From e84146785972a59918292f70718066fc8f2d51f2 Mon Sep 17 00:00:00 2001
From: jca <>
Date: Mon, 22 Nov 2021 20:18:27 +0000
Subject: Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, i.e. clear the AD flag if the resolvers aren't trusted.

By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, e.g. those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.

ok florian@ phessler@
---
 src/lib/libc/net/res_init.3 | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

(limited to 'src/lib/libc')

diff --git a/src/lib/libc/net/res_init.3 b/src/lib/libc/net/res_init.3 index 4a4d0950a5..03e6fca747 100644 --- a/src/lib/libc/net/res_init.3 +++ b/src/lib/libc/net/res_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: res_init.3,v 1.4 2020/04/25 21:06:17 jca Exp $ +.\" $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $ .\" .\" Copyright (c) 1985, 1991, 1993 .\" The Regents of the University of California. All rights reserved. 
@@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: April 25 2020 $ +.Dd $Mdocdate: November 22 2021 $ .Dt RES_INIT 3 .Os .Sh NAME @@ -179,6 +179,18 @@ This option has no effect. In the past, it turned off the legacy .Ev HOSTALIASES feature. +.It Dv RES_TRUSTAD +If set, the resolver routines will set the AD flag in DNS queries and +preserve the value of the AD flag in DNS replies. +If not set, the resolver routines will clear the AD flag in responses. +Direct use of this option to enable AD bit processing is discouraged. +Instead the use of trusted name servers should be annotated with +.Dq options trust-ad +in +.Xr resolv.conf 5 . +This option is automatically enabled if +.Xr resolv.conf 5 +only lists name servers on localhost. .It Dv RES_USE_INET6 With this option .Xr gethostbyname 3 -- cgit v1.2.3-55-g6feb
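Review bot: The new RES_TRUSTAD entry (third hunk, after ".Ev HOSTALIASES feature.") tells the reader to annotate "trusted name servers" with "options trust-ad" but never says what that trust has to cover, while the commit message is precise: the admin must trust *all* name servers listed in resolv.conf(5) *and the network path leading to them*, because an AD flag that libc preserves is only as meaningful as the resolver that set it and the path the reply travelled over. Suggest carrying that condition into the man page, for example after ".Xr resolv.conf 5 ." add a sentence such as "This should only be done if every listed name server and the network path to it are trusted." It would also help to state plainly what the commit message's first sentence says, that the resolver routines do not validate DNSSEC themselves and a preserved AD flag only reports that the upstream resolver claims to have validated the answer, so applications relying on it (the commit message names SSHFP and DANE users) know what the flag does and does not guarantee. Minor style point in the same hunk: "Instead the use of trusted name servers should be annotated with" reads better as "Instead, the use of trusted name servers should be annotated with".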