author | Tore Anderson <tore@fud.no> | 2018-12-17 09:15:59 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2018-12-17 15:15:18 +0100 |
commit | 93158c77bc69fde7cf5cff733617631c1e566fe8 (patch) | |
tree | 3d40b18526f404029ec0c2939c3dd976afa0e23b /src/resolve/resolv.conf | |
parent | bce48452b8ef751be96856d8ef253ee51267ffc7 (diff) | |
download | systemd-93158c77bc69fde7cf5cff733617631c1e566fe8.tar.gz |
resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
This appears to be necessary for client software to ensure the response data
is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o
StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is
not enabled. The debugging output reveals that the `SSHFP` records were
found in DNS, but were considered insecure.
Note that the patch intentionally does *not* enable EDNS0 in the
`/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver`
entries for the upstream DNS servers), as it is impossible to know for
certain that all the upstream DNS servers handle EDNS0 correctly.
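To make the wire-level difference behind this commit concrete, the following is an added example (not code from systemd, OpenSSH or the commit author). It builds an SSHFP query with and without an EDNS0 OPT record, using only the Python standard library, and runs both through a constructed stand-in for a validating stub resolver whose behaviour is modelled on RFC 6840 section 5.8 (the AD flag is only set when the client signalled DO). The hostname is taken from the commit message; the SSHFP fingerprint, the transaction ID and the resolver model are assumptions made for the example.

```python
"""Added example: what `options edns0` changes on the wire.

Not systemd's or OpenSSH's code.  The stub resolver below is a constructed
model (RFC 6840 s5.8: a validating resolver sets AD only when the query
carried the DO bit, which needs an EDNS0 OPT record to exist at all).
"""
import struct

TYPE_SSHFP, TYPE_OPT, CLASS_IN = 44, 41, 1
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020
EDNS_DO = 0x8000  # the DO bit is the high bit of the OPT RR's TTL field (RFC 6891)


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(qname: str, qtype: int, edns0: bool, dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """RFC 1035 query; with edns0=True an OPT RR (carrying DO) goes in the additional section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns0 else 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns0:
        # OPT RR: NAME=<root>, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt


def find_opt(pkt: bytes):
    """Return (udp_payload_size, do_bit) for the OPT RR in pkt, or None if there is no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO)
        off += rdlen
    return None


def sshfp_rr(name: str, algorithm: int, fp_type: int, fingerprint: bytes, ttl: int = 300) -> bytes:
    """SSHFP RR (RFC 4255): rdata is algorithm, fingerprint type, fingerprint."""
    rdata = bytes([algorithm, fp_type]) + fingerprint
    return _encode_name(name) + struct.pack("!HHIH", TYPE_SSHFP, CLASS_IN, ttl, len(rdata)) + rdata


def stub_resolver(query: bytes, answers: list, validated: bool) -> bytes:
    """Constructed validating stub: knows the answers validated, but per RFC 6840 s5.8
    only tells the client so (AD flag) if the query signalled DO."""
    txid, flags, qd, _, _, ar = struct.unpack_from("!HHHHHH", query, 0)
    qend = 12
    for _ in range(qd):
        qend = _skip_name(query, qend) + 4
    opt = find_opt(query)
    flags |= FLAG_QR
    if validated and opt is not None and opt[1]:
        flags |= FLAG_AD
    header = struct.pack("!HHHHHH", txid, flags, qd, len(answers), 0, ar)
    # echo the question, append the answers, echo the client's OPT RR (if any)
    return header + query[12:qend] + b"".join(answers) + query[qend:]


def client_verdict(response: bytes) -> str:
    """What an SSHFP-checking client sees: 'secure' only if AD is set (cf. ssh VerifyHostKeyDNS)."""
    (flags,) = struct.unpack_from("!H", response, 2)
    return "secure" if flags & FLAG_AD else "insecure"


def demo(edns0: bool) -> dict:
    host = "redpilllinpro01.ring.nlnog.net"  # host from the commit message
    fingerprint = bytes(range(32))  # constructed placeholder SHA-256 fingerprint, not the real one
    query = build_query(host, TYPE_SSHFP, edns0=edns0)
    response = stub_resolver(query, [sshfp_rr(host, 4, 2, fingerprint)], validated=True)
    opt = find_opt(query)
    return {"query_has_opt": opt is not None, "do_bit": bool(opt and opt[1]), "verdict": client_verdict(response)}


if __name__ == "__main__":
    for enabled in (False, True):
        print("options edns0" if enabled else "no edns0     ", demo(enabled))
```

Running it shows the failure mode from the commit message: without `options edns0` the query has no OPT record, so it cannot carry DO, the stub answers with the SSHFP data but without AD, and the client classifies the records as insecure even though the resolver did validate them. With the option the same answer arrives with AD set.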
Diffstat (limited to 'src/resolve/resolv.conf')
-rw-r--r-- | src/resolve/resolv.conf | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/resolve/resolv.conf b/src/resolve/resolv.conf index ffc460dbf2..c3079aca1d 100644 --- a/src/resolve/resolv.conf +++ b/src/resolve/resolv.conf @@ -15,3 +15,4 @@ # operation for /etc/resolv.conf. nameserver 127.0.0.53 +options edns0 |
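Review bot: the reason for `+options edns0` is documented only in the commit message, while the file itself already carries an explanatory comment block (the context line `# operation for /etc/resolv.conf.` is its tail), so the option should get a comment of its own, for example `# EDNS0 is needed so clients can see the DNSSEC validation status of the stub's answers` followed by `# (this is deliberately not set in /run/systemd/resolve/resolv.conf, which lists upstream servers)`. Without that, a future cleanup is likely to drop an unexplained one-line option and silently reintroduce the `VerifyHostKeyDNS` regression described above; the `ssh -v -o VerifyHostKeyDNS=yes` check from the commit message is the natural regression test to cite in that comment.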