authorLennart Poettering <lennart@poettering.net>2016-02-15 18:40:02 +0100
committerLennart Poettering <lennart@poettering.net>2016-02-16 15:22:05 +0100
commit61ecb465b1c803316cb55bae0c2d7cf3c0008589 (patch)
tree4ff4d283b4a55458a2107b8484cbbfd991c8d523 /configure.ac
parent6043679c6ec485a96926f07c26d77f2c0c246fe2 (diff)
resolved: turn on DNSSEC by default, unless configured otherwise
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to "allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled by default, add a configure switch to disable this again. DNSSEC in "allow-downgrade" mode should mostly work without affecting user experience. There's one exception: some captive portal systems rewrite DNS in order to redirect HTTP traffic to the captive portal. If these systems implement DNS servers that are otherwise DNSSEC-capable (which in fact is pretty unlikely, but still...), then this will result in the captive portal being inaccessible. To fix this, support in NetworkManager (or any other network management solution that does captive portal detection) is required, which simply turns off DNSSEC during the captive portal detection, and resets it back to the default (i.e. on) after captive portal authentication is complete.
Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac19
1 files changed, 17 insertions, 2 deletions
diff --git a/configure.ac b/configure.ac
index 262f9e4fff..e72470a199 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1128,6 +1128,20 @@ AC_ARG_WITH(dns-servers,
AC_DEFINE_UNQUOTED(DNS_SERVERS, ["$DNS_SERVERS"], [Default DNS Servers])
AC_SUBST(DNS_SERVERS)
+AC_ARG_WITH(default-dnssec,
+ AS_HELP_STRING([--with-default-dnssec=MODE],
+ [Default DNSSEC mode, defaults to "allow-downgrade"]),
+ [DEFAULT_DNSSEC_MODE="$withval"],
+ [DEFAULT_DNSSEC_MODE="allow-downgrade"])
+
+AS_CASE("x${DEFAULT_DNSSEC_MODE}",
+ [xno], [mode=DNSSEC_NO],
+ [xyes], [mode=DNSSEC_YES],
+ [xallow-downgrade], [mode=DNSSEC_ALLOW_DOWNGRADE],
+ AC_MSG_ERROR(Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}))
+AC_DEFINE_UNQUOTED(DEFAULT_DNSSEC_MODE, [$mode], [Default DNSSEC mode])
+AC_SUBST(DEFAULT_DNSSEC_MODE)
+
# ------------------------------------------------------------------------------
have_networkd=no
AC_ARG_ENABLE(networkd, AS_HELP_STRING([--disable-networkd], [disable networkd]))
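Review bot: The help string for `--with-default-dnssec` names neither the accepted values nor what the default implies, so a packager only learns that `yes`, `no` and `allow-downgrade` are the valid modes from the `AS_CASE` arms or from the error message. As resolved documents it, `allow-downgrade` gives up validation when the upstream server appears not to support DNSSEC, so it is best-effort rather than a guarantee, and the option text is where someone choosing a build default will look. I would write `[Default DNSSEC mode: yes, no or allow-downgrade (default: allow-downgrade)]` and add a one-line comment above the `AS_CASE` saying that only `yes` enforces validation. Separately, the fallback arm is not m4-quoted like the other arms; `[AC_MSG_ERROR([Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}])]` would match them.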
@@ -1559,12 +1573,13 @@ AC_MSG_RESULT([
hostnamed: ${have_hostnamed}
timedated: ${have_timedated}
timesyncd: ${have_timesyncd}
- default NTP servers: ${NTP_SERVERS}
+ Default NTP servers: ${NTP_SERVERS}
time epoch: ${TIME_EPOCH}
localed: ${have_localed}
networkd: ${have_networkd}
resolved: ${have_resolved}
- default DNS servers: ${DNS_SERVERS}
+ Default DNS servers: ${DNS_SERVERS}
+ Default DNSSEC mode: ${DEFAULT_DNSSEC_MODE}
coredump: ${have_coredump}
polkit: ${have_polkit}
efi: ${have_efi}