authorPeter Simons <simons@cryp.to>2016-01-19 21:50:27 +0100
committerPeter Simons <simons@cryp.to>2016-01-19 21:54:43 +0100
commit5e468b96b432c938665ac056463a29fde40067b7 (patch)
tree140983a4b78370b73592e7937975fb403cbea210 /nixos
parent8871de95f5277dc88d991437ac3e782faada4846 (diff)
nixos: add 'networking.dnsExtensionMechanism' option to enable edns0 (for DNSSEC)
Set this option to 'true' (default: 'false') to enable extension mechanisms for
DNS (EDNS) in your local glibc resolver. This is required for supporting
DNSSEC, for example.

Implementation detail: the patch changes assignments to "resolv_conf_options"
to use "+=" instead of "=" to ensure that multiple users of that variable don't
overwrite each other. The generated config file is a shell script, after all,
so this should work fine.

Closes https://github.com/NixOS/nixpkgs/issues/12470.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/config/networking.nix16
1 files changed, 15 insertions, 1 deletions
diff --git a/nixos/modules/config/networking.nix b/nixos/modules/config/networking.nix
index 293a42d38b5a..d4b1e6d6b968 100644
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@@ -39,6 +39,17 @@ in
       '';
     };
 
+    networking.dnsExtensionMechanism = lib.mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With
+        that option set, <code>glibc</code> supports use of the extension mechanisms for
+        DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
+        which does not work without it.
+      '';
+    };
+
     networking.extraResolvconfConf = lib.mkOption {
       type = types.lines;
       default = "";
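Review bot: The option description references RFC 2671, which was obsoleted by RFC 6891 (EDNS(0)) in 2013, so the citation is stale and should read `RFC 6891`. It also overstates what the flag buys: `edns0` only lets the glibc stub resolver attach an EDNS OPT record to its queries and accept larger responses; glibc performs no DNSSEC validation itself, so any DNSSEC guarantee still depends on a validating recursive resolver being reached over a trusted path. I would replace the last sentence of the description with `DNSSEC-capable resolvers require this, but note that glibc does not validate DNSSEC signatures itself; validation must be done by a trusted (e.g. local) recursive resolver.`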
@@ -162,7 +173,10 @@ in
               libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
             '' + optionalString cfg.dnsSingleRequest ''
               # only send one DNS request at a time
-              resolv_conf_options='single-request'
+              resolv_conf_options+=' single-request'
+            '' + optionalString dnsExtensionMechanism ''
+              # enable extension mechanisms for DNS
+              resolv_conf_options+=' edns0'
             '' + optionalString hasLocalResolver ''
               # This hosts runs a full-blown DNS resolver.
               name_servers='127.0.0.1'
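Review bot: The new guard `'' + optionalString dnsExtensionMechanism ''` references a bare `dnsExtensionMechanism`, while the option was declared as `networking.dnsExtensionMechanism` and the sibling guard two lines above reads `cfg.dnsSingleRequest`; unless a `let` binding outside this hunk introduces that name, evaluating the module will fail with an undefined-variable error whenever it is loaded, independent of the option's value. The line should read `'' + optionalString cfg.dnsExtensionMechanism ''`. A smaller caveat: `resolv_conf_options+=' edns0'` (and the rewritten `single-request` line) relies on the `+=` operator, which is a bash extension rather than POSIX sh, so the generated resolvconf.conf now depends on being sourced by a bash-compatible shell — true on NixOS, but worth a comment such as `# '+=' is a bashism; resolvconf sources this file with bash on NixOS`. The enclosing string concatenation begins before and continues after this hunk.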