author | Beniamino Galvani <bgalvani@redhat.com> | 2020-10-09 06:21:32 +0200 |
---|---|---|
committer | Beniamino Galvani <bgalvani@redhat.com> | 2020-10-09 16:28:41 +0200 |
commit | f91a8ef3327aebf665dc43100191802d90df5e92 (patch) | |
tree | 8ab7d85e54083f2728692778379d71a1e8099a85 | |
parent | 3093a0073b6f578da1a52ee6f44d666e1c254afd (diff) | |
dns: add edns0 and trust-ad options when using local resolver
bg/dns-stub-edns0
EDNS(0) is not enabled by default in glibc because the option has
interoperability issues with some DNS servers. dnsmasq and
systemd-resolved don't have such problems.
Enable the option automatically when using a local resolver so that
the data provided via EDNS(0) (e.g. SSH fingerprints or DNSSEC
information) is available to applications.
While at it, also enable 'trust-ad', as otherwise glibc (from version
2.31) strips the AD bit from responses [1].
systemd-resolved also adds both flags to resolv.conf when using the
stub resolver [2].
[1] https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=NEWS;h=12b239c1fbbe789114e59fed136efcdeecc5c9cd;hp=4e28dc473c844ef230e973fc8861bfbd4bc36b74;hb=446997ff1433d33452b81dfa9e626b8dccf101a4;hpb=4a2ab5843a5cc4a5db1b3b79916a520ea8b115dc
[2] https://github.com/systemd/systemd/blob/v246/src/resolve/resolved-resolv-conf.c#L310
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/233
https://bugzilla.redhat.com/show_bug.cgi?id=1878166
-rw-r--r-- | src/dns/nm-dns-manager.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/dns/nm-dns-manager.c b/src/dns/nm-dns-manager.c
index 635e94f69f..545ac31958 100644
--- a/src/dns/nm-dns-manager.c
+++ b/src/dns/nm-dns-manager.c
@@ -1585,6 +1585,9 @@ plugin_skip:;
 */
 if (caching) {
 const char *lladdr = "127.0.0.1";
+ gboolean need_edns0;
+ gboolean need_trust;
+ guint len;
 if (NM_IS_DNS_SYSTEMD_RESOLVED(priv->plugin)) {
 /* systemd-resolved uses a different link-local address */
@@ -1594,6 +1597,19 @@ plugin_skip:;
 g_strfreev(nameservers);
 nameservers = g_new0(char *, 2);
 nameservers[0] = g_strdup(lladdr);
+
+ need_edns0 = nm_utils_strv_find_first(options, -1, NM_SETTING_DNS_OPTION_EDNS0) < 0;
+ need_trust = nm_utils_strv_find_first(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD) < 0;
+
+ if (need_edns0 || need_trust) {
+ len = options ? g_strv_length(options) : 0;
+ options = g_realloc(options, sizeof(char *) * (len + 3));
+ if (need_edns0)
+ options[len++] = g_strdup(NM_SETTING_DNS_OPTION_EDNS0);
+ if (need_trust)
+ options[len++] = g_strdup(NM_SETTING_DNS_OPTION_TRUST_AD);
+ options[len] = NULL;
+ }
 }
 if (do_update) {
 |
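Review bot: Adding `trust-ad` in the second hunk is only acceptable because `nameservers` has just been replaced by the single local caching resolver (`lladdr`); glibc's `trust-ad` passes the AD bit of responses through to applications, which is only safe when every listed nameserver is a trusted validating resolver, so a later change that lets other servers into `nameservers` while these options stay would silently extend that trust to unvalidated upstreams. That coupling is not stated anywhere, so I would add above the `need_edns0` assignment: `/* trust-ad makes glibc believe the AD bit from the listed nameservers; only acceptable because nameservers was just restricted to the local caching resolver above */`. The reallocation could also use the typed helper, `options = g_renew(char *, options, len + 3);`, which checks the element-count multiplication and documents the element type, with a short `/* up to two new options + NULL terminator */` explaining the `+ 3`. The enclosing function starts and ends outside the hunk, so where `options` is allocated and freed cannot be confirmed from here; the `g_realloc` assumes it is heap-owned by this function.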