931108e9 | 22-Nov-2021 | jca <jca@openbsd.org>
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.
ok florian@ phessler@

e6029de6 | 02-Apr-2021 | eric <eric@openbsd.org>
swap rname and mname in debug output, and handle the USE_CD flag
from Boudewijn Dijkstra

515e489c | 03-Jul-2019 | deraadt <deraadt@openbsd.org>
snprintf/vsnprintf return < 0 on error, rather than -1.

b5afe704 | 28-Apr-2018 | schwarze <schwarze@openbsd.org>
To allow us to get rid of /etc/networks, make getnetby*(3) wrappers around gethostby*_async(3). If you had anything of importance in /etc/networks, specify it in /etc/hosts instead. Feedback and OK eric@, OK deraadt@

3aff1a83 | 27-Feb-2017 | jca <jca@openbsd.org>
Recognize and allow bits AD and CD in DNS replies.
Needed for RES_USE_DNSSEC support.
ok eric@ gilles@

92f75510 | 17-Feb-2017 | eric <eric@openbsd.org>
use common errnos instead of random strings as error indicators in pack/unpack contexts.
ok krw@ deraadt@

83d312d6 | 28-Oct-2015 | eric <eric@openbsd.org>
We are always using _PATH_RESCONF, so no need to remember the path on the resolver.
ok millert@ deraadt@

55f55055 | 03-Oct-2015 | eric <eric@openbsd.org>
missing asr* -> _asr* symbol rename for building with debug code
ok jca@

253ef892 | 09-Sep-2015 | deraadt <deraadt@openbsd.org>
Hide all unnecessary asr / resolver related API with _ prefixes. direction & ok guenther

134ba205 | 20-Jun-2015 | jca <jca@openbsd.org>
Rename print_sockaddr() to avoid symbol visibility problems
print_sockaddr is internal to asr, and conflicts with ports/net/samba4.
ok eric@

d2d7f9c9 | 26-May-2015 | eric <eric@openbsd.org>
simply use _PATH_HOSTS where appropriate

d216d6b1 | 26-Mar-2014 | eric <eric@openbsd.org>
Make the asr API public. Install asr.h to /usr/include.h and manpages. Include tweaks suggested by mpi@
ok deraadt@

5be03f8f | 25-Mar-2014 | eric <eric@openbsd.org>
Cleanup and simplify the API to be exposed. Use better names for structures, functions and defines.
discussed with and ok deraadt@ guenther@

f90bf415 | 14-Mar-2014 | eric <eric@openbsd.org>
prefix structure names to avoid ambiguity and possible collisions when the API gets public.
ok deraadt@

5bd9e5c2 | 12-Jul-2013 | eric <eric@openbsd.org>
Make some symbols static and prefix all visible symbols with asr_ to prevent collisions with third-party programs.
suggested by sthen@, ok theo@

1ed934d0 | 27-May-2013 | eric <eric@openbsd.org>
Add minimal support for _res setup and update.
Change res_init() to initialize the _res structure on first call, and update the global async context if changes were made by the user. All resolver functions now call res_init() internally.
fixes issue spotted by otto@

6a166a79 | 09-Apr-2013 | otto <otto@openbsd.org>
show what we parsed in debug output; ok guenther@

43f9b988 | 01-Apr-2013 | deraadt <deraadt@openbsd.org>
space cleanup; ok eric

80f48568 | 24-Nov-2012 | eric <eric@openbsd.org>
knf

975956b6 | 24-Nov-2012 | eric <eric@openbsd.org>
make separate structures for pack and unpack

d4cf23af | 09-Sep-2012 | eric <eric@openbsd.org>
cleanup asr_debug.c

46ab4803 | 09-Sep-2012 | eric <eric@openbsd.org>
use proper macros for debug traces.

c5c8c49b | 05-Sep-2012 | eric <eric@openbsd.org>
Get rid of the hostaddr_async subquery and merge its behaviour directly into getaddrinfo_async_run. Simplifies everything by a great deal.

d95d6a55 | 05-Sep-2012 | eric <eric@openbsd.org>
Make hostaddr_async() return a linked list of struct addrinfo. First round of a getaddrinfo_async() simplification. The goal is to make YP support easier to add, and eventually remove the whole hostaddr_async subquery.

6ca0a31f | 07-Jul-2012 | eric <eric@openbsd.org>
rename function to avoid symbol clash