Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.

ok florian@ phessler@

There are cases where a program doing dns requests wants to set the
Checking Disabled flag. Introduce a RES flag to do so. ok krw@
deraadt@ eric@

Change the (unused) restimespec member of __res_state from a timespec
to a local equivalent to eliminate a dependency on <sys/time.h> being
included

ok deraadt@ millert@

Trim symbols that aren't part of our new resolver

OK semarie@

Remove excessive sys/cdefs.h inclusion
ok guenther millert kettenis

Stop pulling in <sys/param.h>

ok deraadt@

Add a resolv.conf option to specify the order in which getaddrinfo
PF_UNSPEC queries are made. While there change the default from inet6
first then inet4 to inet4 first then inet6, this prevents the many
people with IPv4 only connectivity from constantly trying to contact
IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
right.

ok deraadt@, plenty of cheering in the room wrt the idea, not loud
enough complaining from the v6 crowd.

make the resolver stat resolv.conf and update if it changes.
useful feedback and ok deraadt@

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

add __bounded__ attributes for userland headers; enabled with -Wbounded
ok deraadt@

backout the __bounded__ attributes for a while; requested by deraadt@

Mark various standard library functions with the __bounded__ attribute.
You must have an up-to-date gcc for this!
deraadt@ ok

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Manual cleanup of remaining userland __P use (excluding packages maintained outside the tree)

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

add support for EDNS0 extended flag DNSSEC OK (aka DO). ok deraadt@

support EDNS0 (RFC2671) buffer size notification on DNS queries.
"options edns0" in /etc/resolv.conf will enable the behavior. no behavior
change if you don't have the line. see resolv.conf(5) for more details.

EDNS0 is useful for avoiding TCP DNS queries/replies on larger DNS responses.
also, draft-ietf-dnsext-message-size-* plans to mandate EDNS0 support for DNS
clients that support IPv6 transport.

spelling

ipv6 support in resolver. "nameserver" line in /etc/resolv.conf now takes
ipv6 address.

BIND 4.9.5 includes.

netbsd: bind 4.9.3

branches: 1.1.1;
Initial revision

There are cases where a program doing dns requests wants to set the
Checking Disabled flag. Introduce a RES flag to do so. ok krw@
deraadt@ eric@

Change the (unused) restimespec member of __res_state from a timespec
to a local equivalent to eliminate a dependency on <sys/time.h> being
included

ok deraadt@ millert@

Trim symbols that aren't part of our new resolver

OK semarie@

Remove excessive sys/cdefs.h inclusion
ok guenther millert kettenis

Stop pulling in <sys/param.h>

ok deraadt@

Add a resolv.conf option to specify the order in which getaddrinfo
PF_UNSPEC queries are made. While there change the default from inet6
first then inet4 to inet4 first then inet6, this prevents the many
people with IPv4 only connectivity from constantly trying to contact
IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
right.

ok deraadt@, plenty of cheering in the room wrt the idea, not loud
enough complaining from the v6 crowd.

make the resolver stat resolv.conf and update if it changes.
useful feedback and ok deraadt@

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

add __bounded__ attributes for userland headers; enabled with -Wbounded
ok deraadt@

backout the __bounded__ attributes for a while; requested by deraadt@

Mark various standard library functions with the __bounded__ attribute.
You must have an up-to-date gcc for this!
deraadt@ ok

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Manual cleanup of remaining userland __P use (excluding packages maintained outside the tree)

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

add support for EDNS0 extended flag DNSSEC OK (aka DO). ok deraadt@

support EDNS0 (RFC2671) buffer size notification on DNS queries.
"options edns0" in /etc/resolv.conf will enable the behavior. no behavior
change if you don't have the line. see resolv.conf(5) for more details.

EDNS0 is useful for avoiding TCP DNS queries/replies on larger DNS responses.
also, draft-ietf-dnsext-message-size-* plans to mandate EDNS0 support for DNS
clients that support IPv6 transport.

spelling

ipv6 support in resolver. "nameserver" line in /etc/resolv.conf now takes
ipv6 address.

BIND 4.9.5 includes.

netbsd: bind 4.9.3

branches: 1.1.1;
Initial revision

Change the (unused) restimespec member of __res_state from a timespec
to a local equivalent to eliminate a dependency on <sys/time.h> being
included

ok deraadt@ millert@

Trim symbols that aren't part of our new resolver

OK semarie@

Remove excessive sys/cdefs.h inclusion
ok guenther millert kettenis

Stop pulling in <sys/param.h>

ok deraadt@

Add a resolv.conf option to specify the order in which getaddrinfo
PF_UNSPEC queries are made. While there change the default from inet6
first then inet4 to inet4 first then inet6, this prevents the many
people with IPv4 only connectivity from constantly trying to contact
IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
right.

ok deraadt@, plenty of cheering in the room wrt the idea, not loud
enough complaining from the v6 crowd.

make the resolver stat resolv.conf and update if it changes.
useful feedback and ok deraadt@

Remove unnecessary typedef usage.

u_char -> unsigned char
u_short -> unsigned short
u_long -> unsigned long
u_int -> unsigned int

okay millert@

add __bounded__ attributes for userland headers; enabled with -Wbounded
ok deraadt@

backout the __bounded__ attributes for a while; requested by deraadt@

Mark various standard library functions with the __bounded__ attribute.
You must have an up-to-date gcc for this!
deraadt@ ok

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.

compatiblity -> compatibility
decriptor -> descriptor
authentciated -> authenticated
transmition -> transmission

Manual cleanup of remaining userland __P use (excluding packages maintained outside the tree)

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

add support for EDNS0 extended flag DNSSEC OK (aka DO). ok deraadt@

support EDNS0 (RFC2671) buffer size notification on DNS queries.
"options edns0" in /etc/resolv.conf will enable the behavior. no behavior
change if you don't have the line. see resolv.conf(5) for more details.

EDNS0 is useful for avoiding TCP DNS queries/replies on larger DNS responses.
also, draft-ietf-dnsext-message-size-* plans to mandate EDNS0 support for DNS
clients that support IPv6 transport.

spelling

ipv6 support in resolver. "nameserver" line in /etc/resolv.conf now takes
ipv6 address.

BIND 4.9.5 includes.

netbsd: bind 4.9.3

branches: 1.1.1;
Initial revision