From mikaela at mikaela.info  Fri Jan 15 08:03:57 2016
From: mikaela at mikaela.info (Mikaela Suomalainen)
Date: Fri, 15 Jan 2016 10:03:57 +0200
Subject: [Dnssec-trigger] edns0 between local apps and Unbound
Message-ID: <20160115100357.458423c5@sedric>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

- From what I have understood Unbound has edns0 enabled by default and
only disables it if the upstream nameserver doesn't support it.

However I think it's disabled between local apps (this is probably
wrong way to say it, but I hope you understand) and Unbound, because
there is no "options edns0" in /etc/resolv.conf and user cannot enable
it manually as dnssec-trigger overwrites it and even does chattr -/+i
by itself.

I think it being disabled could break DNSSEC validation for some apps
that do it by themselves, e.g. ssh (when verifying SSHFP records on
DNSSEC-signed zone).

man resolv.conf says:

```
options
Options allows certain internal resolver variables to
be  modi? fied.  The syntax is

options option ...

where option is one of the following:

<snip>

edns0 (since glibc 2.6)
Sets RES_USE_EDNSO in _res.options.  This enables
support for the DNS extensions described in RFC 2671.
```

I originally reported this at Launchpad against the Ubuntu package
<https://pad.lv/1534107>, but I think this should be fixed upstream if
this is an issue (and I think it is).

PS. Sorry if I am wrong about this, but please let me know.

- -- 
Mikaela Suomalainen
https://mikaela.info/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Homepage: https://mikaela.info/
Comment: Fingerprint = 2910 4A46 C561 5BF9 78A0 83F2 0C20 7F07 B2F3 2B67

iQIcBAEBCgAGBQJWmKftAAoJEAwgfwey8ytnwGUP/0lIwXLJ8yqqfRvxqicdTC05
hdeLL3aHvmQsOG33yWOhtq2yw/nYfuuxfg5/BGtkDMm//Q6djwCKfJ+AMt/VoGBY
WmJSplcRjXAY3lCWYb6rxHm3a/XsRY33Q+K2BO/WamL6thJQBzIqeR4NwDmwGBX/
9ttulJnCYCoqJlnFVXKp8Q62HOpLrj1pajB5E0rqflEQ8T/J7H67dZx0GkDMxEEE
lh2lzBM22GKJxLAanFag94ZtYJZKFzcMrstu8nlF612ODVIVc+DgDAX5TnmbcaG7
YanKvkdaVc/OueDAu/yQYM5JaKq0f/PDFXkwo7tK6BrhqMWNekB76W0AlFxMV8dw
PkXLHTFgBPoMJuCSYbLsuNkof87Ju6FckeRbxXbPK35DXdxz2bDYsgb4QE4WdxDm
Xe4fdj0WxydZBE+NoQLxSzzMVHSlxF+iHtTdieowZzSSQzX+SNfJf34wA0KMEFla
kf8bfxpY/XpelPG2NY7W7XyVw6EUTlCtov3yLWtFBTnFdOA4SfuRsN8n9bo3bg7V
ngKICLAv/OApK9Se/xCS43UnOqBhGH69gynN+BZsJ5P03DvXyTAozVSb1h7L1TwC
IpUsmjgy/6s38a4D1PcEFaIwACSYrXkz0o3t6zIAUMItPSqabj+DP//AkIt903Z6
Yu86rSAHaviWAQj1746k
=oFM1
-----END PGP SIGNATURE-----

From paul at nohats.ca  Fri Jan 15 15:03:17 2016
From: paul at nohats.ca (Paul Wouters)
Date: Fri, 15 Jan 2016 10:03:17 -0500 (EST)
Subject: [Dnssec-trigger] edns0 between local apps and Unbound
In-Reply-To: <20160115100357.458423c5@sedric>
References: <20160115100357.458423c5@sedric>
Message-ID: <alpine.LFD.2.20.1601151001250.7527@bofh.nohats.ca>

On Fri, 15 Jan 2016, Mikaela Suomalainen wrote:

> - From what I have understood Unbound has edns0 enabled by default and
> only disables it if the upstream nameserver doesn't support it.
>
> However I think it's disabled between local apps (this is probably
> wrong way to say it, but I hope you understand) and Unbound, because
> there is no "options edns0" in /etc/resolv.conf and user cannot enable
> it manually as dnssec-trigger overwrites it and even does chattr -/+i
> by itself.

That option is at most for glibc. Any other application using a dns
library should not be making decisions based on those options in
resolv.conf.

> I think it being disabled could break DNSSEC validation for some apps
> that do it by themselves, e.g. ssh (when verifying SSHFP records on
> DNSSEC-signed zone).

ssh is supposed to check the DO bit, so those queries have to use EDNS0.

I don't think dnssec-trigger should change resolv.conf options, other
then the "nameserver" entries.

Paul