On Tue, May 19, 2020 at 05:19:26PM -0400, Wietse Venema wrote:

> > https://git.musl-libc.org/cgit/musl/commit/?id=fd7ec068efd590c0393a612599a4fab9bb0a8633
>
> I understand that the AD (authentic data) bit now is 'true' if
> DNSSEC validation was successful. Thanks for that.
>
> Meanwhile I'll look into the possibility of a quick runtime check
> whether AD is propagated. It may be missing for reasons that have
> nothing to do with libc-musl.

But keep in mind that the AD bit (in outgoing queries) is not required in outgoing queries if the DO bit is instead present in the EDNS OPT RR. Indeed that's what happens with "old glibc" and BSD libc. We set RES_USE_DNSSEC and the library sets the DO bit.

Setting just the AD bit is a recent innovation with new glibc, where we may/must set RES_TRUST_AD instead, and with future MUSL where RES_USE_DNSSEC is a NOOP, but the AD bit may be set in res_mkquery(), which we can perhaps check by inspecting the output of a suitable res_mkquery() call during initialization.

For the initialization call to be general, it needs to include detection and parsing of EDNS OPT pseudo-RRs, with success either if the AD-bit is set or the DO bit is set.

Another option is to use res_mkquery() + res_send() rather than res_search(), in which case we can set the AD bit, and not even bother with RES_USE_DNSSEC|RES_EDNS0.

--
Viktor.
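
The check described in the message above (inspect a built query and succeed if either the header AD bit or the DO bit of an EDNS OPT pseudo-RR is set), as an added example that is not part of the original message or of any project's code. The name `query_dnssec_flags` and the sample queries are constructed for illustration; in real use the buffer would be the output of a res_mkquery() call.

```c
#include <stddef.h>
#include <stdio.h>
enum { Q_AD = 1, Q_DO = 2 };   /* AD in header; DO in an EDNS OPT pseudo-RR */

/* Skip a domain name; return the offset just past it, or 0 if malformed. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    while (off < len) {
        unsigned c = m[off];
        if (c == 0) return off + 1;                       /* root label */
        if ((c & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* pointer */
        if (c & 0xC0) return 0;                           /* reserved label type */
        off += 1 + c;
    }
    return 0;
}

/* Return a Q_AD|Q_DO mask for a DNS message, or -1 if it does not parse. */
int query_dnssec_flags(const unsigned char *m, size_t len)
{
    if (len < 12) return -1;
    int flags = (m[3] & 0x20) ? Q_AD : 0;                 /* AD: header byte 3 */
    unsigned qd = m[4] << 8 | m[5];
    unsigned rr = (m[6] << 8 | m[7]) + (m[8] << 8 | m[9]) + (m[10] << 8 | m[11]);
    size_t off = 12;
    for (; qd; qd--)                                      /* question section */
        if (!(off = skip_name(m, len, off)) || (off += 4) > len) return -1;
    for (; rr; rr--) {                                    /* AN + NS + AR records */
        if (!(off = skip_name(m, len, off)) || off + 10 > len) return -1;
        /* OPT is TYPE 41; DO is the top bit of the flags half of its TTL field */
        if ((m[off] << 8 | m[off + 1]) == 41 && (m[off + 6] & 0x80)) flags |= Q_DO;
        if ((off += 10 + (m[off + 8] << 8 | m[off + 9])) > len) return -1;
    }
    return flags;
}

/* Constructed sample queries for "example.com IN A" (not captured traffic). */
#define QUESTION 7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1, 0,1
const unsigned char q_plain[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0, QUESTION };
const unsigned char q_ad[]    = { 0x12,0x34, 0x01,0x20, 0,1, 0,0, 0,0, 0,0, QUESTION };
const unsigned char q_do[]    = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1, QUESTION,
                                  0, 0,41, 0x04,0xD0, 0,0,0x80,0, 0,0 };

int main(void)
{
    printf("plain=%d ad=%d do=%d\n", query_dnssec_flags(q_plain, sizeof q_plain),
           query_dnssec_flags(q_ad, sizeof q_ad), query_dnssec_flags(q_do, sizeof q_do));
    return 0;
}
```

A nonzero mask means the query asks the resolver for DNSSEC status by one of the two routes; it says nothing about whether the resolver's AD bit in the response can be trusted.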