Describe what RES_USE_DNSSEC does and how it's affected by trust-ad

ok florian@

1 files changed, 15 insertions, 2 deletions

diff --git a/src/lib/libc/net/res_init.3 b/src/lib/libc/net/res_init.3
index 03e6fca747..3e0cabc358 100644
--- a/src/lib/libc/net/res_init.3
+++ b/src/lib/libc/net/res_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $
+.\"     $OpenBSD: res_init.3,v 1.6 2021/11/24 20:06:32 jca Exp $
 .\"
 .\" Copyright (c) 1985, 1991, 1993
 .\"     The Regents of the University of California.  All rights reserved.
@@ -27,7 +27,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2021 $
+.Dd $Mdocdate: November 24 2021 $
 .Dt RES_INIT 3
 .Os
 .Sh NAME
@@ -218,6 +218,19 @@ uses 4096 bytes as input buffer size.
 Request that the resolver uses
 Domain Name System Security Extensions (DNSSEC),
 as defined in RFCs 4033, 4034, and 4035.
+The resolver routines will use the EDNS0 extension and set the DNSSEC DO
+flag in queries, asking the name server to signal validated records by
+setting the AD flag in the reply and to attach additional DNSSEC
+records.
+The resolver routines will clear the AD flag in replies unless the name
+servers are considered trusted.
+Also, client applications are often only interested in the value of the
+AD flag, making the additional DNSSEC records a waste of network
+bandwidth.
+See the description for
+.Dq options trust-ad
+in
+.Xr resolv.conf 5 .
 .It Dv RES_USE_CD
 Set the Checking Disabled flag on queries.
 .El