From: Tore Anderson
Date: Mon, 17 Dec 2018 08:15:59 +0000 (+0100)
Subject: resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
X-Git-Tag: v240~41
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93158c77bc69fde7cf5cff733617631c1e566fe8;p=thirdparty%2Fsystemd.git

resolve: enable EDNS0 towards the 127.0.0.53 stub resolver

This appears to be necessary for client software to ensure the response data is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is not enabled. The debugging output reveals that the `SSHFP` records were found in DNS, but were considered insecure.

Note that the patch intentionally does *not* enable EDNS0 in the `/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver` entries for the upstream DNS servers), as it is impossible to know for certain that all the upstream DNS servers handle EDNS0 correctly.

---
diff --git a/src/resolve/resolv.conf b/src/resolve/resolv.conf index ffc460dbf29..c3079aca1d4 100644 --- a/src/resolve/resolv.conf +++ b/src/resolve/resolv.conf @@ -15,3 +15,4 @@ # operation for /etc/resolv.conf. nameserver 127.0.0.53 +options edns0 diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c index ad47d13d238..5fcd59d8767 100644 --- a/src/resolve/resolved-resolv-conf.c +++ b/src/resolve/resolved-resolv-conf.c @@ -321,7 +321,8 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet "# See man:systemd-resolved.service(8) for details about the supported modes of\n" "# operation for /etc/resolv.conf.\n" "\n" - "nameserver 127.0.0.53\n", f); + "nameserver 127.0.0.53\n" + "options edns0\n", f); if (!ordered_set_isempty(domains)) write_resolv_conf_search(domains, f);
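Review bot: Missing documentation in the first hunk (the static src/resolve/resolv.conf): the file's own comment block, which points readers at man:systemd-resolved.service(8), says nothing about why `options edns0` is now present, and the rationale lives only in the commit message. Suggest a one-line comment above `options edns0` stating that EDNS0 is enabled only towards the local 127.0.0.53 stub so that DNSSEC-validating clients (the `VerifyHostKeyDNS` case in the message) see the response as validated, and that the man page's description of the stub file be updated to list the new option, so that the shipped file and the documentation do not drift apart.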
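Review bot: In the second hunk (write_stub_resolv_conf_contents), the generated stub content must stay byte-for-byte in sync with the static src/resolve/resolv.conf changed in the first hunk, and nothing in the diff enforces or documents that coupling. Suggest a short comment next to the new `"options edns0\n"` literal noting that the upstream writer for /run/systemd/resolve/resolv.conf deliberately does not get this option (per the commit message, upstream servers cannot be assumed to handle EDNS0), so that a later cleanup does not "harmonize" the two writers and silently re-enable EDNS0 towards upstream; a test asserting the generated stub content would catch both that regression and any future divergence from the static file.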