GitLab

When NetworkManager is configured up to use a local caching resolver (dns=dnsmasq, dns=systemd-resolved or dns=unbound), EDNS(0) should be enabled by adding options edns0 to the generated /etc/resolv.conf file.

EDNS(0) is not enabled by default by libnss_dns, as some broken DNS server implementations (embedded in home gateways and so on) can have problems with it. However, the local caching resolvers supported by NM are known to have no such issues.

Enabling EDNS(0) has benefits. For example, it allows applications that are interested in knowing whether or not a response is valid according to DNSSEC.

In particular, OpenSSH requires EDNS(0) for verification of SSHFP host key fingerprint records. Without EDNS(0), it will consider any fingerprints found in DNS to be insecure and interactively prompt the user for confirmation (this can be tested with ssh -v -o VerifyHostKeyDNS=yes redpilllinpro01.ring.nlnog.net).

It's worth noting that EDNS(0) is enabled in systemd-resolved's stub resolv.conf files since v240 (commit).