[Dnssec-trigger] edns0 between local apps and Unbound
Paul Wouters
paul at nohats.ca
Fri Jan 15 15:03:17 UTC 2016
On Fri, 15 Jan 2016, Mikaela Suomalainen wrote:
> From what I have understood Unbound has edns0 enabled by default and
> only disables it if the upstream nameserver doesn't support it.
>
> However I think it's disabled between local apps (this is probably
> wrong way to say it, but I hope you understand) and Unbound, because
> there is no "options edns0" in /etc/resolv.conf and user cannot enable
> it manually as dnssec-trigger overwrites it and even does chattr -/+i
> by itself.
That option is at most for glibc. Any other application using a dns
library should not be making decisions based on those options in
resolv.conf.
> I think it being disabled could break DNSSEC validation for some apps
> that do it by themselves, e.g. ssh (when verifying SSHFP records on
> DNSSEC-signed zone).
ssh is supposed to check the DO bit, so those queries have to use EDNS0.
I don't think dnssec-trigger should change resolv.conf options, other
than the "nameserver" entries.
Paul
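The point above is that EDNS0 and the DO bit are properties of the individual query an application's resolver library puts on the wire, not a global switch flipped by resolv.conf; "options edns0" only tells glibc's stub resolver to add an OPT record. The following is an added example (not code from this thread, from dnssec-trigger or from Unbound) that builds a raw DNS query for an SSHFP record with and without an EDNS0 OPT pseudo-RR and DO bit, then parses the packet back to show what a validating resolver would actually see. The query name "example.com" and transaction id are constructed sample input; the OPT layout follows RFC 6891 (TYPE 41, CLASS carrying the UDP payload size, DO as the top bit of the TTL field).

```python
import struct

TYPE_SSHFP = 44   # RR type number for SSHFP
TYPE_OPT = 41     # EDNS0 OPT pseudo-RR
DO_BIT = 0x8000   # DNSSEC OK: bit 15 of the OPT TTL field (RFC 6891 section 6.1.4)


def encode_name(name):
    """Encode a dotted name into DNS wire labels, terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, edns0=True, do=True, udp_payload=4096, txid=0x1234):
    """Build a DNS query; optionally append an OPT record (EDNS0) with the DO bit.

    Without the OPT record there is no EDNS0, so there is nowhere to carry DO
    and a resolver will not return RRSIGs or honour DNSSEC OK semantics.
    """
    arcount = 1 if edns0 else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD only
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)      # class IN
    opt = b""
    if edns0:
        ttl = DO_BIT if do else 0   # ext-rcode=0, version=0, DO flag, Z=0
        # NAME=root, TYPE=OPT, CLASS=payload size, TTL=flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, ttl, 0)
    return header + question + opt


def parse_name(buf, off):
    """Decode a wire name starting at off; handles compression pointers."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(buf, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def inspect_query(buf):
    """Report what a resolver sees: questions, whether EDNS0 is present, DO, payload size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = parse_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    result = {"txid": txid, "questions": questions,
              "edns0": False, "do": False, "udp_payload": 512}  # 512 = classic DNS limit
    for _ in range(an + ns + ar):
        name, off = parse_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["edns0"] = True
            result["udp_payload"] = rclass
            result["do"] = bool(ttl & DO_BIT)
    return result


if __name__ == "__main__":
    for label, q in (("with EDNS0+DO", build_query("example.com", TYPE_SSHFP)),
                     ("EDNS0, no DO", build_query("example.com", TYPE_SSHFP, do=False)),
                     ("no EDNS0", build_query("example.com", TYPE_SSHFP, edns0=False))):
        print(label, inspect_query(q))
```

Running the module shows that only the first query carries DO; the query without an OPT record cannot ask for DNSSEC data at all, which is why an application that validates SSHFP itself must make its own library add EDNS0 regardless of what resolv.conf says.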