Enable EDNS(0) when using local caching resolvers
When NetworkManager is configured to use a local caching resolver (`dns=dnsmasq`, `dns=systemd-resolved` or `dns=unbound`), EDNS(0) should be enabled by adding `options edns0` to the generated `/etc/resolv.conf` file.
EDNS(0) is not enabled by default by `libnss_dns`, as some broken DNS server implementations (embedded in home gateways and so on) can have problems with it. However, the local caching resolvers supported by NM are known to have no such issues.
Enabling EDNS(0) has benefits beyond larger UDP responses. For example, the DNSSEC OK (DO) bit is carried in the EDNS(0) OPT pseudo-record, so only with EDNS(0) can an application ask a validating resolver for DNSSEC-aware answers and then tell from the Authenticated Data (AD) flag whether a response was validated.
In particular, OpenSSH requires EDNS(0) for verification of `SSHFP` host key fingerprint records. Without EDNS(0), it will consider any fingerprints found in DNS to be insecure and interactively prompt the user for confirmation (this can be tested with `ssh -v -o VerifyHostKeyDNS=yes redpilllinpro01.ring.nlnog.net`). Note that on glibc 2.31 and later the stub resolver also clears the AD flag in responses unless `options trust-ad` is set (or the application sets `RES_TRUSTAD` itself), so an application that relies on AD needs that option as well.
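The following is an added example, not code from this report or from NetworkManager, showing what `options edns0` changes on the wire and what the SSHFP check above depends on: it builds an SSHFP query with and without the EDNS(0) OPT pseudo-record (root name, TYPE 41, UDP payload size in the CLASS field, DO bit at the top of the TTL field), checks the AD flag in a reply, and checks a `resolv.conf` text for the `edns0` token. The reply is constructed inline, not captured from a resolver; the host name is the one used in the test above and the 1232-byte UDP size is an assumed default.

```python
"""Added example: EDNS(0) on the wire and the AD check an SSHFP consumer needs."""
import struct

SSHFP = 44          # RR type for SSHFP host-key fingerprints (RFC 4255)
OPT = 41            # EDNS(0) OPT pseudo-RR type (RFC 6891)
FLAG_AD = 0x0020    # Authenticated Data bit in the DNS header flags
HOST = "redpilllinpro01.ring.nlnog.net"   # host used in the ssh test above


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def question_section(name, qtype=SSHFP):
    return encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def build_query(name, qtype=SSHFP, txid=0x1234, edns0=True, dnssec_ok=True, udp_size=1232):
    """Build a DNS query. With edns0=True an OPT pseudo-RR goes in the additional
    section (this is what `options edns0` makes the stub resolver do); dnssec_ok
    sets its DO bit, asking a validating resolver for DNSSEC-aware answers."""
    arcount = 1 if edns0 else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    packet = header + question_section(name, qtype)
    if not edns0:
        return packet
    ttl = (1 << 15) if dnssec_ok else 0   # DO is bit 15 of the 32-bit TTL field
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)  # root name, no RDATA
    return packet + opt


def parse_header(packet):
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}


def query_has_edns0(packet):
    """True if the query ends in an OPT pseudo-RR (assumes the empty-RDATA OPT
    built above sits last: 1-byte root name + 10 bytes of fixed fields)."""
    if parse_header(packet)["arcount"] == 0:
        return False
    rtype, = struct.unpack_from("!H", packet, len(packet) - 10)
    return packet[-11] == 0 and rtype == OPT


def query_requests_dnssec(packet):
    """True if the trailing OPT record carries the DO bit."""
    if not query_has_edns0(packet):
        return False
    ttl, = struct.unpack_from("!I", packet, len(packet) - 6)
    return bool(ttl & (1 << 15))


def fingerprints_are_secure(response):
    """What an SSHFP consumer should require before trusting DNS fingerprints:
    a successful answer on which the validating resolver set AD."""
    h = parse_header(response)
    return h["qr"] and h["rcode"] == 0 and h["ancount"] > 0 and h["ad"]


def constructed_response(name, txid=0x1234, ad=True):
    """Constructed reply (not a real capture): echoes the question and adds one
    SSHFP answer (algorithm 4 = Ed25519, fingerprint type 2 = SHA-256, dummy
    32-byte digest); `ad` controls the AD flag the resolver would set."""
    flags = 0x8180 | (FLAG_AD if ad else 0)   # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    digest = b"\x11" * 32
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SSHFP, 1, 3600, 2 + len(digest))
    answer += bytes([4, 2]) + digest
    return header + question_section(name) + answer


def resolv_conf_enables_edns0(text):
    """True if an uncommented `options` line of resolv.conf text lists edns0."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == "options" and "edns0" in parts[1:]:
            return True
    return False


if __name__ == "__main__":
    q = build_query(HOST)
    print("EDNS(0):", query_has_edns0(q), "DO:", query_requests_dnssec(q))
    print("secure fingerprints:", fingerprints_are_secure(constructed_response(HOST)))
```

Without the OPT record there is no place to set DO, so a resolver has nothing to answer with AD, which is exactly why `ssh` downgrades the fingerprints to "insecure" when `options edns0` is missing.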
It's worth noting that EDNS(0) is enabled in `systemd-resolved`'s stub `resolv.conf` files since v240 (commit).