From mikaela at mikaela.info Fri Jan 15 08:03:57 2016
From: mikaela at mikaela.info (Mikaela Suomalainen)
Date: Fri, 15 Jan 2016 10:03:57 +0200
Subject: [Dnssec-trigger] edns0 between local apps and Unbound
Message-ID: <20160115100357.458423c5@sedric>

Hi,

From what I have understood Unbound has edns0 enabled by default and only disables it if the upstream nameserver doesn't support it.

However I think it's disabled between local apps (this is probably the wrong way to say it, but I hope you understand) and Unbound, because there is no "options edns0" in /etc/resolv.conf and the user cannot enable it manually as dnssec-trigger overwrites it and even does chattr -/+i by itself.

I think it being disabled could break DNSSEC validation for some apps that do it by themselves, e.g. ssh (when verifying SSHFP records on a DNSSEC-signed zone).

man resolv.conf says:

```
options
       Options allows certain internal resolver variables to be modified.
       The syntax is

              options option ...

       where option is one of the following:

       edns0 (since glibc 2.6)
              Sets RES_USE_EDNSO in _res.options.  This enables support
              for the DNS extensions described in RFC 2671.
```

I originally reported this at Launchpad against the Ubuntu package, but I think this should be fixed upstream if this is an issue (and I think it is).

PS. Sorry if I am wrong about this, but please let me know.
--
Mikaela Suomalainen
https://mikaela.info/

From paul at nohats.ca Fri Jan 15 15:03:17 2016
From: paul at nohats.ca (Paul Wouters)
Date: Fri, 15 Jan 2016 10:03:17 -0500 (EST)
Subject: [Dnssec-trigger] edns0 between local apps and Unbound
In-Reply-To: <20160115100357.458423c5@sedric>
References: <20160115100357.458423c5@sedric>
Message-ID:

On Fri, 15 Jan 2016, Mikaela Suomalainen wrote:

> From what I have understood Unbound has edns0 enabled by default and
> only disables it if the upstream nameserver doesn't support it.
>
> However I think it's disabled between local apps (this is probably
> the wrong way to say it, but I hope you understand) and Unbound, because
> there is no "options edns0" in /etc/resolv.conf and the user cannot enable
> it manually as dnssec-trigger overwrites it and even does chattr -/+i
> by itself.

That option is at most for glibc. Any other application using a DNS library should not be making decisions based on those options in resolv.conf.
> I think it being disabled could break DNSSEC validation for some apps
> that do it by themselves, e.g. ssh (when verifying SSHFP records on
> a DNSSEC-signed zone).

ssh is supposed to check the DO bit, so those queries have to use EDNS0.

I don't think dnssec-trigger should change resolv.conf options, other than the "nameserver" entries.

Paul
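The point in the thread is that "EDNS0" and the DO bit are properties of the query an application (or its DNS library) puts on the wire, not of /etc/resolv.conf, which only steers glibc's stub resolver. The following script is an added example written for this page, not code from the thread, from Unbound or from OpenSSH: it builds an SSHFP query carrying an EDNS0 OPT pseudo-record with the DO bit set, then parses a constructed response (standing in for what a validating resolver such as Unbound on loopback would return) and reads the AD flag. Function names (`build_query`, `build_response`, `parse_message`, `validated_answer`) and the sample host name are assumptions of this example; the bit layout follows RFC 6891 (OPT record) and RFC 4035 (DO/AD flags).

```python
"""Show where EDNS0 and the DO bit live in a DNS message, and how a client
reads the AD flag back. Added example; not from the mailing-list thread."""
import struct

TYPE_OPT = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
TYPE_SSHFP = 44    # SSHFP record type (what ssh looks up)
EDNS_DO = 0x8000   # DO bit: top bit of the 16-bit flags half of the OPT "TTL" field
FLAG_AD = 0x0020   # AD (authenticated data) bit in the DNS header flags

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_name(data, off):
    """Decode a name at offset `off`, following one level of compression pointers."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            rest, _ = parse_name(data, ptr)
            return ".".join(labels + [rest.rstrip(".")]) + ".", off + 2
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_query(qname, qtype, txid=0x1234, edns0=True, do=True, udp_size=4096):
    """Query with RD set; when edns0=True append an OPT RR in the additional section."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    pkt = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns0:
        # OPT RR: root name, type 41, "class" = UDP payload size,
        # "ttl" = ext-rcode(8) | version(8) | DO(1) | Z(15), rdlen 0.
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return pkt

def build_response(query, sshfp_rdata=b"\x01\x01" + b"\xab" * 20):
    """Constructed reply: one SSHFP answer, AD set, DO echoed in the OPT RR.
    Stands in for a validating resolver; the rdata is a made-up fingerprint."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = parse_name(query, 12)
    question = query[12:qend + 4]
    rflags = 0x8000 | 0x0100 | 0x0080 | FLAG_AD        # QR, RD, RA, AD
    answer = (b"\xc0\x0c"                                # pointer to the question name
              + struct.pack("!HHIH", TYPE_SSHFP, 1, 300, len(sshfp_rdata)) + sshfp_rdata)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 1) + question + answer + opt

def parse_message(data):
    """Return header flags of interest plus whether an OPT RR (and DO) is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(data, off)
        off += 4                                         # qtype + qclass
    info = {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "edns0": False, "do": False, "answers": 0}
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            _, off = parse_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info["edns0"] = True
                info["do"] = bool(ttl & EDNS_DO)
            elif section == "an":
                info["answers"] += 1
    return info

def validated_answer(query, response):
    """True only if we asked with DO and got a matching, NOERROR answer with AD set."""
    q, r = parse_message(query), parse_message(response)
    return (q["do"] and r["id"] == q["id"] and r["rcode"] == 0
            and r["ad"] and r["answers"] > 0)

if __name__ == "__main__":
    q = build_query("host.example.", TYPE_SSHFP)
    r = build_response(q)
    print("query:", parse_message(q))
    print("reply:", parse_message(r))
    print("validated:", validated_answer(q, r))
```

A query built without the OPT record (`edns0=False`) carries no DO bit, so a validating resolver has no signal that the client wants DNSSEC-aware handling; that is the wire-level fact behind "those queries have to use EDNS0". The AD flag is only worth acting on when the hop to the validating resolver is trusted, which is the situation the thread assumes with Unbound on the local host.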