reads files sequentially, writing them to the
standard output. Note that The file operands are processed in command-line
order. Note that if file is a single dash (`-') or absent, cat reads from
the standard input.
Florian Obser <flor...@openbsd.org> wrote:
> You could drop "Note that". Either way, OK florian
>
> On 23 November 2021 13:39:51 CET, Jeremie Courreges-Anglas <j...@wxcvbn.org>
> wrote:
> >On Mon, Nov 22 2021, Florian Obser <flor...@openbsd.org> wrote:
> >> On 2021-11-21 22:21 +01, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> >>> On Sun, Nov 21 2021, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
> >>>> On Sat, Nov 20 2021, Florian Obser <flor...@openbsd.org> wrote:
> >>>
> >>> [...]
> >>>
> >>>>>> Index: lib/libc/asr/res_mkquery.c
> >>>>>> ===================================================================
> >>>>>> RCS file: /home/cvs/src/lib/libc/asr/res_mkquery.c,v
> >>>>>> retrieving revision 1.13
> >>>>>> diff -u -p -r1.13 res_mkquery.c
> >>>>>> --- lib/libc/asr/res_mkquery.c 14 Jan 2019 06:49:42 -0000 1.13
> >>>>>> +++ lib/libc/asr/res_mkquery.c 20 Nov 2021 14:24:08 -0000
> >>>>>> @@ -62,6 +62,9 @@ res_mkquery(int op, const char *dname, i
> >>>>>> h.flags |= RD_MASK;
> >>>>>> if (ac->ac_options & RES_USE_CD)
> >>>>>> h.flags |= CD_MASK;
> >>>>>> + if ((ac->ac_options & RES_TRUSTAD) &&
> >>>>>> + !(ac->ac_options & RES_USE_DNSSEC))
> >>>>>> + h.flags |= AD_MASK;
> >>>>>
> >>>>> do you remember why you check for !RES_USE_DNSSEC?
> >>>>> I'd like to leave it out.
> >>>>
> >>>> First, here's my understanding of RES_USE_DNSSEC: it's supposed to
> >>>> activate EDNS and set the DO bit. The server is then supposed to reply
> >>>> with AD set only if the data has been validated (with or without
> >>>> DNSSEC), and possibly append add DNSSEC data if available.
> >>>>
> >>>> Since I didn't know the semantics of both setting AD and DO in a query
> >>>> (I would expect such semantics to be sane) I wrote those more
> >>>> conservative checks instead. Does this make sense? If so, maybe
> >>>> a comment would help?
> >>>>
> >>>> /* Set the AD flag unless we already plan to set the DNSSEC DO bit. */
> >>>> if ((ac->ac_options & RES_TRUSTAD) &&
> >>>> !(ac->ac_options & RES_USE_DNSSEC))
> >>>>
> >>>>> In fact I don't think RES_USE_DNSSEC is useful
> >>>>> at all.
> >>>>> If you want to set the DO flag and start DNSSEC from first principles
> >>>>> you are better of talking to the network directly, i.e. rewrite unwind.
> >>>>
> >>>> RES_USE_DNSSEC has been there since some time already and it's used by
> >>>> software in the ports tree, precisely to detect AD=1 - and not so much
> >>>> for the key records I think.
> >>>
> >>> BTW clearing AD might break software that depends on it for stuff like
> >>> DANE. postfix uses RES_USE_DNSSEC for this, but also force-enables
> >>> RES_TRUSTAD if available so it shouldn't be affected (upstream's stance
> >>> is that you should only use a trusted resolver when running postfix).
> >>
> >> Ambitious...
> >>
> >> I actually had considerd to only do automatic trust-ad without any way
> >> for users and programs to change it / expand it to non-localhost.
> >
> >> But then I thought it might be nice in a datacenter setting where you
> >> might trust the path to the resolver.
> >
> >I also think that'trust-ad" is good thing to support.
> >
> >> And then postfix comes along :(
> >
> >If we don't want uptreams to use RES_TRUSTAD and thus force the admin to
> >do a conscious choice, we could hide it as an implementation detail in
> >asr/ or make it a noop (decoupling it from "options trust-ad" and your
> >automatic detection). It would require careful thinking about how
> >people use the API. Personnally I don't feel too strongly about giving
> >people rope...
> >
> >>> On the other hand mail/exim knowlingly doesn't force RES_TRUSTAD.
> >>
> >> I don't think we'll brake anything, at leat it should not stop
> >> progress. DANE verification has to be oportunistic, no? Good luck
> >> sending/receiving mail while requiring that certificates are either
> >> signed by a known CA or TLSA records are published. That will probably
> >> lose you a whole lot of the internet...
> >
> >Some people in the corporate world actually start to require the use of
> >certificates signed by a known CA. I only spotted this twice so far.
> >Regarding DANE and TLSA, one of the goals is to be able to use strong
> >authentication without deferring to commercial CAs. So I'm pretty sure
> >some nerdy admins have started enforcing it where they can, just because
> >they can.
> >
> >>> I don't know of other ports using RES_USE_DNSSEC and caring about the AD
> >>> flag.
> >>>
> >>> The effect of RES_TRUSTAD/trust-ad on RES_USE_DNSSEC ought to be
> >>> documented, but let's do that in another diff: the documentation of the
> >>> latter option is already lacking.
> >
> >Proposal below. Feedback / oks?
> >
> >
> >Index: res_init.3
> >===================================================================
> >RCS file: /home/cvs/src/lib/libc/net/res_init.3,v
> >retrieving revision 1.5
> >diff -u -p -p -u -r1.5 res_init.3
> >--- res_init.3 22 Nov 2021 20:18:27 -0000 1.5
> >+++ res_init.3 23 Nov 2021 12:25:01 -0000
> >@@ -218,6 +218,19 @@ uses 4096 bytes as input buffer size.
> > Request that the resolver uses
> > Domain Name System Security Extensions (DNSSEC),
> > as defined in RFCs 4033, 4034, and 4035.
> >+The resolver routines will use the EDNS0 extension and set the DNSSEC DO
> >+flag in queries, asking the name server to signal validated records by
> >+setting the AD flag in the reply and to attach additional DNSSEC
> >+records.
> >+Note that the resolver routines will clear the AD flag in replies unless
> >+the name servers are considered trusted.
> >+Also, client applications are often only interested in the value of the
> >+AD flag, making the additional DNSSEC records a waste of network
> >+bandwidth.
> >+See the description for
> >+.Dq options trust-ad
> >+in
> >+.Xr resolv.conf 5 .
> > .It Dv RES_USE_CD
> > Set the Checking Disabled flag on queries.
> > .El
> >
>
> --
> Sent from a mobile device. Please excuse poor formatting.
>
