-rw-r--r--Makefile.am1
-rw-r--r--NEWS17
-rw-r--r--configure.ac19
-rw-r--r--src/resolve/resolved-manager.c2
-rw-r--r--src/resolve/resolved.conf.in2
5 files changed, 37 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index 9bc0bf2c05..8c151f538f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5759,6 +5759,7 @@ substitutions = \
'|PYTHON=$(PYTHON)|' \
'|NTP_SERVERS=$(NTP_SERVERS)|' \
'|DNS_SERVERS=$(DNS_SERVERS)|' \
+ '|DEFAULT_DNSSEC_MODE=$(DEFAULT_DNSSEC_MODE)|' \
'|systemuidmax=$(SYSTEM_UID_MAX)|' \
'|systemgidmax=$(SYSTEM_GID_MAX)|' \
'|TTY_GID=$(TTY_GID)|' \
diff --git a/NEWS b/NEWS
index 80e59c53d3..0cce79443b 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,23 @@ systemd System and Service Manager
CHANGES WITH 230 in spe:
+ * DNSSEC is now turned on by default in systemd-resolved (in
+ "allow-downgrade" mode), but may be turned off during compile time by
+ passing "--with-default-dnssec=no" to "configure" (and of course,
+ during runtime with DNSSEC= in resolved.conf). We recommend
+ downstreams to leave this on at least during development cycles and
+ report any issues with the DNSSEC logic upstream. We are very
+ interested in collecting feedback about the DNSSEC validator and its
+ limitations in the wild. Note however, that DNSSEC support is
+ probably nothing downstreams should turn on in stable distros just
+ yet, as it might create incompabilities with a few DNS servers and
+ networks. We tried hard to make sure we downgrade to non-DNSSEC mode
+ automatically whenever we detect such incompatible setups, but there
+ might be systems we do not cover yet. Hence: please help us testing
+ the DNSSEC code, leave this on where you can, report back, but then
+ again don't consider turning this on in your stable, LTS or
+ production release just yet.
+
* Testing tool /usr/lib/systemd/systemd-activate is renamed to
systemd-socket-activate and installed into /usr/bin. It is now fully
supported.
diff --git a/configure.ac b/configure.ac
index 262f9e4fff..e72470a199 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1128,6 +1128,20 @@ AC_ARG_WITH(dns-servers,
AC_DEFINE_UNQUOTED(DNS_SERVERS, ["$DNS_SERVERS"], [Default DNS Servers])
AC_SUBST(DNS_SERVERS)
+AC_ARG_WITH(default-dnssec,
+ AS_HELP_STRING([--with-default-dnssec=MODE],
+ [Default DNSSEC mode, defaults to "allow-downgrade"]),
+ [DEFAULT_DNSSEC_MODE="$withval"],
+ [DEFAULT_DNSSEC_MODE="allow-downgrade"])
+
+AS_CASE("x${DEFAULT_DNSSEC_MODE}",
+ [xno], [mode=DNSSEC_NO],
+ [xyes], [mode=DNSSEC_YES],
+ [xallow-downgrade], [mode=DNSSEC_ALLOW_DOWNGRADE],
+ AC_MSG_ERROR(Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}))
+AC_DEFINE_UNQUOTED(DEFAULT_DNSSEC_MODE, [$mode], [Default DNSSEC mode])
+AC_SUBST(DEFAULT_DNSSEC_MODE)
+
# ------------------------------------------------------------------------------
have_networkd=no
AC_ARG_ENABLE(networkd, AS_HELP_STRING([--disable-networkd], [disable networkd]))
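Review bot: The help string for --with-default-dnssec does not tell the user which values are accepted, so the only way to discover them is to read the AS_CASE or trip its error; suggest `[Default DNSSEC mode: no, yes or allow-downgrade (default: allow-downgrade)]` and likewise make the error list them, `AC_MSG_ERROR([Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}, expected no, yes or allow-downgrade])`. The temporary `mode` is an unprefixed shell variable in a very large configure script; renaming it to `dnssec_mode` avoids any accidental clobbering by other option blocks. Worth noting in the help text too that "yes" is strict (queries fail when validation is impossible) whereas "allow-downgrade" silently falls back to unvalidated lookups, as the NEWS entry describes, since that is the security-relevant difference a packager is choosing.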
@@ -1559,12 +1573,13 @@ AC_MSG_RESULT([
hostnamed: ${have_hostnamed}
timedated: ${have_timedated}
timesyncd: ${have_timesyncd}
- default NTP servers: ${NTP_SERVERS}
+ Default NTP servers: ${NTP_SERVERS}
time epoch: ${TIME_EPOCH}
localed: ${have_localed}
networkd: ${have_networkd}
resolved: ${have_resolved}
- default DNS servers: ${DNS_SERVERS}
+ Default DNS servers: ${DNS_SERVERS}
+ Default DNSSEC mode: ${DEFAULT_DNSSEC_MODE}
coredump: ${have_coredump}
polkit: ${have_polkit}
efi: ${have_efi}
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index bf5efe4cfa..09e15fa230 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -485,7 +485,7 @@ int manager_new(Manager **ret) {
m->llmnr_support = RESOLVE_SUPPORT_YES;
m->mdns_support = RESOLVE_SUPPORT_NO;
- m->dnssec_mode = DNSSEC_NO;
+ m->dnssec_mode = DEFAULT_DNSSEC_MODE;
m->read_resolv_conf = true;
m->need_builtin_fallbacks = true;
m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY;
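Review bot: The new default on the `m->dnssec_mode` line is a configure-time macro with no comment, so a reader of manager_new() cannot tell where the value comes from or what the shipped default ("allow-downgrade") means for validation. Suggest `/* Compile-time default from --with-default-dnssec=; "allow-downgrade" validates when possible but silently falls back to unvalidated answers if the upstream looks DNSSEC-incapable, so it is not a hard guarantee. */` above the assignment. The downgrade description is taken from the NEWS text in this same commit; the exact trigger conditions live in the validator, not in this hunk, so confirm the wording against it. manager_new() begins and ends outside the hunk.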
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index efc9c6733a..a288588924 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -16,4 +16,4 @@
#FallbackDNS=@DNS_SERVERS@
#Domains=
#LLMNR=yes
-#DNSSEC=no
+#DNSSEC=@DEFAULT_DNSSEC_MODE@