path: root/src/lib/libssl/ssl_ciph.c
authorjca <>2021-11-22 20:18:27 +0000
committerjca <>2021-11-22 20:18:27 +0000
commitca02920211b601ee0c85b3f9e9730859d617b1c2 (patch)
tree6a5cd5be23f80da55e0798ac96cfbf6b27cc930b /src/lib/libssl/ssl_ciph.c
parent91b883c95556fe6a30bb452776e5ad062929ab8d (diff)
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, i.e. clear the AD flag if the resolvers aren't trusted.

By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost, the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, e.g. those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.

ok florian@ phessler@
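The trust decision and AD-bit handling that the commit message describes, modelled as an added example. This is not OpenBSD's libc resolver code (and does not reproduce its parsing); it is a stand-alone Python illustration of the policy: trust the AD bit when every nameserver in resolv.conf(5) is on localhost or when "options trust-ad" is set, set AD in outgoing query headers, and clear AD in a response header before an application sees it when the resolvers are not trusted. The resolv.conf fragments and the DNS wire-format header bytes below are constructed for the example; function and constant names are this example's own.

```python
"""Added example of RFC 6840-style AD flag handling at a stub resolver.

Not OpenBSD libc code; models the policy from the commit message using
constructed resolv.conf text and constructed DNS header bytes.
"""
import ipaddress
import struct

# DNS header flag bits, second 16-bit word of the 12-byte header
# (RFC 1035 / RFC 4035): RD is 0x0100, AD is 0x0020.
FLAG_RD = 0x0100
FLAG_AD = 0x0020

# Constructed resolv.conf(5) samples (example data, not from the page).
LOCALHOST_CONF = "nameserver 127.0.0.1\nnameserver ::1\n"
REMOTE_CONF = "nameserver 192.0.2.53\nnameserver 2001:db8::53\n"
MIXED_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53\n"
REMOTE_TRUST_AD_CONF = "nameserver 192.0.2.53\noptions trust-ad\n"

# Constructed response header: id 0x1234, flags QR|RD|RA|AD (0x81a0),
# 1 question, 1 answer, 0 authority, 0 additional.
SAMPLE_RESPONSE = struct.pack('!HHHHHH', 0x1234, 0x81A0, 1, 1, 0, 0)


def parse_resolv_conf(text):
    """Return (nameservers, trust_ad) from resolv.conf(5)-style text."""
    nameservers = []
    trust_ad = False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'nameserver' and len(parts) >= 2:
            nameservers.append(parts[1])
        elif parts[0] == 'options' and 'trust-ad' in parts[1:]:
            trust_ad = True
    return nameservers, trust_ad


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; scope ids such as '::1%lo0' are stripped."""
    try:
        return ipaddress.ip_address(addr.split('%', 1)[0]).is_loopback
    except ValueError:
        return False


def resolvers_trusted(text):
    """Policy: trust if 'options trust-ad' is set, otherwise only if every
    listed nameserver is on localhost (a mixed list is NOT trusted)."""
    nameservers, trust_ad = parse_resolv_conf(text)
    if trust_ad:
        return True
    return bool(nameservers) and all(is_loopback(ns) for ns in nameservers)


def build_query_header(qid, want_ad):
    """12-byte query header with RD set, and AD set when the caller wants
    the upstream validating resolver to report authenticated data."""
    flags = FLAG_RD | (FLAG_AD if want_ad else 0)
    return struct.pack('!HHHHHH', qid, flags, 1, 0, 0, 0)


def sanitize_response(response, trusted):
    """Clear AD in the response header unless the resolvers are trusted,
    so an application that checks AD cannot be misled by an untrusted
    server or path. The rest of the message is passed through unchanged."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack('!HH', response[:4])
    if not trusted:
        flags &= ~FLAG_AD
    return struct.pack('!HH', qid, flags) + response[4:]


def response_has_ad(response):
    """What an application such as an SSHFP or DANE consumer would check."""
    return bool(struct.unpack('!H', response[2:4])[0] & FLAG_AD)


if __name__ == '__main__':
    for name, conf in [('localhost', LOCALHOST_CONF), ('remote', REMOTE_CONF),
                       ('mixed', MIXED_CONF), ('remote+trust-ad', REMOTE_TRUST_AD_CONF)]:
        trusted = resolvers_trusted(conf)
        seen = response_has_ad(sanitize_response(SAMPLE_RESPONSE, trusted))
        print(f"{name:16s} trusted={trusted!s:5s} application sees AD={seen}")
```

The mixed case is the one worth noting: a single non-localhost nameserver in the list is enough to withhold trust, because libc cannot know which server answered a given query, so the AD bit is only meaningful if every candidate is trusted.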
Diffstat (limited to 'src/lib/libssl/ssl_ciph.c')
0 files changed, 0 insertions, 0 deletions