Describe what RES_USE_DNSSEC does and how it's affected by trust-ad

author jca <jca@openbsd.org>

Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)

committer jca <jca@openbsd.org>

Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)
author jca <jca@openbsd.org>
Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)
committer jca <jca@openbsd.org>
Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)
diff --git a/lib/libc/net/res_init.3 b/lib/libc/net/res_init.3

index 03e6fca..3e0cabc 100644 (file)
--- a/lib/libc/net/res_init.3
+++ b/lib/libc/net/res_init.3
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $
+.\"    $OpenBSD: res_init.3,v 1.6 2021/11/24 20:06:32 jca Exp $
  .\"
  .\" Copyright (c) 1985, 1991, 1993
  .\"    The Regents of the University of California.  All rights reserved.
@@ -27,7 +27,7 @@
  .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  .\" SUCH DAMAGE.
  .\"
-.Dd $Mdocdate: November 22 2021 $
+.Dd $Mdocdate: November 24 2021 $
  .Dt RES_INIT 3
  .Os
  .Sh NAME
@@ -218,6 +218,19 @@ uses 4096 bytes as input buffer size.
  Request that the resolver uses
  Domain Name System Security Extensions (DNSSEC),
  as defined in RFCs 4033, 4034, and 4035.
+The resolver routines will use the EDNS0 extension and set the DNSSEC DO
+flag in queries, asking the name server to signal validated records by
+setting the AD flag in the reply and to attach additional DNSSEC
+records.
+The resolver routines will clear the AD flag in replies unless the name
+servers are considered trusted.
+Also, client applications are often only interested in the value of the
+AD flag, making the additional DNSSEC records a waste of network
+bandwidth.
+See the description for
+.Dq options trust-ad
+in
+.Xr resolv.conf 5 .
  .It Dv RES_USE_CD
  Set the Checking Disabled flag on queries.
  .El
author	jca <jca@openbsd.org>
	Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)
committer	jca <jca@openbsd.org>
	Wed, 24 Nov 2021 20:06:32 +0000 (20:06 +0000)