dns: add edns0 and trust-ad options when using local resolver

EDNS(0) is not enabled by default in glibc because the option has
interoperability issues with some DNS servers. dnsmasq and
systemd-resolved don't have such problems.

Enable the option automatically when using a local resolver so that
the data provided via EDNS(0) (e.g. SSH fingerprints or DNSSEC
information) is available to applications.

While at it, also enable 'trust-ad', as otherwise glibc (from version
2.31) strips the AD bit from responses [1].

systemd-resolved also adds both flags to resolv.conf when using the
stub resolver [2].

[1] https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=NEWS;h=12b239c1fbbe789114e59fed136efcdeecc5c9cd;hp=4e28dc473c844ef230e973fc8861bfbd4bc36b74;hb=446997ff1433d33452b81dfa9e626b8dccf101a4;hpb=4a2ab5843a5cc4a5db1b3b79916a520ea8b115dc
[2] https://github.com/systemd/systemd/blob/v246/src/resolve/resolved-resolv-conf.c#L310

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/233
https://bugzilla.redhat.com/show_bug.cgi?id=1878166
This commit is contained in:
Beniamino Galvani
2020-10-09 06:21:32 +02:00
parent 3093a0073b
commit f91a8ef332

View File

@@ -1585,6 +1585,9 @@ plugin_skip:;
*/
if (caching) {
const char *lladdr = "127.0.0.1";
gboolean need_edns0;
gboolean need_trust;
guint len;
if (NM_IS_DNS_SYSTEMD_RESOLVED(priv->plugin)) {
/* systemd-resolved uses a different link-local address */
@@ -1594,6 +1597,19 @@ plugin_skip:;
g_strfreev(nameservers);
nameservers = g_new0(char *, 2);
nameservers[0] = g_strdup(lladdr);
need_edns0 = nm_utils_strv_find_first(options, -1, NM_SETTING_DNS_OPTION_EDNS0) < 0;
need_trust = nm_utils_strv_find_first(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD) < 0;
if (need_edns0 || need_trust) {
len = options ? g_strv_length(options) : 0;
options = g_realloc(options, sizeof(char *) * (len + 3));
if (need_edns0)
options[len++] = g_strdup(NM_SETTING_DNS_OPTION_EDNS0);
if (need_trust)
options[len++] = g_strdup(NM_SETTING_DNS_OPTION_TRUST_AD);
options[len] = NULL;
}
}
if (do_update) {