resolv.5: Document the trust-ad option

Signed-off-by: Florian Weimer <fweimer@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Florian Weimer 2020-10-12 13:22:29 +02:00 committed by Michael Kerrisk
parent 92e4056a29
commit a3f91ca97b
1 changed files with 28 additions and 3 deletions


@ -35,9 +35,10 @@ The resolver configuration file contains information that is read
by the resolver routines the first time they are invoked by a process.
The file is designed to be human readable and contains a list of
keywords with values that provide various types of resolver information.
The configuration file is considered a trusted source of DNS information
(e.g., DNSSEC AD-bit information will be returned unmodified from this
source).
The configuration file is considered a trusted source of DNS information;
see the
.B trust-ad
option below for details.
.PP
If this file does not exist, only the name server on the local machine
will be queried, and the search list contains the local domain name
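Review bot: the replacement sentence keeps the unconditional statement that the configuration file is "a trusted source of DNS information", while the removed text tied that trust to AD-bit pass-through and the new trust-ad entry makes AD-bit trust an explicit opt-in; as written, a reader of this paragraph can conclude that DNSSEC results from the configured name servers are honored by default. Consider stating the relationship directly, e.g. "The name servers listed in this file are not trusted to report DNSSEC validation results unless the" / ".B trust\-ad" / "option is enabled; see below." Also, the cross-reference here spells the option ".B trust-ad" with a plain hyphen, whereas the option entry and its later mentions use "trust\-ad"; use the escaped form consistently so the rendered dash matches.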
@ -317,6 +318,30 @@ Sets
in
.IR _res.options .
This option disables automatic reloading of a changed configuration file.
.TP
.BR trust\-ad " (since glibc 2.31)"
.\" 446997ff1433d33452b81dfa9e626b8dccf101a4
Sets
.BR RES_TRUSTAD
in
.IR _res.options .
This option controls the AD bit behavior of the stub resolver. If a
validating resolver sets the AD bit in a response, it indicates that
the data in the response was verified according to the DNSSEC
protocol. In order to rely on the AD bit, the local system has to
trust both the DNSSEC-validating resolver and the network path to it,
which is why an explicit opt-in is required. If the
.B trust\-ad
option is active, the stub resolver sets the AD bit in outgoing DNS
queries (to enable AD bit support), and preserves the AD bit in
responses. Without this option, the AD bit is not set in queries, and
it is always removed from responses before they are returned to the
application. This means that applications can trust the AD bit in
responses if the
.B trust\-ad
option has been set correctly. In glibc version 2.30 and earlier, the
AD is not set automatically in queries, and passed through unchanged
to applications in responses.
.RE
.PP
The \fIsearch\fP keyword of a system's \fIresolv.conf\fP file can be
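Review bot: the last sentence of the new trust-ad entry, "the AD is not set automatically in queries, and passed through unchanged to applications in responses", is missing "bit" and reads better with a parallel clause: "the AD bit is not set automatically in queries, and it is passed through unchanged to applications in responses." The conclusion "applications can trust the AD bit in responses if the trust-ad option has been set correctly" should also spell out the other half of the contract stated two sentences earlier: without the option the bit is always cleared before the response reaches the application, so the AD bit is meaningful only when trust-ad is enabled and will never be observed set otherwise. Minor: "AD bit behavior" in the first sentence could name what the bit is ("Authenticated Data") once, since the entry is the only place in the file that defines it.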