dns: add options to control automatic addition of edns0 and trust-ad

Options "edns0" and "trust-ad" are automatically added when using caching plugins such as dnsmasq and systemd-resolved. In some cases, those options can break resolution due to non-conforming resolvers, and there is no way to disable them. Introduce new options "_no-add-edns0" and "_no-add-trust-ad" to prevent the automatic addition of "edns0" and "trust-ad". The initial underscore indicates that the option is internal and is not written into resolv.conf. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1393 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1751
2024-10-01 13:55:36 +00:00 · 2023-10-09 18:00:44 +02:00 · 2023-10-09 18:00:44 +02:00 · 7447c1c202
parent f9c9cbbf2f
commit 7447c1c202
3 changed files with 38 additions and 6 deletions
--- a/src/core/dns/nm-dns-manager.c
+++ b/src/core/dns/nm-dns-manager.c
@ -1876,8 +1876,11 @@ plugin_skip:;
        nameservers    = g_new0(char *, 2);
        nameservers[0] = g_strdup(lladdr);

-        need_edns0 = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_EDNS0);
-        need_trust = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD);
+        need_edns0 = !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_EDNS0)
+                     && !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0);
+        need_trust =
+            !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_TRUST_AD)
+            && !nm_strv_contains(options, -1, NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD);

        if (need_edns0 || need_trust) {
            gsize len;
@ -1892,6 +1895,23 @@ plugin_skip:;
        }
    }

+    if (options) {
+        guint i;
+        guint j;
+
+        /* Skip internal options, those starting with '_' */
+        for (i = 0, j = 0; options[i]; i++) {
+            if (options[i][0] == '_') {
+                g_free(options[i]);
+                continue;
+            }
+            if (i != j)
+                options[j] = options[i];
+            j++;
+        }
+        options[j] = NULL;
+    }
+
    if (do_update) {
        switch (priv->rc_manager) {
        case NM_DNS_MANAGER_RESOLV_CONF_MAN_SYMLINK:
--- a/src/libnm-core-impl/nm-setting-ip-config.c
+++ b/src/libnm-core-impl/nm-setting-ip-config.c
@ -52,6 +52,8 @@ const NMUtilsDNSOptionDesc _nm_utils_dns_option_descs[] = {
    {NM_SETTING_DNS_OPTION_NO_RELOAD, FALSE, FALSE},
    {NM_SETTING_DNS_OPTION_TRUST_AD, FALSE, FALSE},
    {NM_SETTING_DNS_OPTION_NO_AAAA, FALSE, FALSE},
+    {NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0, FALSE, FALSE},
+    {NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD, FALSE, FALSE},
    {NULL, FALSE, FALSE}};

 static char *
@ -6376,17 +6378,24 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
    /**
     * NMSettingIPConfig:dns-options:
     *
-     * Array of DNS options as described in man 5 resolv.conf.
+     * Array of DNS options to be added to resolv.conf.
     *
     * %NULL means that the options are unset and left at the default.
     * In this case NetworkManager will use default options. This is
     * distinct from an empty list of properties.
     *
-     * The currently supported options are "attempts", "debug", "edns0",
+     * The following options are directly added to resolv.conf: "attempts",
+     *  "debug", "edns0",
     * "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-aaaa",
     * "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query",
     * "rotate", "single-request", "single-request-reopen", "timeout",
-     * "trust-ad", "use-vc".
+     * "trust-ad", "use-vc". See the resolv.conf(5) man page for a
+     * detailed description of these options.
+     *
+     * In addition, NetworkManager supports the special options "_no-add-edns0"
+     * and "_no-add-trust-ad". They are not added to resolv.conf, and can be
+     * used to prevent the automatic addition of options "edns0" and "trust-ad"
+     * when using caching DNS plugins (see below).
     *
     * The "trust-ad" setting is only honored if the profile contributes
     * name servers to resolv.conf, and if all contributing profiles have
@ -6394,7 +6403,7 @@ nm_setting_ip_config_class_init(NMSettingIPConfigClass *klass)
     *
     * When using a caching DNS plugin (dnsmasq or systemd-resolved in
     * NetworkManager.conf) then "edns0" and "trust-ad" are automatically
-     * added.
+     * added, unless "_no-add-edns0" and "_no-add-trust-ad" are present.
     *
     * Since: 1.2
     **/
--- a/src/libnm-core-public/nm-setting-ip-config.h
+++ b/src/libnm-core-public/nm-setting-ip-config.h
@ -363,6 +363,9 @@ char *nm_ip_routing_rule_to_string(const NMIPRoutingRule       *self,
 #define NM_SETTING_DNS_OPTION_NO_RELOAD             "no-reload"
 #define NM_SETTING_DNS_OPTION_TRUST_AD              "trust-ad"
 #define NM_SETTING_DNS_OPTION_NO_AAAA               "no-aaaa"
+/* Internal options (not added to resolv.conf) */
+#define NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_EDNS0    "_no-add-edns0"
+#define NM_SETTING_DNS_OPTION_INTERNAL_NO_ADD_TRUST_AD "_no-add-trust-ad"

 typedef struct _NMSettingIPConfigClass NMSettingIPConfigClass;