Today, applications that want to be sure DNS responses have been DNSSEC-validated can use RES_USE_DNSSEC to set +DO on the query, and check the response for a set +AD flag. However, this relies on badly specified behaviour (RFC 6840, 5.7/5.8). Given that such applications are not actually processing the signatures themselves, setting +AD on the query would be more efficient, as this signals a resolver to do validation but to not pass the signatures on. Incidentally, using +AD instead of +DO might improve interoperability with implementations that have differing readings of the relevant sections of RFC 6840 (like PowerDNS Recursor 4.0.0, although it is likely we will change this to accommodate glibc users). In short: please allow setting of +AD like you allow setting +DO (via RES_USE_DNSSEC) today, for improved performance and interoperability.
Related wiki page: https://sourceware.org/glibc/wiki/DNSSEC
Patch posted: https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/461
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=446997ff1433d33452b81dfa9e626b8dccf101a4

commit 446997ff1433d33452b81dfa9e626b8dccf101a4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Oct 30 17:26:58 2019 +0100

    resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]

    This introduces a concept of trusted name servers, for which the AD bit
    is passed through to applications. For untrusted name servers (the
    default), the AD bit in responses is cleared, to provide a safe default.

    This approach is very similar to the one suggested by Pavel Šimerda in
    <https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15>.

    The DNS test framework in support/ is enhanced with support for setting
    the AD bit in responses.

    Tested on x86_64-linux-gnu.

    Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc
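Added example (not glibc's resolver code): it reads the AD bit from the wire-format DNS header, sets AD on an outgoing query as the report asks for, and applies the trust-ad policy the commit describes, clearing AD in responses from name servers not marked trusted. Header offsets follow RFC 1035; the sample message is constructed, and whether a server is trusted is passed in as an assumption rather than read from /etc/resolv.conf.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* DNS header flag bits (RFC 1035 / RFC 4035): second 16-bit word of the header. */
#define DNS_FLAG_QR     0x8000
#define DNS_FLAG_AD     0x0020
#define DNS_FLAG_CD     0x0010
#define DNS_HEADER_LEN  12

/* Return the 16-bit flags word of a wire-format DNS message, or -1 if it is too short. */
int dns_flags(const uint8_t *msg, size_t len)
{
    if (len < DNS_HEADER_LEN)
        return -1;
    return (msg[2] << 8) | msg[3];
}

/* 1 if AD is set, 0 if not, -1 if the message is malformed. */
int dns_ad_set(const uint8_t *msg, size_t len)
{
    int flags = dns_flags(msg, len);
    if (flags < 0)
        return -1;
    return (flags & DNS_FLAG_AD) ? 1 : 0;
}

/* Set AD on an outgoing query (RFC 6840 5.7): asks the resolver to validate
   without returning RRSIGs. Returns the new flags word, or -1 if malformed. */
int dns_query_request_ad(uint8_t *msg, size_t len)
{
    if (len < DNS_HEADER_LEN || (msg[2] & 0x80))   /* refuse to touch a response (QR=1) */
        return -1;
    msg[3] |= (uint8_t)(DNS_FLAG_AD & 0xff);
    return dns_flags(msg, len);
}

/* trust-ad policy: only a response from a trusted server keeps its AD bit;
   otherwise AD is cleared in place before the application sees the message.
   Returns the AD value the application will observe, or -1 if malformed. */
int apply_trust_ad(uint8_t *msg, size_t len, bool server_trusted)
{
    if (len < DNS_HEADER_LEN)
        return -1;
    if (!server_trusted)
        msg[3] &= (uint8_t)~(DNS_FLAG_AD & 0xff);
    return dns_ad_set(msg, len);
}

/* Constructed sample: response header with QR, RD, RA and AD set, RCODE 0, one question. */
const uint8_t SAMPLE_AD_RESPONSE[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
```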
Fixed for glibc 2.31.