net: silently ignore trust-ad option in /etc/resolv.conf and not to fallback to the cgo resolver

[mateusz834]

The /etc/resolv.conf file often includes: options edns0 trust-ad. Golang does not recognize either of those options, so it fallbacks to the cgo reoslver.
I think that trust-ad should be silently ignored. Golang does not use the ad flag anywhere, so it should be safe to silently ignore that option and not cause fallback to the cgo resolver.
Edit: edns0 option

[cherrymui]

cc @ianlancetaylor @neild

[DasSkelett]

This would make sense, Go doesn't have the ability to do DNSSEC validation, so there isn't any alternative to trusting the AD bit.

There is one difference in behavior for glibc with this option though: If it's set, glibc sets the AD bit in queries, otherwise it doesn't. Some DNS recursors might be configured to only do DNSSEC validation if the AD (or DO) bit is set, and otherwise return everything even if it's bogus. (see PowerDNS docs: dnssec=process)
So in theory this could lead to Go receiving bogus data while it would've been filtered for the CGO resolver.
In practice however I think this recursor behavior is getting rare, most of them are configured to always validate DNSSEC (regardless of AD/DO bit) nowadays.

[mateusz834]

Didn't know about that behavior, but it might make sense to follow the glibc implementation, and add the AD flag to queries when trust-ad is present.

[mateusz834]

Thanks for including that link to the PowerDNS docs. It is even the default behavior of PowerDNS since 4.5.0.
It can still affect programs when trust-ad is set and the go resolver is forced (via GODEBUG env), compiled statically without CGO or using the netgo flag.
I don't know if forcing the go resolver is common, but someone might be doing it.

[gopherbot]

Change https://go.dev/cl/408654 mentions this issue: dns/dnsmessage: add AD flag support

[gopherbot]

Change https://go.dev/cl/428955 mentions this issue: net: set AD bit in DNS queries when trust-ad in resolv.conf

[gopherbot]

Change https://go.dev/cl/451420 mentions this issue: doc/go1.20: add release notes for net package