resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
authorTore Anderson <tore@fud.no>
Mon, 17 Dec 2018 08:15:59 +0000 (09:15 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 17 Dec 2018 14:15:18 +0000 (15:15 +0100)
This appears to be necessary for client software to ensure the response data
is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o
StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is
not enabled. The debugging output reveals that the `SSHFP` records were
found in DNS, but were considered insecure.

Note that the patch intentionally does *not* enable EDNS0 in the
`/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver`
entries for the upstream DNS servers), as it is impossible to know for
certain that all the upstream DNS servers handles EDNS0 correctly.

src/resolve/resolv.conf
src/resolve/resolved-resolv-conf.c

index ffc460dbf298a61660cdaee6ed84fcd527fa3c8e..c3079aca1d4279a573ff265931e5447e51248f65 100644 (file)
@@ -15,3 +15,4 @@
 # operation for /etc/resolv.conf.
 
 nameserver 127.0.0.53
+options edns0
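Review bot: The new `options edns0` line is added without any explanation in the generated file itself, so an administrator reading /run/systemd/resolve/stub-resolv.conf has no way to know it is load-bearing for DNSSEC-validating clients (the rationale lives only in this commit message). The same applies to the string literal added in src/resolve/resolved-resolv-conf.c, which emits identical text; keeping the two copies byte-for-byte in sync is presumably intended, so the comment should be added to both. I would add one comment line above the option in both places, e.g. `# EDNS0 is enabled for the stub listener only; upstream servers listed in /run/systemd/resolve/resolv.conf may not handle it.` In the C hunk, write_stub_resolv_conf_contents begins before the hunk, so the surrounding fputs() call is only partially visible here.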
index ad47d13d238891f452bed617975bb3cd997e5f57..5fcd59d8767ab01b6be3ca5b608b85d2f385774e 100644 (file)
@@ -321,7 +321,8 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet
                        "# See man:systemd-resolved.service(8) for details about the supported modes of\n"
                        "# operation for /etc/resolv.conf.\n"
                        "\n"
-                       "nameserver 127.0.0.53\n", f);
+                       "nameserver 127.0.0.53\n"
+                       "options edns0\n", f);
 
         if (!ordered_set_isempty(domains))
                 write_resolv_conf_search(domains, f);