Linux-man Archive on lore.kernel.org
* [PATCH] resolv.5: Document the trust-ad option
@ 2020-10-12 11:22 Florian Weimer
  2020-10-12 18:55 ` Michael Kerrisk (man-pages)
  0 siblings, 1 reply; 2+ messages in thread
From: Florian Weimer @ 2020-10-12 11:22 UTC (permalink / raw)
  To: linux-man

Signed-off-by: Florian Weimer <fweimer@redhat.com>

---
 man5/resolv.conf.5 | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/man5/resolv.conf.5 b/man5/resolv.conf.5
index 7013c8a28..6f3de7faf 100644
--- a/man5/resolv.conf.5
+++ b/man5/resolv.conf.5
@@ -35,9 +35,10 @@ The resolver configuration file contains information that is read
 by the resolver routines the first time they are invoked by a process.
 The file is designed to be human readable and contains a list of
 keywords with values that provide various types of resolver information.
-The configuration file is considered a trusted source of DNS information
-(e.g., DNSSEC AD-bit information will be returned unmodified from this
-source).
+The configuration file is considered a trusted source of DNS information;
+see the
+.B trust-ad
+option below for details.
 .PP
 If this file does not exist, only the name server on the local machine
 will be queried, and the search list contains the local domain name
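Review bot: the cross-reference added in this hunk spells the option as `.B trust-ad` with a plain hyphen, whereas the new `.TP` entry later in the same patch uses `.BR trust\-ad` with an escaped hyphen; man-pages convention is `\-` in option names so the rendered character is an ASCII hyphen-minus that copies into a configuration file unchanged. Suggest `.B trust\-ad` here for consistency. Replacing the old parenthetical ("DNSSEC AD-bit information will be returned unmodified from this source") with a pointer is the right call, since that statement no longer describes the default behaviour once the option exists.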
@@ -317,6 +318,30 @@ Sets
 in
 .IR _res.options .
 This option disables automatic reloading of a changed configuration file.
+.TP
+.BR trust\-ad " (since glibc 2.31)"
+.\" 446997ff1433d33452b81dfa9e626b8dccf101a4
+Sets
+.BR RES_TRUSTAD
+in
+.IR _res.options .
+This option controls the AD bit behavior of the stub resolver.  If a
+validating resolver sets the AD bit in a response, it indicates that
+the data in the response was verified according to the DNSSEC
+protocol.  In order to rely on the AD bit, the local system has to
+trust both the DNSSEC-validating resolver and the network path to it,
+which is why an explicit opt-in is required.  If the
+.B trust\-ad
+option is active, the stub resolver sets the AD bit in outgoing DNS
+queries (to enable AD bit support), and preserves the AD bit in
+responses.  Without this option, the AD bit is not set in queries, and
+it is always removed from responses before they are returned to the
+application.  This means that applications can trust the AD bit in
+responses if the
+.B trust\-ad
+option has been set correctly.  In glibc version 2.30 and earlier, the
+AD is not set automatically in queries, and passed through unchanged
+to applications in responses.
 .RE
 .PP
 The \fIsearch\fP keyword of a system's \fIresolv.conf\fP file can be
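Review bot: the closing sentence of the new entry, "In glibc version 2.30 and earlier, the AD is not set automatically in queries, and passed through unchanged to applications in responses", is missing the word "bit" and reads more cleanly with a verb in the second clause; suggest "the AD bit is not set automatically in queries, and it is passed through unchanged to applications in responses." It would also help readers to spell out the consequence stated only implicitly here: without the option, an AD bit is always stripped, so an application cannot tell "not validated" from "trust-ad not enabled" by looking at the flag alone, which is exactly why the text says the bit can be trusted only if the option "has been set correctly". The rest of the entry (the opt-in rationale about trusting both the validating resolver and the network path to it, and the commit reference in the `.\"` comment) looks good.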

-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill



* Re: [PATCH] resolv.5: Document the trust-ad option
  2020-10-12 11:22 [PATCH] resolv.5: Document the trust-ad option Florian Weimer
@ 2020-10-12 18:55 ` Michael Kerrisk (man-pages)
  0 siblings, 0 replies; 2+ messages in thread
From: Michael Kerrisk (man-pages) @ 2020-10-12 18:55 UTC (permalink / raw)
  To: Florian Weimer, linux-man; +Cc: mtk.manpages

On 10/12/20 1:22 PM, Florian Weimer wrote:
> Signed-off-by: Florian Weimer <fweimer@redhat.com>

Thanks, Florian. Patch applied.

Cheers

Michael



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
