path: root/lib/libc/asr/asr_debug.c
author: Jeremie Courreges-Anglas <jca@cvs.openbsd.org> 2021-11-22 20:18:28 +0000
committer: Jeremie Courreges-Anglas <jca@cvs.openbsd.org> 2021-11-22 20:18:28 +0000
commit: 6021e0c6ff027057cf4800b89d61b4e76a658366
tree: b4e380e53728395c0e42c0011999dfd2e397b066 /lib/libc/asr/asr_debug.c
parent: e55bf1e2ee262f018769a3b57f70c6f590637455
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, i.e. clear the AD flag if the resolvers aren't trusted.

By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostKeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, e.g. those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.

ok florian@ phessler@
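The policy described in the commit message has two halves: decide whether the configured name servers are trusted (all on localhost, or "options trust-ad" present), and then set AD on outgoing queries only when they are and strip AD from replies when they are not, so an application can never see an AD bit that an untrusted server or network path could have forged. The following is an added illustration written for this page, not OpenBSD's libc/asr code; the `struct resolver_conf`, the function names and the constructed sample messages are assumptions made for the example. Only the DNS header layout (AD is bit 0x20 of the fourth header byte, per RFC 1035/RFC 6840) is taken from the standards.

```c
/* Added example (not OpenBSD libc code): models the trust decision and the
 * AD-bit handling described in the commit message.  Names and the config
 * struct below are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DNS_HDR_LEN 12
#define DNS_AD_BIT  0x20   /* AD flag lives in header byte 3 (RA Z AD CD RCODE) */

/* Hypothetical minimal view of resolv.conf(5): nameserver list + trust-ad. */
struct resolver_conf {
    const char *nameservers[3];   /* constructed: up to three entries */
    int count;
    bool trust_ad_option;         /* "options trust-ad" was present */
};

/* True for 127.0.0.0/8 or ::1, the "name server on localhost" case. */
static bool is_loopback(const char *addr)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return IN6_IS_ADDR_LOOPBACK(&a6);
    return false;   /* unparsable entries are never trusted */
}

/* Trust the AD bit only if the admin opted in, or if every listed server
 * is on localhost.  An empty list trusts nothing. */
bool resolvers_trusted(const struct resolver_conf *c)
{
    if (c->trust_ad_option)
        return true;
    if (c->count <= 0)
        return false;
    for (int i = 0; i < c->count; i++)
        if (!is_loopback(c->nameservers[i]))
            return false;
    return true;
}

/* Outgoing query: request AD only from a trusted resolver.
 * Returns the resulting flags byte, or -1 if the buffer is too short. */
int prepare_query_header(uint8_t *hdr, size_t len, bool trusted)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (trusted)
        hdr[3] |= DNS_AD_BIT;
    else
        hdr[3] &= (uint8_t)~DNS_AD_BIT;
    return hdr[3];
}

/* Incoming reply: clear AD unless the resolver is trusted, so callers can
 * read the flag safely.  Returns 1 if AD is still set afterwards, 0 if not,
 * -1 if the message is too short to carry a header. */
int sanitize_reply_ad(uint8_t *msg, size_t len, bool trusted)
{
    if (len < DNS_HDR_LEN)
        return -1;
    if (!trusted)
        msg[3] &= (uint8_t)~DNS_AD_BIT;
    return (msg[3] & DNS_AD_BIT) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample reply header: id 0x1234, QR|RD set, RA|AD set. */
    uint8_t reply[DNS_HDR_LEN] = {0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0};
    struct resolver_conf mixed = {{"127.0.0.1", "192.0.2.53"}, 2, false};

    bool trusted = resolvers_trusted(&mixed);
    printf("trusted=%d ad_after_sanitize=%d\n", trusted,
           sanitize_reply_ad(reply, sizeof reply, trusted));
    return 0;
}
```

The mixed configuration above (one loopback server, one remote server without "options trust-ad") is the case the commit message singles out: a single untrusted server or path is enough to disqualify the AD bit for the whole configuration, which is why the check requires every entry to be on localhost rather than any.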
Diffstat (limited to 'lib/libc/asr/asr_debug.c')
-rw-r--r--  lib/libc/asr/asr_debug.c | 3
1 file changed, 2 insertions, 1 deletion
diff --git a/lib/libc/asr/asr_debug.c b/lib/libc/asr/asr_debug.c
index f9378d156b7..791a067f72d 100644
--- a/lib/libc/asr/asr_debug.c
+++ b/lib/libc/asr/asr_debug.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_debug.c,v 1.27 2021/04/02 07:00:30 eric Exp $ */
+/* $OpenBSD: asr_debug.c,v 1.28 2021/11/22 20:18:27 jca Exp $ */
/*
* Copyright (c) 2012 Eric Faurot <eric@openbsd.org>
*
@@ -286,6 +286,7 @@ _asr_dump_config(FILE *f, struct asr *a)
PRINTOPT(RES_USE_EDNS0, "USE_EDNS0");
PRINTOPT(RES_USE_DNSSEC, "USE_DNSSEC");
PRINTOPT(RES_USE_CD, "USE_CD");
+ PRINTOPT(RES_TRUSTAD, "TRUSTAD");
if (o)
fprintf(f, " 0x%08x", o);
fprintf(f, "\n");
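Review bot: the added `PRINTOPT(RES_TRUSTAD, "TRUSTAD");` relies on RES_TRUSTAD being declared in the resolver header, and that declaration is not part of this file's diff (the diffstat is limited to asr_debug.c), so the header change must land in the same commit or this file stops compiling. Placing it directly after `PRINTOPT(RES_USE_CD, "USE_CD");` follows the existing pattern, and listing it here matters for the trailing `if (o) fprintf(f, " 0x%08x", o);` fallback: without the new entry a TRUSTAD-enabled configuration would show up in debug output only as an unexplained hex remainder, which is exactly the bit an operator checking "options trust-ad" or the automatic localhost trust would want to see by name.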