resolv: Implement trust-ad option for /etc/resolv.conf [BZ #20358]

This introduces a concept of trusted name servers, for which the
AD bit is passed through to applications.  For untrusted name
servers (the default), the AD bit in responses are cleared, to
provide a safe default.

This approach is very similar to the one suggested by Pavel Šimerda
in <https://bugzilla.redhat.com/show_bug.cgi?id=1164339#c15>.

The DNS test framework in support/ is enhanced with support for
setting the AD bit in responses.

Tested on x86_64-linux-gnu.

Change-Id: Ibfe0f7c73ea221c35979842c5c3b6ed486495ccc

1 files changed, 2 insertions, 0 deletions

diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
index cf0c9e2..0d39353 100644
--- a/resolv/res_mkquery.c
+++ b/resolv/res_mkquery.c
@@ -118,6 +118,8 @@ __res_context_mkquery (struct resolv_context *ctx, int op, const char *dname,
      the application does multiple requests.  */
   hp->id = random_bits ();
   hp->opcode = op;
+  if (ctx->resp->options & RES_TRUSTAD)
+    hp->ad = 1;
   hp->rd = (ctx->resp->options & RES_RECURSE) != 0;
   hp->rcode = NOERROR;
   cp = buf + HFIXEDSZ;