Hi,
From what I have understood, Unbound has EDNS0 enabled by default and only disables it if the upstream nameserver doesn't support it. However, I think it's disabled between local apps and Unbound (this is probably the wrong way to say it, but I hope you understand), because there is no "options edns0" in /etc/resolv.conf, and the user cannot enable it manually as dnssec-trigger overwrites it and even does chattr -/+i by itself.

I think it being disabled could break DNSSEC validation for some apps that do it by themselves, e.g. ssh (when verifying SSHFP records on a DNSSEC-signed zone).

man resolv.conf says:

```
options
       Options allows certain internal resolver variables to be modified.
       The syntax is

              options option ...

       where option is one of the following:

       <snip>

       edns0 (since glibc 2.6)
              Sets RES_USE_EDNS0 in _res.options. This enables support
              for the DNS extensions described in RFC 2671.
```

I originally reported this at Launchpad against the Ubuntu package <https://pad.lv/1534107>, but I think this should be fixed upstream if this is an issue (and I think it is).

PS. Sorry if I am wrong about this, but please let me know.
-- 
Mikaela Suomalainen
https://mikaela.info/
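The check behind this report, as an added example that is not part of the original mail or of dnssec-trigger: it inspects a glibc-style resolv.conf (path is an assumption; /etc/resolv.conf by default) for an "edns0" token on an "options" line, also honours the RES_OPTIONS environment variable that glibc reads, and reports whether the file carries the immutable attribute that chattr +i sets.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes a glibc-style
# resolv.conf: "options" lines may repeat and may carry several options,
# and comments start with '#' or ';'. lsattr is only needed for the
# immutable-attribute check.

# Returns 0 if an "options" line of the file carries the exact token "edns0".
resolv_edns0_enabled() {
    file="${1:-/etc/resolv.conf}"
    [ -r "$file" ] || return 1
    # Strip comments, keep only "options" lines, print one token per line,
    # then look for an exact "edns0" token (so "edns0-ish" does not match).
    sed -e 's/[#;].*$//' "$file" \
      | awk '$1 == "options" { for (i = 2; i <= NF; i++) print $i }' \
      | grep -qx 'edns0'
}

# Returns 0 if RES_OPTIONS (space-separated, read by glibc) enables edns0.
res_options_edns0_enabled() {
    for opt in ${RES_OPTIONS:-}; do
        [ "$opt" = "edns0" ] && return 0
    done
    return 1
}

# Returns 0 if the file has the immutable (i) attribute; needs lsattr.
resolv_immutable() {
    file="${1:-/etc/resolv.conf}"
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$file" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

main() {
    f="${1:-/etc/resolv.conf}"
    if resolv_edns0_enabled "$f" || res_options_edns0_enabled; then
        echo "EDNS0: enabled for the stub resolver ($f)"
    else
        echo "EDNS0: not set in $f (no 'options edns0') nor via RES_OPTIONS"
    fi
    if resolv_immutable "$f"; then
        echo "$f is immutable (chattr +i); edits fail until chattr -i"
    fi
}

main "$@"
```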
