
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC



* Matthew Grant:

> From my investigations this can only be enabled by recompiling each bit
> of software to set the RES_USE_DNSSEC flag in _res.options, as well as
> RES_USE_EDNS0. (Please see racoon bug #679483).  The enablement method
> is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c 

This does not actually activate DNSSEC, it just tells the recursive
resolver that the application is able to process DNSSEC records.  The
application would still have to validate them.

Applications should never need to set the RES_USE_DNSSEC flag because
it does not make sense to treat DNSSEC-signed data differently from
unsigned data.

> Please create a resolv.conf flag so that RES_USE_DNSSEC is available
> to the systems administrator, and maybe a debconf screen to select it.

This alone wouldn't make any difference to the spoofing problem.

libc is not the correct place to put DNSSEC validation because many
processes are short-lived and would have to fetch all key material and
signatures from DNS, beginning at the root.  This would turn a single
name resolution into six or more DNS queries, which is excessive.

At this stage, you should run a BIND or Unbound process restricted to
localhost which performs the validation.  This validation will happen
even for applications which do not set the RES_USE_DNSSEC flag.
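To make the distinction in this reply concrete, here is an added example in C (it is not from the bug report, from glibc or from any Debian package). It builds the kind of query glibc sends when RES_USE_EDNS0 and RES_USE_DNSSEC are set, an EDNS0 OPT pseudo-record with the DO bit, and parses a response to find the AD bit, which is the only thing that tells an application that the recursive resolver validated the answer. The example.com question, the 192.0.2.1 (TEST-NET-1) address and both messages are constructed sample data; nothing is sent on the network.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Append an EDNS0 OPT pseudo-RR (RFC 6891) to a query. glibc adds one when
 * RES_USE_EDNS0 is set; RES_USE_DNSSEC additionally sets the DO bit, which
 * only says "I can receive DNSSEC records". Returns bytes written, 0 if
 * the buffer is too small. */
size_t append_opt_rr(uint8_t *buf, size_t cap, int dnssec_ok, uint16_t udp_size)
{
    if (cap < 11) return 0;
    uint8_t *p = buf;
    *p++ = 0;                                                   /* NAME: root */
    *p++ = 0; *p++ = 41;                                        /* TYPE: OPT */
    *p++ = (uint8_t)(udp_size >> 8); *p++ = (uint8_t)udp_size;  /* CLASS: UDP payload size */
    *p++ = 0; *p++ = 0;                                         /* extended RCODE, EDNS version */
    *p++ = dnssec_ok ? 0x80 : 0; *p++ = 0;                      /* DO bit, then Z */
    *p++ = 0; *p++ = 0;                                         /* RDLENGTH: no options */
    return (size_t)(p - buf);
}

/* Skip a possibly compressed name at off; return the next offset, 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0;  /* compression pointer */
        if (l & 0xc0) return 0;                                        /* reserved label type */
        off += 1 + l;
    }
    return 0;
}

struct dns_info {
    int has_opt;   /* an OPT RR was present in the additional section */
    int do_bit;    /* DO set: the sender is DNSSEC-aware, nothing more */
    int ad;        /* AD set: the resolver claims it validated the data */
};

/* Walk a DNS message and report the DO and AD bits. 0 on success, -1 if malformed. */
int inspect_message(const uint8_t *m, size_t len, struct dns_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 12) return -1;
    out->ad = (m[3] & 0x20) != 0;                   /* AD is bit 5 of the second flags byte */
    unsigned qd = (m[4] << 8) | m[5], an = (m[6] << 8) | m[7];
    unsigned ns = (m[8] << 8) | m[9], ar = (m[10] << 8) | m[11];
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {             /* question section */
        off = skip_name(m, len, off);
        if (!off || off + 4 > len) return -1;
        off += 4;                                    /* QTYPE, QCLASS */
    }
    for (unsigned i = 0; i < an + ns + ar; i++) {   /* answer, authority, additional */
        off = skip_name(m, len, off);
        if (!off || off + 10 > len) return -1;
        unsigned type = (m[off] << 8) | m[off + 1];
        unsigned rdlen = (m[off + 8] << 8) | m[off + 9];
        if (type == 41 && i >= an + ns) {           /* OPT lives in the additional section */
            out->has_opt = 1;
            out->do_bit = (m[off + 6] & 0x80) != 0; /* top bit of the TTL field's low half */
        }
        off += 10 + rdlen;
        if (off > len) return -1;
    }
    return 0;
}

/* Constructed sample question: example.com A IN. */
static const uint8_t QNAME[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };

size_t build_query(uint8_t *buf, size_t cap, int dnssec_ok)
{
    if (cap < 12 + sizeof QNAME + 4 + 11) return 0;
    const uint8_t hdr[12] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,1 }; /* RD; QD=1, AR=1 */
    memcpy(buf, hdr, 12);
    memcpy(buf + 12, QNAME, sizeof QNAME);
    memcpy(buf + 12 + sizeof QNAME, "\0\1\0\1", 4);  /* QTYPE A, QCLASS IN */
    size_t off = 12 + sizeof QNAME + 4;
    return off + append_opt_rr(buf + off, cap - off, dnssec_ok, 4096);
}

/* Constructed response: one A record (192.0.2.1, TEST-NET-1) plus OPT with DO.
 * AD is set only when `validated` is nonzero, as a validating resolver would do. */
size_t sample_response(uint8_t *buf, size_t cap, int validated)
{
    const uint8_t answer[] = { 0xc0,0x0c, 0,1, 0,1, 0,0,0x0e,0x10, 0,4, 192,0,2,1 };
    size_t n = build_query(buf, cap, 1);
    if (!n || cap < n + sizeof answer) return 0;
    size_t off = n - 11;                                /* overwrite the query's OPT RR */
    memcpy(buf + off, answer, sizeof answer);
    off += sizeof answer;
    off += append_opt_rr(buf + off, cap - off, 1, 4096);
    buf[2] = 0x81;                                      /* QR, RD */
    buf[3] = (uint8_t)(0x80 | (validated ? 0x20 : 0));  /* RA, and AD only if validated */
    buf[7] = 1;                                         /* ANCOUNT = 1 */
    return off;
}

int main(void)
{
    uint8_t msg[512]; struct dns_info q, r;
    inspect_message(msg, build_query(msg, sizeof msg, 1), &q);
    inspect_message(msg, sample_response(msg, sizeof msg, 1), &r);
    printf("query: DO=%d AD=%d   response: DO=%d AD=%d\n", q.do_bit, q.ad, r.do_bit, r.ad);
    return 0;
}
```

The AD bit is an unsigned header flag, so it is meaningful only over a channel the application already trusts, such as the BIND or Unbound process on localhost suggested above; an AD bit received from an arbitrary network resolver proves nothing, and setting DO in the query never makes the data any more trustworthy by itself.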


