On Fri, 15 Jan 2016, Mikaela Suomalainen wrote:
> From what I have understood Unbound has edns0 enabled by default and
> only disables it if the upstream nameserver doesn't support it.
> However I think it's disabled between local apps (this is probably the
> wrong way to say it, but I hope you understand) and Unbound, because
> there is no "options edns0" in /etc/resolv.conf and user cannot enable
> it manually as dnssec-trigger overwrites it and even does chattr -/+i
> by itself.
That option is at most for glibc. Any other application using a dns
library should not be making decisions based on those options in
resolv.conf.
> I think it being disabled could break DNSSEC validation for some apps
> that do it by themselves, e.g. ssh (when verifying SSHFP records on
> DNSSEC-signed zone).
ssh is supposed to check the DO bit, so those queries have to use EDNS0.
I don't think dnssec-trigger should change resolv.conf options, other
than the "nameserver" entries.
Paul
_______________________________________________
dnssec-trigger mailing list
dnssec-trigger@NLnetLabs.nl
http://open.nlnetlabs.nl/mailman/listinfo/dnssec-trigger
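The thread turns on the link between EDNS0 and the DNSSEC DO bit, and on the AD-bit check a client such as ssh makes before trusting SSHFP data. The script below is an added example for this archive page; it is not code from the thread, from dnssec-trigger, Unbound or OpenSSH. It builds the same SSHFP query twice, once as a plain query and once with an EDNS0 OPT RR carrying DO=1, shows that without the OPT RR there is simply no field in which to set DO, and then applies the header check a client performs (is AD set?) to a constructed reply. The hostname host.example.net and the make_response() stand-in for a validating resolver are assumptions made for the example; nothing is sent on the network.

```python
"""Added example (not from the original thread, dnssec-trigger, Unbound or
OpenSSH): how a DO-bit query differs on the wire from a plain one, and the
AD-bit check a DNSSEC-aware client such as ssh performs on the reply.
All messages are constructed in this file; nothing touches the network."""
import struct

TYPE_OPT = 41    # EDNS0 OPT pseudo-RR (RFC 6891)
TYPE_SSHFP = 44  # SSHFP record type (RFC 4255)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
DO_BIT = 0x8000  # DO lives in the OPT RR's TTL field (top bit of the low 16)


def _encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int, dnssec_ok: bool, txid: int = 0x1234) -> bytes:
    """Plain query, or one that also carries an EDNS0 OPT RR with DO set.
    Without the OPT RR there is no place to signal DO: that is the dependency
    between EDNS0 and DNSSEC the thread is about."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += _encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if dnssec_ok:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE | version | DO | Z, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer terminates the name
            return off + 2
        off += 1 + length


def has_do_bit(msg: bytes) -> bool:
    """Walk the sections and report whether the additional section holds an
    OPT RR with DO=1."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if i >= an + ns and rtype == TYPE_OPT and ttl & DO_BIT:
            return True
        off += 10 + rdlen
    return False


def make_response(query: bytes, validated: bool) -> bytes:
    """Constructed stand-in for a validating resolver's reply (assumption, not
    Unbound's behaviour): same question, QR/RA set, AD set only when the
    resolver validated the answer. A real reply would also echo an OPT RR and
    carry answer records; they are omitted because only the header matters
    for the client-side check below."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(query, off) + 4
    flags |= FLAG_QR | FLAG_RA
    if validated:
        flags |= FLAG_AD
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:off]


def resolver_validated(response: bytes) -> bool:
    """The decision a DNSSEC-aware client makes before trusting SSHFP data:
    is the AD bit set in the response header?"""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & FLAG_AD)


if __name__ == "__main__":
    plain = build_query("host.example.net", TYPE_SSHFP, dnssec_ok=False)
    do = build_query("host.example.net", TYPE_SSHFP, dnssec_ok=True)
    print("plain query carries DO:", has_do_bit(plain))
    print("EDNS0 query carries DO:", has_do_bit(do),
          "(OPT RR adds %d bytes)" % (len(do) - len(plain)))
    print("client sees AD on validated reply:",
          resolver_validated(make_response(do, validated=True)))
    print("client sees AD on unvalidated reply:",
          resolver_validated(make_response(plain, validated=False)))
```

Two practical notes for anyone checking this on a glibc system. First, glibc honours the RES_OPTIONS environment variable, so `RES_OPTIONS=edns0 ssh host.example.net` turns EDNS0 on for that process even when /etc/resolv.conf is locked down with chattr +i. Second, portable OpenSSH's compatibility getrrsetbyname() in openbsd-compat/getrrsetbyname.c only switches on RES_USE_DNSSEC when RES_USE_EDNS0 is already set by the resolver configuration, so on such systems the "options edns0" setting (or RES_OPTIONS) is exactly what gates whether ssh's SSHFP lookups carry DO and can ever see AD.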