From bd434151910050c9b9259432fe7a0c0542edf08d Mon Sep 17 00:00:00 2001 From: jakob <> Date: Wed, 8 Aug 2001 16:28:43 +0000 Subject: add CAVEATS section that talks about trust and the AD-bit --- src/lib/libc/net/getrrsetbyname.3 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/libc/net/getrrsetbyname.3 b/src/lib/libc/net/getrrsetbyname.3 index 19a89d985e..1cec0c726b 100644 --- a/src/lib/libc/net/getrrsetbyname.3 +++ b/src/lib/libc/net/getrrsetbyname.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: getrrsetbyname.3,v 1.3 2001/08/06 15:10:23 jakob Exp $ +.\" $OpenBSD: getrrsetbyname.3,v 1.4 2001/08/08 16:28:43 jakob Exp $ .\" .\" Copyright (C) 2000, 2001 Internet Software Consortium. .\" @@ -151,3 +151,13 @@ The data in should be returned in uncompressed wire format. Currently, the data is in compressed format and the caller can't uncompress since it doesn't have the full message. +.Sh CAVEATS +The +.Dv RRSET_VALIDATED +flag in +.Li rri_flags +is set if the AD (autenticated data) bit in the DNS answer is +set. This flag +.Em should not +be trusted unless the transport between the nameserver and the resolver +is secure (e.g. IPsec, trusted network, loopback communication). -- cgit v1.2.3-55-g6feb
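Review bot: in the added CAVEATS paragraph, "autenticated data" is misspelled and should read "authenticated data". The text says RRSET_VALIDATED "is set if the AD ... bit in the DNS answer is set", which reads as the flag being a copy of a bit supplied by the nameserver. Consider saying that outright, so a caller does not take the flag name to mean the resolver validated the data itself. The paragraph also stops at "should not be trusted" without telling the caller what to do. One more sentence would close that gap: when the path to the nameserver is not secured, treat the rrset as unvalidated regardless of rri_flags. Finally, "trusted network" in the parenthetical is looser than the other two examples (IPsec, loopback); either define it or drop it so the list only names transports where the AD bit cannot be altered in transit.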