Document that "localhost" only resolves to the loopback addresses.
prodding pb
OK phessler, sthen
Input & OK jmc

nameserver->name server, as the rest of the file does;

Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set whe

Implement rfc6840 (AD flag processing) if using trusted name servers

libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".

AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.

RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.

ok florian@ phessler@

show more ...

We no longer have resolv.conf.tail.
From Scott Bennett, thanks!

Don't document systems which rewrite/change resolv.conf. Those systems can
document their actions in their own manual pages.
ok kn

Make it clearer that "options inet6" does nothing on OpenBSD

The previous wording could imply that "options inet6" did set
RES_USE_INET6 on OpenBSD but that RES_USE_INET6 had no effect.
The truth is

Make it clearer that "options inet6" does nothing on OpenBSD

The previous wording could imply that "options inet6" did set
RES_USE_INET6 on OpenBSD but that RES_USE_INET6 had no effect.
The truth is, "options inet6" isn't recognized by libc/asr, but
RES_USE_INET6 has an effect on OpenBSD.

So first state that "options inet6" does nothing on our system, then
describe concisely what it used to do/what it does on other systems.

Prompted by a diff from solene@, claudio@ insisted that we keep
dcumenting this option. ok eric@ deraadt@ solene@

show more ...

re{move,bound,ference}

about time unwind got a namecheck;

mop up resolver.3 rename; ok deraadt

We do support "options edns0"; ok jca@

zap a dot;

Xr rebound; ok jmc@

Bring the dhclient(8) related text into
line with reality. More polishing sure
to follow.

ok beck@

Add EDNS0 support.

EDNS allows for various DNS extensions, among which UDP DNS packets size
bigger than 512 bytes. The default is still to not advertize anything.

ok eric@

in resolver(3), document that _EDNS0 and _DNSSEC are no ops;
diff from kirill miazine

while here, bump all the no op texts to one standard blurb;
help/ok jca

* Properly distinguish commands (.Ic) and command modifiers (.Cm).
* Consistently use .Nm for the page name, do not oscillate to .Pa.

max name servers is currently 5, not 3, apparently;
from remi locherer

Remove support for "lookup yp" in /etc/resolv.conf. This historical
wart is incompatible with pledge, because suddenly a "dns" operation
needs "getpw" access to ypbind/ypserv, etc. file + dns acces

Remove support for "lookup yp" in /etc/resolv.conf. This historical
wart is incompatible with pledge, because suddenly a "dns" operation
needs "getpw" access to ypbind/ypserv, etc. file + dns access is
enough for everyone, sorry if you were using that old SunOS 4.x style
mechanism, but it is now gone.
ok semarie millert florian

show more ...

Remove support for [addr]:port syntax from the "nameserver" line.
This extension never made it to other systems. (pledge is also happy
with this. The idea of DNS @ any port collides with pledge enc

Remove support for [addr]:port syntax from the "nameserver" line.
This extension never made it to other systems. (pledge is also happy
with this. The idea of DNS @ any port collides with pledge encouraring
differentiation between DNS and non-DNS sockets)
ok phessler jung sthen kettenis

show more ...

edns0 is not currently supported: confirmed by sthen and eric

diff From: Mike Burns
(though my fix differs a bit)

unbind;

merge the relevant bits of dhcp(8) into dhclient(8) and dhcpd(8),
removing traces of dhcp(8)... i'm about to remove that file, since
it's essentially useless. holding off for a little, in case my com

merge the relevant bits of dhcp(8) into dhclient(8) and dhcpd(8),
removing traces of dhcp(8)... i'm about to remove that file, since
it's essentially useless. holding off for a little, in case my commit
is greeted with howls.

help/ok krw

show more ...

some small simplifications;

when only one "family" argument is given, only that family is tried;
confirmed by pyr

document that resolv.conf is now not unconditionally overwritten;
text/ok krw