Enable EDNS(0) when using local caching resolvers
When NetworkManager is configured to use a local caching resolver (dns=unbound), EDNS(0) should be enabled by adding options edns0 to the generated resolv.conf.
EDNS(0) is not enabled by default by libnss_dns, as some broken DNS server implementations (embedded in home gateways and so on) can have problems with it. However, the local caching resolvers supported by NM are known to have no such issues.
Enabling EDNS(0) has benefits. For example, it allows applications to know whether or not a response is valid according to DNSSEC.
In particular, OpenSSH requires EDNS(0) for verification of SSHFP host key fingerprint records. Without EDNS(0), it will consider any fingerprints found in DNS to be insecure and interactively prompt the user for confirmation (this can be tested with ssh -v -o VerifyHostKeyDNS=yes redpilllinpro01.ring.nlnog.net).
It's worth noting that EDNS(0) is enabled in resolv.conf files since v240 (commit).
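As an added illustration that is not part of this commit or of NetworkManager's or OpenSSH's code: the EDNS(0) OPT pseudo-record that a stub resolver appends to a query once options edns0 is in effect, carrying the DO bit that asks a validating resolver to report DNSSEC status, and the AD-flag check that an SSHFP-verifying client relies on. The query name reuses the host from the commit message; the response headers are constructed sample bytes.

```python
import secrets
import struct

# Constructed example, not NetworkManager or OpenSSH code.
DNS_OPT = 41          # OPT pseudo-RR type (RFC 6891)
EDNS_DO = 0x00008000  # DNSSEC OK bit in the OPT TTL field (RFC 3225)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, edns0, txid=None):
    """Build a recursive query; with edns0=True append an OPT RR with DO set."""
    txid = secrets.randbelow(1 << 16) if txid is None else txid
    arcount = 1 if edns0 else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if edns0:
        # root name, TYPE=OPT, CLASS=advertised UDP payload size,
        # TTL=extended rcode/version/flags (DO), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", DNS_OPT, 4096, EDNS_DO, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte header; works for both queries and responses."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "arcount": ar}


def dnssec_validated(response):
    """True only for a NOERROR answer with AD set, i.e. data the resolver
    validated. A client checking SSHFP records should trust DNS only on this
    signal; libnss_dns asks for it via the EDNS(0) OPT record (options edns0)."""
    h = parse_header(response)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


# Constructed response headers (the checks above only read the header):
# a validated answer (QR|RD|RA|AD) and the same answer without AD.
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
UNVALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("redpilllinpro01.ring.nlnog.net", 44, edns0=True)  # 44 = SSHFP
    print(q.hex(), "additional records:", parse_header(q)["arcount"])
    print(dnssec_validated(VALIDATED_REPLY), dnssec_validated(UNVALIDATED_REPLY))
```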