authorjca <jca@openbsd.org>2017-02-27 11:38:08 +0000
committerjca <jca@openbsd.org>2017-02-27 11:38:08 +0000
commitd4d39a6f50245c183c05c6e343675be505d82282 (patch)
tree0d2a0b44f387444b252c16650527ee0e6987b87a /lib/libc/asr/asr_utils.c
parentRecognize and allow bits AD and CD in DNS replies. (diff)
Add support for RES_USE_DNSSEC
RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and the client is secure. ok eric@ gilles@
Diffstat (limited to 'lib/libc/asr/asr_utils.c')
-rw-r--r--lib/libc/asr/asr_utils.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/lib/libc/asr/asr_utils.c b/lib/libc/asr/asr_utils.c
index 25d9f2da389..f700973ce2f 100644
--- a/lib/libc/asr/asr_utils.c
+++ b/lib/libc/asr/asr_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asr_utils.c,v 1.16 2017/02/19 12:02:30 jca Exp $ */
+/* $OpenBSD: asr_utils.c,v 1.17 2017/02/27 11:38:08 jca Exp $ */
/*
* Copyright (c) 2009-2012 Eric Faurot <eric@faurot.net>
*
@@ -423,12 +423,19 @@ _asr_pack_query(struct asr_pack *p, uint16_t type, uint16_t class, const char *d
}
int
-_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz)
+_asr_pack_edns0(struct asr_pack *p, uint16_t pktsz, int dnssec_do)
{
+ DPRINT("asr EDNS0 pktsz:%hu dnssec:%s\n", pktsz,
+ dnssec_do ? "yes" : "no");
+
pack_dname(p, ""); /* root */
pack_u16(p, T_OPT); /* OPT */
pack_u16(p, pktsz); /* UDP payload size */
- pack_u32(p, 0); /* extended RCODE and flags */
+
+ /* extended RCODE and flags */
+ pack_u16(p, 0);
+ pack_u16(p, dnssec_do ? DNS_MESSAGEEXTFLAG_DO : 0);
+
pack_u16(p, 0); /* RDATA len */
return (p->err) ? (-1) : (0);