Revision 1.14 | 22-Nov-2021 | jca

Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.

ok florian@ phessler@

Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
Revision 1.13 | 14-Jan-2019 | otto

Unbreak tree. Last minute changes are evil.
Revision 1.12 | 14-Jan-2019 | otto

There are cases where a program doing dns requests wants to set the Checking Disabled flag. Introduce a RES flag to do so. ok krw@ deraadt@ eric@

Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
Revision 1.11 | 27-Feb-2017 | jca

Add support for RES_USE_DNSSEC

RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and the client is secure.

ok eric@ gilles@
Revision 1.10 | 18-Feb-2017 | jca

Add EDNS0 support.

EDNS allows for various DNS extensions, among which UDP DNS packets size bigger than 512 bytes. The default is still to not advertise anything.

ok eric@

Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
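The four entries above (1.14, 1.12, 1.11 and 1.10) together describe the client side of "ask a trusted validating resolver": decide whether the name servers in resolv.conf(5) may be trusted, set the AD and CD header flags and the EDNS0 DO bit in outgoing queries, and clear AD in replies when the resolvers are not trusted. The following is an added illustration of that logic, written for this page; it is not code from libc's asr or from any of the committers. The function names (resolvers_trusted, query_flags, build_opt_rr, sanitize_reply_flags) and the sample resolv.conf contents are this example's own, and one policy choice is an assumption of the example rather than libc's behaviour: a config that lists no name servers at all is treated as untrusted (fail closed). Wire-format details follow the RFCs (header flags per RFC 1035/4035, AD in queries per RFC 6840 section 5.7, OPT RR per RFC 6891, DO bit per RFC 3225).

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035). */
#define DNS_FLAG_RD 0x0100
#define DNS_FLAG_AD 0x0020
#define DNS_FLAG_CD 0x0010

/* Is addr a loopback address (127.0.0.0/8 or ::1)? Unparsable input is not. */
static int is_loopback(const char *addr)
{
	struct in_addr a4;
	struct in6_addr a6;

	if (inet_pton(AF_INET, addr, &a4) == 1)
		return (ntohl(a4.s_addr) & 0xff000000u) == 0x7f000000u;
	if (inet_pton(AF_INET6, addr, &a6) == 1)
		return memcmp(&a6, &in6addr_loopback, sizeof a6) == 0;
	return 0;
}

/*
 * Trust decision from the 1.14 entry: AD in replies is trusted only if every
 * "nameserver" line points at localhost, or if "options trust-ad" is set.
 * No name servers at all is treated as untrusted (this example's assumption).
 * Returns 1 if trusted, 0 otherwise.
 */
int resolvers_trusted(const char *resolv_conf)
{
	char buf[4096], *line, *word, *save_line, *save_word;
	int nservers = 0, all_loopback = 1, trust_ad_opt = 0;
	size_t len = strlen(resolv_conf);

	if (len >= sizeof buf)
		return 0;	/* oversized config: fail closed */
	memcpy(buf, resolv_conf, len + 1);

	for (line = strtok_r(buf, "\n", &save_line); line != NULL;
	    line = strtok_r(NULL, "\n", &save_line)) {
		word = strtok_r(line, " \t", &save_word);
		if (word == NULL || word[0] == '#' || word[0] == ';')
			continue;
		if (strcmp(word, "nameserver") == 0) {
			if ((word = strtok_r(NULL, " \t", &save_word)) == NULL)
				continue;
			nservers++;
			if (!is_loopback(word))
				all_loopback = 0;
		} else if (strcmp(word, "options") == 0) {
			while ((word = strtok_r(NULL, " \t", &save_word)) != NULL)
				if (strcmp(word, "trust-ad") == 0)
					trust_ad_opt = 1;
		}
	}
	return trust_ad_opt || (nservers > 0 && all_loopback);
}

/* Header flags for an outgoing query: RD always; AD tells the resolver we
 * want the reply's AD bit (RFC 6840 5.7); CD skips validation (1.12). */
uint16_t query_flags(int want_ad, int checking_disabled)
{
	uint16_t flags = DNS_FLAG_RD;

	if (want_ad)
		flags |= DNS_FLAG_AD;
	if (checking_disabled)
		flags |= DNS_FLAG_CD;
	return flags;
}

/* EDNS0 OPT pseudo-RR (RFC 6891); DO bit (RFC 3225) is what RES_USE_DNSSEC
 * sets. Writes 11 bytes into out and returns that count. */
size_t build_opt_rr(uint8_t out[11], uint16_t udp_payload, int dnssec_ok)
{
	out[0] = 0;				/* NAME: root */
	out[1] = 0; out[2] = 41;		/* TYPE: OPT */
	out[3] = udp_payload >> 8;		/* CLASS: advertised UDP payload size */
	out[4] = udp_payload & 0xff;
	out[5] = 0; out[6] = 0;			/* TTL: extended RCODE, EDNS version 0 */
	out[7] = dnssec_ok ? 0x80 : 0;		/* TTL: DO bit, then Z */
	out[8] = 0;
	out[9] = 0; out[10] = 0;		/* RDLENGTH: no options */
	return 11;
}

/* Keep AD in a reply's header flags only when the resolvers are trusted. */
uint16_t sanitize_reply_flags(uint16_t flags, int trusted)
{
	return trusted ? flags : (uint16_t)(flags & ~DNS_FLAG_AD);
}

int main(void)
{
	/* Constructed resolv.conf contents and a constructed reply flags word
	 * (QR RD RA AD, NOERROR) for demonstration. */
	const char *confs[] = { "nameserver 127.0.0.1\nnameserver ::1\n",
	    "nameserver 192.0.2.53\n", "nameserver 192.0.2.53\noptions trust-ad\n" };
	uint16_t reply = 0x81a0;
	size_t i;

	for (i = 0; i < 3; i++) {
		int t = resolvers_trusted(confs[i]);
		printf("config %zu: trusted=%d reply flags 0x%04x -> 0x%04x\n",
		    i, t, reply, sanitize_reply_flags(reply, t));
	}
	return 0;
}
```

The resolv.conf parser is deliberately minimal (one keyword per line, no search/domain handling); the point is the trust decision and the flag handling, which is what an application reading the AD bit after a res_query(3) call depends on.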
Revision 1.9 | 09-Sep-2015 | deraadt

Hide all unnecessary asr / resolver related API with _ prefixes. direction & ok guenther

Revision tags: OPENBSD_5_6_BASE OPENBSD_5_7_BASE OPENBSD_5_8_BASE
Revision 1.8 | 26-Mar-2014 | eric

Make the asr API public. Install asr.h to /usr/include.h and manpages. Include tweaks suggested by mpi@

ok deraadt@
Revision 1.7 | 14-Mar-2014 | eric

prefix structure names to avoid ambiguity and possible collisions when the API gets public.

ok deraadt@

Revision tags: OPENBSD_5_4_BASE OPENBSD_5_5_BASE
Revision 1.6 | 12-Jul-2013 | eric

Make some symbols static and prefix all visible symbols with asr_ to prevent collisions with third-party programs.

suggested by sthen@, ok theo@
Revision 1.5 | 01-Apr-2013 | eric

properly check for domain name truncation at various places and fail if that happens.

prodded by deraadt@
Revision 1.4 | 29-Mar-2013 | guenther

res_querydomain()'s code to terminate the domain with '.' had the assignment flipped so that it always used a domain of ".."

Heavy lifting by otto@ ok eric@ otto@ miod@

Revision tags: OPENBSD_5_3_BASE
Revision 1.3 | 24-Nov-2012 | eric

knf
Revision 1.2 | 24-Nov-2012 | eric

make separate structures for pack and unpack
Revision 1.1 | 08-Sep-2012 | eric

split asr_resolver.c into different files to overlay the libc/net resolver implementation.