libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@
PF_UNSPEC queries are made. While there change the default from inet6
first then inet4 to inet4 first then inet6, this prevents the many
people with IPv4 only connectivity from constantly trying to contact
IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
right.
ok deraadt@, plenty of cheering in the room wrt the idea, not loud
enough complaining from the v6 crowd.
"options edns0" in /etc/resolv.conf will enable the behavior. no behavior
change if you don't have the line. see resolv.conf(5) for more details.
EDNS0 is useful for avoiding TCP DNS queries/replies on larger DNS responses.
also, draft-ietf-dnsext-message-size-* plans to mandate EDNS0 support for DNS
clients that support IPv6 transport.
