diff options
| author | jca <> | 2021-11-22 20:18:27 +0000 |
|---|---|---|
| committer | jca <> | 2021-11-22 20:18:27 +0000 |
| commit | e84146785972a59918292f70718066fc8f2d51f2 (patch) | |
| tree | 6a5cd5be23f80da55e0798ac96cfbf6b27cc930b /src/lib/libcrypto/asn1/f_int.c | |
| parent | d43f8ab6f7b13d308f389ff3c93d1538c0fdfac3 (diff) | |
| download | openbsd-e84146785972a59918292f70718066fc8f2d51f2.tar.gz openbsd-e84146785972a59918292f70718066fc8f2d51f2.tar.bz2 openbsd-e84146785972a59918292f70718066fc8f2d51f2.zip | |
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@
Diffstat (limited to 'src/lib/libcrypto/asn1/f_int.c')
0 files changed, 0 insertions, 0 deletions