Package: resolvconf
Version: 1.79

glibc 2.31 has support for recognizing that the name servers listed in /etc/resolv.conf are reached over a trusted network path and implement DNSSEC correctly (but do not necessarily perform validation):

* The DNS stub resolver will optionally send the AD (authenticated data) bit in queries if the trust-ad option is set via the options directive in /etc/resolv.conf (or if RES_TRUSTAD is set in _res.options). In this mode, the AD bit, as provided by the name server, is available to applications which call res_search and related functions. In the default mode, the AD bit is not set in queries, and it is automatically cleared in responses, indicating a lack of DNSSEC validation. (Therefore, the name servers and the network path to them are treated as untrusted.)

If resolvconf is used to set up a local caching resolver on 127.0.0.1 and that resolver handles the AD bit properly (merely reflecting it in the response would be wrong—but actual DNSSEC validation is not required), then the generated /etc/resolv.conf contents should include:

  options trust-ad

I expect that needs some interface (or documented approach) in resolvconf. Thoughts?
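The following is an added illustration, not code from the bug report or from resolvconf or glibc: it decodes the AD flag from a constructed DNS response header, models the glibc 2.31 policy of clearing that flag unless trust-ad is configured, and shows the resolv.conf generation rule proposed above (emit "options trust-ad" only when every nameserver is the local resolver and it is known to handle AD correctly). The function names and the sample packet are assumptions made for the example.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD/CD from RFC 4035 section 3.2.3)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def parse_dns_flags(message: bytes) -> dict:
    """Decode the flag word of a DNS message header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", message[:4])
    return {
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),   # Authenticated Data, set by a validating resolver
        "cd": bool(flags & FLAG_CD),   # Checking Disabled
        "rcode": flags & 0x000F,
    }


def query_flags(trust_ad: bool) -> int:
    """Flags a stub would put in a query: RD always; AD only in trust-ad mode."""
    return FLAG_RD | (FLAG_AD if trust_ad else 0)


def ad_bit_as_seen_by_application(response: bytes, trust_ad: bool) -> bool:
    """Model the glibc 2.31 stub: without 'options trust-ad' the AD bit is
    cleared before the response reaches the caller, so the application never
    sees it even if the upstream resolver set it."""
    ad_from_server = parse_dns_flags(response)["ad"]
    return ad_from_server if trust_ad else False


def resolv_conf_for_local_resolver(nameservers, resolver_handles_ad: bool) -> str:
    """Generate resolv.conf text; add trust-ad only when all listed servers are
    the loopback resolver and it is known to handle the AD bit correctly."""
    lines = [f"nameserver {ns}" for ns in nameservers]
    loopback_only = bool(nameservers) and all(ns in ("127.0.0.1", "::1") for ns in nameservers)
    if loopback_only and resolver_handles_ad:
        lines.append("options trust-ad")
    return "\n".join(lines) + "\n"


# Constructed sample response: ID 0x1234, flags QR|RD|RA|AD (0x81A0), one question
# for example.com/A, no answer records.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 0, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
)
```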