| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok florian@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@
|
| |
|
|
| |
Suggested by Evan Silberman, confirmed by jmc@
|
| |
|
|
| |
Suggested by eric@, input from deraadt@, ok deraadt@ eric@
|
| |
|
|
|
|
|
|
|
|
| |
The previous wording implied this option does nothing, which is wrong.
This option does affect the way gethostbyname(3) works on OpenBSD
(return IPv6 addresses if available). On some systems, it also
introduces IPv4-mapped IPv6 addresses, a "feature" that we don't
support.
ok deraadt@ eric@
|
|
|
and correct Xr.
ok jmc
|
