On Sun, Nov 21 2021, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote: > On Sat, Nov 20 2021, Florian Obser <flor...@openbsd.org> wrote:
[...] >>> Index: lib/libc/asr/res_mkquery.c >>> =================================================================== >>> RCS file: /home/cvs/src/lib/libc/asr/res_mkquery.c,v >>> retrieving revision 1.13 >>> diff -u -p -r1.13 res_mkquery.c >>> --- lib/libc/asr/res_mkquery.c 14 Jan 2019 06:49:42 -0000 1.13 >>> +++ lib/libc/asr/res_mkquery.c 20 Nov 2021 14:24:08 -0000 >>> @@ -62,6 +62,9 @@ res_mkquery(int op, const char *dname, i >>> h.flags |= RD_MASK; >>> if (ac->ac_options & RES_USE_CD) >>> h.flags |= CD_MASK; >>> + if ((ac->ac_options & RES_TRUSTAD) && >>> + !(ac->ac_options & RES_USE_DNSSEC)) >>> + h.flags |= AD_MASK; >> >> do you remember why you check for !RES_USE_DNSSEC? >> I'd like to leave it out. > > First, here's my understanding of RES_USE_DNSSEC: it's supposed to > activate EDNS and set the DO bit. The server is then supposed to reply > with AD set only if the data has been validated (with or without > DNSSEC), and possibly append add DNSSEC data if available. > > Since I didn't know the semantics of both setting AD and DO in a query > (I would expect such semantics to be sane) I wrote those more > conservative checks instead. Does this make sense? If so, maybe > a comment would help? > > /* Set the AD flag unless we already plan to set the DNSSEC DO bit. */ > if ((ac->ac_options & RES_TRUSTAD) && > !(ac->ac_options & RES_USE_DNSSEC)) > >> In fact I don't think RES_USE_DNSSEC is useful >> at all. >> If you want to set the DO flag and start DNSSEC from first principles >> you are better of talking to the network directly, i.e. rewrite unwind. > > RES_USE_DNSSEC has been there since some time already and it's used by > software in the ports tree, precisely to detect AD=1 - and not so much > for the key records I think. BTW clearing AD might break software that depends on it for stuff like DANE. postfix uses RES_USE_DNSSEC for this, but also force-enables RES_TRUSTAD if available so it shouldn't be affected (upstream's stance is that you should only use a trusted resolver when running postfix). On the other hand mail/exim knowlingly doesn't force RES_TRUSTAD. I don't know of other ports using RES_USE_DNSSEC and caring about the AD flag. The effect of RES_TRUSTAD/trust-ad on RES_USE_DNSSEC ought to be documented, but let's do that in another diff: the documentation of the latter option is already lacking. -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE