fix: enable edns0 for system resolver by default #1282
Conversation
Remove after hickory-resolver is updated with this fix applied: hickory-dns/hickory-dns#2831 Fixes: stalwartlabs#1255
|
|
|
Is there any harm in enabling edns0 by default? As far as I understand EDNS0 does not require DNSSEC (which is disabled by default in resolved - in NixOS at least). The upstream has decided against enabling it default apparently for good reasons? Is it only a performance consideration or can it break stuff? For stalwart the correct approach is probably to wait for the upstream PR to be merged and update the dep, because there is a workaround in config posted in the bug report (using TCP, which should be fine for most deployments I wager). In any case, thank you for digging into this! |
It is not, but every resolver which implements dnssec also has edns0 support, edns0 is there since... year 1999, 25 years ago: https://datatracker.ietf.org/doc/html/rfc2671 I don't think there is any DNS server which doesn't support edns0 in the wild at all? The only option is to disable it, I think.
ResolverOpts in hickory specifies its defaults as
At the time resolv.conf defaults were added, there were not many edns0 servers, I think. |
|
FYI hickory-dns/hickory-dns#2831 is merged already. I guess it will be in the next release? |
|
Now I think, this fix is even the correct one because as far as I understand is EDNS a requirement of DNSSEC (See https://www.rfc-editor.org/rfc/rfc4033.html?utm_source=chatgpt.com) |
|
Hi @CertainLach, We recently updated our Fiduciary License Agreement (FLA) to clarify that Stalwart Labs is authorized to dual-license contributions under the Stalwart Enterprise License (SEL). This change does not affect your rights in any way—your contribution remains open source under the same Free Software licenses as before. The only difference is that we now have explicit permission to also license it under SEL. Everything else in the agreement stays the same. In particular, if Stalwart Labs ever stops offering the project as open source, your rights to your contribution will automatically revert back to you. This safeguard ensures that your work cannot be taken out of the open-source ecosystem without returning control to you. To continue using your contribution, we kindly ask that you sign the updated agreement at https://cla-assistant.io/stalwartlabs/. If you prefer, you can also simply reply to this comment with "I agree", and we will consider it as your acceptance of the updated terms. If you do not agree with these new terms or if we do not hear from you within one month, we will need to revert this PR and remove your contribution from the repository. Thank you for your contributions to Stalwart Mail Server! If you have any questions or concerns, feel free to reach out. |
This fix is not entirely correct, as system resolver might not support edns0, and this flag should be read from resolv.conf.
However, we expect system resolver to support dnssec, and it is unusual for dns server to support dnssec, and not support edns0?
Also system resolver is not default in stalwart mail server, and it wouldn't be expected for user to replace secure default dns server with insecure system resolver in this case?
In any case, this should be removed after hickory-resolver is updated with this fix applied: hickory-dns/hickory-dns#2831
And I believe it would be good for it to be always enabled in meantime.
Fixes: #1255