resolve: enable EDNS0 towards the 127.0.0.53 stub resolver

This appears to be necessary for client software to ensure the reponse data is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is not enabled. The debugging output reveals that the `SSHFP` records were found in DNS, but were considered insecure. Note that the patch intentionally does *not* enable EDNS0 in the `/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver` entries for the upstream DNS servers), as it is impossible to know for certain that all the upstream DNS servers handles EDNS0 correctly.
author: Tore Anderson <tore@fud.no> 2018-12-17 09:15:59 +0100
committer: Lennart Poettering <lennart@poettering.net> 2018-12-17 15:15:18 +0100
commit: 93158c77bc69fde7cf5cff733617631c1e566fe8 (patch)
tree: 3d40b18526f404029ec0c2939c3dd976afa0e23b /src/resolve/resolv.conf
parent: bce48452b8ef751be96856d8ef253ee51267ffc7 (diff)
download: systemd-93158c77bc69fde7cf5cff733617631c1e566fe8.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/src/resolve/resolv.conf b/src/resolve/resolv.conf
index ffc460dbf2..c3079aca1d 100644
--- a/src/resolve/resolv.conf
+++ b/src/resolve/resolv.conf
@@ -15,3 +15,4 @@
 # operation for /etc/resolv.conf.
 
 nameserver 127.0.0.53
+options edns0
author	Tore Anderson <tore@fud.no>	2018-12-17 09:15:59 +0100
committer	Lennart Poettering <lennart@poettering.net>	2018-12-17 15:15:18 +0100
commit	93158c77bc69fde7cf5cff733617631c1e566fe8 (patch)
tree	3d40b18526f404029ec0c2939c3dd976afa0e23b /src/resolve/resolv.conf
parent	bce48452b8ef751be96856d8ef253ee51267ffc7 (diff)
download	systemd-93158c77bc69fde7cf5cff733617631c1e566fe8.tar.gz