• R
    set AD bit in dns queries, suppress for internal use · fd7ec068
    Rich Felker 提交于
    the AD (authenticated data) bit in outgoing dns queries is defined by
    rfc3655 to request that the nameserver report (via the same bit in the
    response) whether the result is authenticated by DNSSEC. while all
    results returned by a DNSSEC conforming nameserver will be either
    authenticated or cryptographically proven to lack DNSSEC protection,
    for some applications it's necessary to be able to distinguish these
    two cases. in particular, conforming and compatible handling of DANE
    (TLSA) records requires enforcing them only in signed zones.
    
    when the AD bit was first defined for queries, there were reports of
    compatibility problems with broken firewalls and nameservers dropping
    queries with it set. these problems are probably a thing of the past,
    and broken nameservers are already unsupported. however, since there
    is no use in the AD bit with the netdb.h interfaces, explicitly clear
    it in the queries they make. this ensures that, even with broken
    setups, the standard functions will work, and at most the res_*
    functions break.
    fd7ec068
getnameinfo.c 4.7 KB