diff options
| author | jca <> | 2021-11-22 20:18:27 +0000 |
|---|---|---|
| committer | jca <> | 2021-11-22 20:18:27 +0000 |
| commit | e84146785972a59918292f70718066fc8f2d51f2 (patch) | |
| tree | 6a5cd5be23f80da55e0798ac96cfbf6b27cc930b | |
| parent | d43f8ab6f7b13d308f389ff3c93d1538c0fdfac3 (diff) | |
| download | openbsd-e84146785972a59918292f70718066fc8f2d51f2.tar.gz openbsd-e84146785972a59918292f70718066fc8f2d51f2.tar.bz2 openbsd-e84146785972a59918292f70718066fc8f2d51f2.zip | |
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@
| -rw-r--r-- | src/lib/libc/net/res_init.3 | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/lib/libc/net/res_init.3 b/src/lib/libc/net/res_init.3 index 4a4d0950a5..03e6fca747 100644 --- a/src/lib/libc/net/res_init.3 +++ b/src/lib/libc/net/res_init.3 | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | .\" $OpenBSD: res_init.3,v 1.4 2020/04/25 21:06:17 jca Exp $ | 1 | .\" $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $ |
| 2 | .\" | 2 | .\" |
| 3 | .\" Copyright (c) 1985, 1991, 1993 | 3 | .\" Copyright (c) 1985, 1991, 1993 |
| 4 | .\" The Regents of the University of California. All rights reserved. | 4 | .\" The Regents of the University of California. All rights reserved. |
| @@ -27,7 +27,7 @@ | |||
| 27 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | 27 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 28 | .\" SUCH DAMAGE. | 28 | .\" SUCH DAMAGE. |
| 29 | .\" | 29 | .\" |
| 30 | .Dd $Mdocdate: April 25 2020 $ | 30 | .Dd $Mdocdate: November 22 2021 $ |
| 31 | .Dt RES_INIT 3 | 31 | .Dt RES_INIT 3 |
| 32 | .Os | 32 | .Os |
| 33 | .Sh NAME | 33 | .Sh NAME |
| @@ -179,6 +179,18 @@ This option has no effect. | |||
| 179 | In the past, it turned off the legacy | 179 | In the past, it turned off the legacy |
| 180 | .Ev HOSTALIASES | 180 | .Ev HOSTALIASES |
| 181 | feature. | 181 | feature. |
| 182 | .It Dv RES_TRUSTAD | ||
| 183 | If set, the resolver routines will set the AD flag in DNS queries and | ||
| 184 | preserve the value of the AD flag in DNS replies. | ||
| 185 | If not set, the resolver routines will clear the AD flag in responses. | ||
| 186 | Direct use of this option to enable AD bit processing is discouraged. | ||
| 187 | Instead the use of trusted name servers should be annotated with | ||
| 188 | .Dq options trust-ad | ||
| 189 | in | ||
| 190 | .Xr resolv.conf 5 . | ||
| 191 | This option is automatically enabled if | ||
| 192 | .Xr resolv.conf 5 | ||
| 193 | only lists name servers on localhost. | ||
| 182 | .It Dv RES_USE_INET6 | 194 | .It Dv RES_USE_INET6 |
| 183 | With this option | 195 | With this option |
| 184 | .Xr gethostbyname 3 | 196 | .Xr gethostbyname 3 |