git.ipfire.org Git - thirdparty/systemd.git/commit
resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
author Tore Anderson <tore@fud.no>
Mon, 17 Dec 2018 08:15:59 +0000 (09:15 +0100)
committer Lennart Poettering <lennart@poettering.net>
Mon, 17 Dec 2018 14:15:18 +0000 (15:15 +0100)
commit 93158c77bc69fde7cf5cff733617631c1e566fe8
tree 3d40b18526f404029ec0c2939c3dd976afa0e23b
parent bce48452b8ef751be96856d8ef253ee51267ffc7
resolve: enable EDNS0 towards the 127.0.0.53 stub resolver

This appears to be necessary for client software to ensure the response data
is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o
StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is
not enabled. The debugging output reveals that the `SSHFP` records were
found in DNS, but were considered insecure.

Note that the patch intentionally does *not* enable EDNS0 in the
`/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver`
entries for the upstream DNS servers), as it is impossible to know for
certain that all the upstream DNS servers handle EDNS0 correctly.
src/resolve/resolv.conf
src/resolve/resolved-resolv-conf.c
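As an added illustration that is not part of this commit or of systemd's code: the DO ("DNSSEC OK") bit a client uses to ask for validated answers lives in the EDNS0 OPT pseudo-record, so a query sent without EDNS0 cannot carry it, and a DNSSEC-aware client such as ssh's VerifyHostKeyDNS check then judges the SSHFP answer by the AD flag in the reply header. The function names, the 4096-byte payload size and the sample reply headers below are my own choices, not taken from the page.

```python
import struct

SSHFP, OPT = 44, 41  # RR types: SSHFP (what ssh looks up), OPT (the EDNS0 pseudo-record)

def encode_name(name: str) -> bytes:
    """Wire-encode a hostname as length-prefixed labels plus the root label."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, qtype: int, edns0: bool, txid: int = 0x1234) -> bytes:
    """Recursion-desired query; with edns0=True, append an OPT record with DO=1."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)  # question, class IN
    if edns0:
        # OPT: root name, TYPE=41, CLASS=UDP payload size (assumed 4096),
        # TTL=ext-rcode/version/flags with DO=0x8000, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return pkt

def skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a wire-format name (a compression pointer is 2 bytes)."""
    while pkt[off] != 0:
        if (pkt[off] & 0xC0) == 0xC0:
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def requests_dnssec(query: bytes) -> bool:
    """True if the query carries an OPT record with the DO bit, i.e. EDNS0 is in use."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(query, off) + 4
    for _ in range(ancount + nscount):  # a plain query has none; kept for generality
        off = skip_name(query, off) + 8
        off += 2 + struct.unpack("!H", query[off:off + 2])[0]
    for _ in range(arcount):
        off = skip_name(query, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rrtype == OPT:
            return bool(ttl & 0x8000)
        off += 10 + rdlen
    return False

def reply_validated(reply: bytes) -> bool:
    """True if the reply header carries AD (authenticated data), the flag a
    DNSSEC-aware client like ssh's VerifyHostKeyDNS check looks for."""
    return bool(struct.unpack("!H", reply[2:4])[0] & 0x0020)

# Constructed reply headers (bodies omitted): flags QR|RD|RA|AD vs. QR|RD|RA only.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
INSECURE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```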