[Dnssec-trigger] edns0 between local apps and Unbound

Paul Wouters paul at nohats.ca
Fri Jan 15 15:03:17 UTC 2016

On Fri, 15 Jan 2016, Mikaela Suomalainen wrote:

> - From what I have understood Unbound has edns0 enabled by default and
> only disables it if the upstream nameserver doesn't support it.
> However I think it's disabled between local apps (this is probably
> wrong way to say it, but I hope you understand) and Unbound, because
> there is no "options edns0" in /etc/resolv.conf and user cannot enable
> it manually as dnssec-trigger overwrites it and even does chattr -/+i
> by itself.

That option is at most for glibc. Any other application using a dns
library should not be making decisions based on those options in

> I think it being disabled could break DNSSEC validation for some apps
> that do it by themselves, e.g. ssh (when verifying SSHFP records on
> DNSSEC-signed zone).

ssh is supposed to check the DO bit, so those queries have to use EDNS0.

I don't think dnssec-trigger should change resolv.conf options, other
then the "nameserver" entries.


More information about the dnssec-trigger mailing list