On 16.09.2014 at 00:55, Stuart Henderson wrote:
> On 2014-09-15, Marco Prause <[email protected]> wrote:
>> Looking at lib/libc/net/res_query.c
>
> Try libc/asr/res_query.c ..
Thanks for the hint - I had a look at it, but sadly it doesn't help me
understand what's going on.
Having a look at postfix-src I found a notice at
/usr/ports/distfiles/postfix/postfix-2.11.0/srcdns/dns_lookup.c
that says
...
/* .IP RES_USE_DNSSEC
/* Request DNSSEC validation. This flag is silently ignored
/* when the system stub resolver API, resolver(3), does not
/* implement DNSSEC.
...
so far so good, but man resolver 3 also looks good to me:
...
RES_USE_EDNS0 Attach an OPT pseudo-RR for the EDNS0 extension, as
specified in RFC 2671. This informs DNS servers of a
client's receive buffer size, allowing them to take
advantage of a non-default receive buffer size, and thus
to send larger replies. DNS query packets with the EDNS0
extension are not compatible with non-EDNS0 DNS servers.
RES_USE_DNSSEC Request that the resolver uses Domain Name System
Security Extensions (DNSSEC), as defined in RFCs 4033,
4034, and 4035.
...
in include/resolv.h I also find global definitions for both:
...
#define RES_USE_EDNS0 0x40000000 /* use EDNS0 */
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC 0x20000000 /* use DNSSEC using OK bit in OPT */
...
but I can't see it being used anywhere in the query parts of
getrrsetbyname.c, res_mkquery.c, res_query.c - they are mentioned only
at the responses, but in my opinion the DO bit also has to be set in
the query to signal the usage of DNSSEC, and this is what I didn't see
when sniffing on the outgoing interface.
Regards,
Marco
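
An added example, not part of the original message or of the libc code it discusses: a small C check that walks a captured DNS query and reports whether it carries an EDNS0 OPT pseudo-RR and whether the DO bit is set, which is the property the message looks for on the wire. The function names and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Skip one (possibly compressed) name; returns the next offset or -1. */
static long skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t c = m[off];
        if (c == 0) return (long)off + 1;              /* root label */
        if ((c & 0xC0) == 0xC0)                        /* 2-byte pointer */
            return off + 2 <= len ? (long)off + 2 : -1;
        if (c & 0xC0) return -1;                       /* reserved label type */
        off += (size_t)c + 1;
    }
    return -1;
}

/* 1: OPT RR with DO set, 0: OPT RR without DO, -1: no OPT RR, -2: malformed */
int edns_do_state(const uint8_t *m, size_t len) {
    if (len < 12) return -2;
    unsigned qd = m[4] << 8 | m[5];
    unsigned rr = (m[6] << 8 | m[7]) + (m[8] << 8 | m[9]) + (m[10] << 8 | m[11]);
    long off = 12;
    while (qd--) {                                     /* question section */
        off = skip_name(m, len, (size_t)off);
        if (off < 0 || (size_t)off + 4 > len) return -2;
        off += 4;                                      /* QTYPE + QCLASS */
    }
    while (rr--) {                                     /* answer, authority, additional */
        off = skip_name(m, len, (size_t)off);
        if (off < 0 || (size_t)off + 10 > len) return -2;
        const uint8_t *f = m + off;                    /* TYPE CLASS TTL RDLENGTH */
        if ((f[0] << 8 | f[1]) == 41)                  /* OPT pseudo-RR */
            return (f[6] & 0x80) ? 1 : 0;              /* DO = top bit of TTL bytes 2-3 */
        off += 10 + (f[8] << 8 | f[9]);
        if ((size_t)off > len) return -2;
    }
    return -1;
}

/* Constructed sample: A query for example.com, OPT RR, 4096-byte buffer, DO set */
static const uint8_t q_do[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1,
    7,'e','x','a','m','p','l','e', 3,'c','o','m',0, 0,1, 0,1,
    0, 0,41, 0x10,0x00, 0,0,0x80,0, 0,0 };

int main(void) {
    printf("with OPT+DO: %d\n", edns_do_state(q_do, sizeof q_do));
    return 0;
}
```

A result of -1 on an outgoing query means no OPT RR was attached at all, and 0 means EDNS0 was used but DNSSEC records were not requested.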