From e240e3c78d08e3e82cb9a1b3aa5e823378ad9092 Mon Sep 17 00:00:00 2001 From: jca Date: Wed, 24 Nov 2021 20:06:32 +0000 Subject: [PATCH] Describe what RES_USE_DNSSEC does and how it's affected by trust-ad ok florian@ --- lib/libc/net/res_init.3 | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/libc/net/res_init.3 b/lib/libc/net/res_init.3 index 03e6fca7470..3e0cabc3583 100644 --- a/lib/libc/net/res_init.3 +++ b/lib/libc/net/res_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: res_init.3,v 1.5 2021/11/22 20:18:27 jca Exp $ +.\" $OpenBSD: res_init.3,v 1.6 2021/11/24 20:06:32 jca Exp $ .\" .\" Copyright (c) 1985, 1991, 1993 .\" The Regents of the University of California. All rights reserved. @@ -27,7 +27,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: November 22 2021 $ +.Dd $Mdocdate: November 24 2021 $ .Dt RES_INIT 3 .Os .Sh NAME @@ -218,6 +218,19 @@ uses 4096 bytes as input buffer size. Request that the resolver uses Domain Name System Security Extensions (DNSSEC), as defined in RFCs 4033, 4034, and 4035. +The resolver routines will use the EDNS0 extension and set the DNSSEC DO +flag in queries, asking the name server to signal validated records by +setting the AD flag in the reply and to attach additional DNSSEC +records. +The resolver routines will clear the AD flag in replies unless the name +servers are considered trusted. +Also, client applications are often only interested in the value of the +AD flag, making the additional DNSSEC records a waste of network +bandwidth. +See the description for +.Dq options trust-ad +in +.Xr resolv.conf 5 . .It Dv RES_USE_CD Set the Checking Disabled flag on queries. .El -- 2.20.1
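Review bot: In the res_init.3 hunk, the sentence "The resolver routines will clear the AD flag in replies unless the name servers are considered trusted." is the security-relevant point, but the paragraph leaves "considered trusted" undefined until the pointer to resolv.conf(5) three sentences later; consider attaching the reference to that sentence directly, e.g. "unless the name servers are considered trusted (see options trust-ad in resolv.conf(5))", so a reader does not conclude that RES_USE_DNSSEC on its own makes the AD flag meaningful. The following sentence, "Also, client applications are often only interested in the value of the AD flag, making the additional DNSSEC records a waste of network bandwidth.", states a cost without a recommendation; either say what such an application should do instead or drop it, since as written it reads as an aside rather than documentation of the option. Minor, in the unchanged context line above the added text: "Request that the resolver uses" should read "Request that the resolver use".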