path: root/src/resolve/resolved-resolv-conf.c
author: Tore Anderson <tore@fud.no> 2018-12-17 09:15:59 +0100
committer: Lennart Poettering <lennart@poettering.net> 2018-12-17 15:15:18 +0100
commit: 93158c77bc69fde7cf5cff733617631c1e566fe8 (patch)
tree: 3d40b18526f404029ec0c2939c3dd976afa0e23b /src/resolve/resolved-resolv-conf.c
parent: bce48452b8ef751be96856d8ef253ee51267ffc7 (diff)
download: systemd-93158c77bc69fde7cf5cff733617631c1e566fe8.tar.gz
resolve: enable EDNS0 towards the 127.0.0.53 stub resolver
This appears to be necessary for client software to ensure the response data is validated with DNSSEC. For example, `ssh -v -o VerifyHostKeyDNS=yes -o StrictHostKeyChecking=yes redpilllinpro01.ring.nlnog.net` fails if EDNS0 is not enabled. The debugging output reveals that the `SSHFP` records were found in DNS, but were considered insecure.

Note that the patch intentionally does *not* enable EDNS0 in the `/run/systemd/resolve/resolv.conf` file (the one that contains `nameserver` entries for the upstream DNS servers), as it is impossible to know for certain that all the upstream DNS servers handle EDNS0 correctly.
Diffstat (limited to 'src/resolve/resolved-resolv-conf.c')
-rw-r--r-- src/resolve/resolved-resolv-conf.c | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/resolve/resolved-resolv-conf.c b/src/resolve/resolved-resolv-conf.c
index ad47d13d23..5fcd59d876 100644
--- a/src/resolve/resolved-resolv-conf.c
+++ b/src/resolve/resolved-resolv-conf.c
@@ -321,7 +321,8 @@ static int write_stub_resolv_conf_contents(FILE *f, OrderedSet *dns, OrderedSet
"# See man:systemd-resolved.service(8) for details about the supported modes of\n"
"# operation for /etc/resolv.conf.\n"
"\n"
- "nameserver 127.0.0.53\n", f);
+ "nameserver 127.0.0.53\n"
+ "options edns0\n", f);
if (!ordered_set_isempty(domains))
write_resolv_conf_search(domains, f);
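Review bot: the generated stub file gains an `options edns0` line without any accompanying comment, while the header comment just above it only explains the modes of operation and points at man:systemd-resolved.service(8); since the reason lives only in the commit message, consider adding a comment line before `"options edns0\n"` stating that EDNS0 is enabled here so that local clients can treat DNSSEC-validated answers from the 127.0.0.53 stub as secure, and that the upstream resolv.conf deliberately does not get this option. The referenced man page describes the stub file's contents, so check that it still matches the new output.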