1.23 | 22-Nov-2021 | jca
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, i.e. clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.
ok florian@ phessler@
Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE

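As an added illustration of the policy this entry describes (and of the Checking Disabled flag from revision 1.22), not code from OpenBSD's libc: a standalone C model of the trust decision and of the AD/CD flag handling. The resolv.conf parsing, the textual 127.x / ::1 match and the treatment of a file with no nameserver lines are my simplifications, not the library's behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* DNS header flag bits (second 16-bit word, RFC 1035 / RFC 4035). */
#define DNS_FLAG_AD 0x0020U   /* Authentic Data: resolver validated the answer */
#define DNS_FLAG_CD 0x0010U   /* Checking Disabled: the client validates itself */

/* Trust decision from resolv.conf text, per the log entry: trusted when every
 * nameserver is on localhost (127.x or ::1, textual match only), or when
 * "options trust-ad" is present.  No nameserver lines: untrusted (assumption). */
bool resolvers_trusted(const char *resolv_conf)
{
    char line[256], addr[64];
    const char *p = resolv_conf, *nl, *s;
    size_t full, len;
    bool trust_ad = false, saw_ns = false, all_local = true;
    while (*p) {
        nl = strchr(p, '\n');                  /* split the text into lines */
        full = nl ? (size_t)(nl - p) : strlen(p);
        len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += nl ? full + 1 : full;
        for (s = line; *s == ' ' || *s == '\t'; s++)
            ;                                  /* comment lines never match below */
        if (strncmp(s, "nameserver", 10) == 0 && sscanf(s, "%*s %63s", addr) == 1) {
            saw_ns = true;
            if (strncmp(addr, "127.", 4) != 0 && strcmp(addr, "::1") != 0)
                all_local = false;
        } else if (strncmp(s, "options", 7) == 0 && strstr(s, "trust-ad") != NULL) {
            trust_ad = true;
        }
    }
    return trust_ad || (saw_ns && all_local);
}

/* Response side: clear AD before the application sees it unless the
 * resolvers (and the network path to them) are trusted. */
unsigned sanitize_response_flags(unsigned flags, bool trusted)
{
    return trusted ? flags : (flags & ~DNS_FLAG_AD);
}

/* Query side: AD asks a security-aware resolver to report validation status;
 * CD (revision 1.22's flag) asks it not to validate because the caller will. */
unsigned build_query_flags(unsigned flags, bool want_ad, bool checking_disabled)
{
    return flags | (want_ad ? DNS_FLAG_AD : 0) | (checking_disabled ? DNS_FLAG_CD : 0);
}
```

The constructed resolv.conf strings in the test show the three cases the entry distinguishes: all-localhost (trusted), a mix with a remote server (AD cleared), and a remote server with "options trust-ad" (trusted by admin choice).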
1.22 | 14-Jan-2019 | otto
There are cases where a program doing dns requests wants to set the Checking Disabled flag. Introduce a RES flag to do so. ok krw@ deraadt@ eric@
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE

1.21 | 12-Sep-2016 | guenther
Change the (unused) restimespec member of __res_state from a timespec to a local equivalent to eliminate a dependency on <sys/time.h> being included
ok deraadt@ millert@
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE

1.20 | 25-Sep-2015 | guenther
Trim symbols that aren't part of our new resolver
OK semarie@
Revision tags: OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE

1.19 | 05-Dec-2012 | deraadt
Remove excessive sys/cdefs.h inclusion ok guenther millert kettenis
Revision tags: OPENBSD_5_2_BASE

1.18 | 10-Jul-2012 | guenther
Stop pulling in <sys/param.h>
ok deraadt@
Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE

1.17 | 04-Jun-2009 | pyr
Add a resolv.conf option to specify the order in which getaddrinfo PF_UNSPEC queries are made. While there change the default from inet6 first then inet4 to inet4 first then inet6, this prevents the many people with IPv4 only connectivity from constantly trying to contact IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo right.
ok deraadt@, plenty of cheering in the room wrt the idea, not loud enough complaining from the v6 crowd.
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE

1.16 | 30-Mar-2005 | tedu
make the resolver stat resolv.conf and update if it changes. useful feedback and ok deraadt@
Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE OPENBSD_3_7_BASE

1.15 | 22-Jan-2004 | espie
Remove unnecessary typedef usage.
u_char -> unsigned char u_short -> unsigned short u_long -> unsigned long u_int -> unsigned int
okay millert@
Revision tags: OPENBSD_3_4_BASE

1.14 | 01-Aug-2003 | avsm
add __bounded__ attributes for userland headers; enabled with -Wbounded ok deraadt@

1.13 | 26-Jun-2003 | avsm
backout the __bounded__ attributes for a while; requested by deraadt@

1.12 | 26-Jun-2003 | avsm
Mark various standard library functions with the __bounded__ attribute. You must have an up-to-date gcc for this! deraadt@ ok

1.11 | 02-Jun-2003 | millert
Remove the advertising clause in the UCB license which Berkeley rescinded 22 July 1999. Proofed by myself and Theo.
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE

1.10 | 03-Jun-2002 | deraadt
compatiblity -> compatibility decriptor -> descriptor authentciated -> authenticated transmition -> transmission
Revision tags: OPENBSD_3_1_BASE

1.9 | 17-Feb-2002 | millert
Manual cleanup of remaining userland __P use (excluding packages maintained outside the tree)

1.8 | 16-Feb-2002 | millert
Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.
Revision tags: OPENBSD_3_0_BASE

1.7 | 31-Jul-2001 | jakob
add support for EDNS0 extended flag DNSSEC OK (aka DO). ok deraadt@

1.6 | 11-Jun-2001 | itojun
support EDNS0 (RFC2671) buffer size notification on DNS queries. "options edns0" in /etc/resolv.conf will enable the behavior. no behavior change if you don't have the line. see resolv.conf(5) for more details.
EDNS0 is useful for avoiding TCP DNS queries/replies on larger DNS responses. also, draft-ietf-dnsext-message-size-* plans to mandate EDNS0 support for DNS clients that support IPv6 transport.
Revision tags: OPENBSD_2_9_BASE

1.5 | 04-Jan-2001 | todd
spelling
Revision tags: OPENBSD_2_8_BASE

1.4 | 22-Jun-2000 | itojun
ipv6 support in resolver. "nameserver" line in /etc/resolv.conf now takes ipv6 address.
Revision tags: OPENBSD_2_1_BASE OPENBSD_2_2_BASE OPENBSD_2_3_BASE OPENBSD_2_4_BASE OPENBSD_2_5_BASE OPENBSD_2_6_BASE OPENBSD_2_7_BASE

1.3 | 13-Mar-1997 | downsj
BIND 4.9.5 includes.
Revision tags: OPENBSD_2_0_BASE

1.2 | 19-Feb-1996 | dm
netbsd: bind 4.9.3

1.1 | 18-Oct-1995 | deraadt
branches: 1.1.1; Initial revision