- Make it possible to turn on RES_INSECURE[12] with /etc/resolv.conf.

- Don't connect datagram socket if RES_INSECURE1.
- Needed to implement IPv6 anycast UDP DNS queries as documented in
  <draft-ietf-ipngwg-dns-discovery-03.txt>.

Obtained from:	KAME

2 files changed, 13 insertions, 1 deletions

diff --git a/lib/libc/net/res_init.c b/lib/libc/net/res_init.c
index 2d25677..ce74928 100644
--- a/lib/libc/net/res_init.c
+++ b/lib/libc/net/res_init.c
@@ -533,6 +533,10 @@ res_setoptions(options, source)
 #endif
 		} else if (!strncmp(cp, "inet6", sizeof("inet6") - 1)) {
 			_res.options |= RES_USE_INET6;
+		} else if (!strncmp(cp, "insecure1", sizeof("insecure1") - 1)) {
+		       _res.options |= RES_INSECURE1;
+		} else if (!strncmp(cp, "insecure2", sizeof("insecure2") - 1)) {
+		       _res.options |= RES_INSECURE2;
 		} else if (!strncmp(cp, "no_tld_query", sizeof("no_tld_query") - 1)) {
 			_res.options |= RES_NOTLDQUERY;
 		} else if (!strncmp(cp, "edns0", sizeof("edns0") - 1)) {
diff --git a/lib/libc/net/res_send.c b/lib/libc/net/res_send.c
index e56b91f..1155ba2 100644
--- a/lib/libc/net/res_send.c
+++ b/lib/libc/net/res_send.c
@@ -635,8 +635,16 @@ read_len:
 			 * however, we don't want to remain connected,
 			 * as we wish to receive answers from the first
 			 * server to respond.
+			 *
+			 * When the option "insecure1" is specified, we'd
+			 * rather expect to see responses from an "unknown"
+			 * address.  In order to let the kernel accept such
+			 * responses, do not connect the socket here.
+			 * XXX: or do we need an explicit option to disable
+			 * connecting?
 			 */
-			if (_res.nscount == 1 || (try == 0 && ns == 0)) {
+			if (!(_res.options & RES_INSECURE1) &&
+			    (_res.nscount == 1 || (try == 0 && ns == 0))) {
 				/*
 				 * Connect only if we are sure we won't
 				 * receive a response from another server.