author | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2021-11-22 20:18:28 +0000
committer | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2021-11-22 20:18:28 +0000
commit | 6021e0c6ff027057cf4800b89d61b4e76a658366 (patch)
tree | b4e380e53728395c0e42c0011999dfd2e397b066 /include/resolv.h
parent | e55bf1e2ee262f018769a3b57f70c6f590637455 (diff)
Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.

By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.

ok florian@ phessler@
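The policy the commit message describes (trust AD only when every name server in resolv.conf(5) is on localhost, or when the admin sets "options trust-ad") and the response sanitising that goes with it, as an added C example that is not the libc code from this commit; the function names, the loopback test and the choice to treat an empty name server list as untrusted are this example's own assumptions.

```c
/* Added example, not the libc code from this commit: AD-flag handling in
 * the spirit of RFC 6840. A stub resolver that cannot validate DNSSEC may
 * request AD, but must pass AD to callers only from trusted name servers. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>

#define DNS_HDRLEN 12
#define DNS_FLAG_AD 0x20 /* AD is bit 5 of header byte 3 (with CD, RCODE) */

/* Loopback check for a textual IPv4/IPv6 name server address. */
static int ns_is_loopback(const char *addr)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127; /* 127.0.0.0/8 */
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return 0;
}

/* Policy from the commit message: trust AD when "options trust-ad" is set
 * or when every configured name server is on localhost. An empty list is
 * treated as untrusted here (this example's conservative assumption). */
int ad_trust_nameservers(const char *const *ns, size_t n, int trust_ad_option)
{
    size_t i;
    if (trust_ad_option)
        return 1;
    for (i = 0; i < n; i++)
        if (!ns_is_loopback(ns[i]))
            return 0;
    return n > 0;
}

/* Sanitise a response: clear AD unless the servers are trusted. Returns the
 * AD value an application may rely on, or -1 if shorter than a header. */
int dns_response_filter_ad(uint8_t *msg, size_t len, int trusted)
{
    if (len < DNS_HDRLEN)
        return -1;
    if (!trusted)
        msg[3] &= (uint8_t)~DNS_FLAG_AD;
    return (msg[3] & DNS_FLAG_AD) != 0;
}
```

The constructed 12-byte header used below has QR, RD, RA and AD set (flags 0x81a0); an application that only consults the return value of dns_response_filter_ad never sees an AD bit that an untrusted server set.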
Diffstat (limited to 'include/resolv.h')

-rw-r--r-- | include/resolv.h | 3

1 files changed, 2 insertions, 1 deletions
diff --git a/include/resolv.h b/include/resolv.h index fb02483871e..449779e40fe 100644 --- a/include/resolv.h +++ b/include/resolv.h @@ -1,4 +1,4 @@ -/* $OpenBSD: resolv.h,v 1.22 2019/01/14 06:23:06 otto Exp $ */ +/* $OpenBSD: resolv.h,v 1.23 2021/11/22 20:18:27 jca Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -191,6 +191,7 @@ struct __res_state_ext { /* DNSSEC extensions: use higher bit to avoid conflict with ISC use */ #define RES_USE_DNSSEC 0x20000000 /* use DNSSEC using OK bit in OPT */ #define RES_USE_CD 0x10000000 /* set Checking Disabled flag */ +#define RES_TRUSTAD 0x80000000 /* Request AD, keep it in responses. */ #define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH) |
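Review bot: in the second hunk, RES_TRUSTAD = 0x80000000 takes the top bit of a 32-bit value inside the block the comment reserves "to avoid conflict with ISC use"; worth confirming that the options field it is OR'ed into is unsigned and at least 32 bits wide, so the constant is neither sign-extended nor truncated. The trailing comment "Request AD, keep it in responses." could also state the default the commit message describes, that AD is cleared from responses unless every name server is on localhost or "options trust-ad" is set, e.g. `/* Request AD; keep it in responses only from trusted servers. */`.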