nixos: add 'networking.dnsExtensionMechanism' option to enable edns0 (for DNSSEC)

Set this option to 'true' (default: 'false') to enable extension mechanisms for
DNS (EDNS) in your local glibc resolver. This is required for supporting
DNSSEC, for example.

Implementation detail: the patch changes assignments to "resolv_conf_options"
to use "+=" instead of "=" to ensure that multiple users of that variable don't
overwrite each other. The generated config file is a shell script, after all,
so this should work fine.

Closes https://github.com/NixOS/nixpkgs/issues/12470.
This commit is contained in:
Peter Simons 2016-01-19 21:50:27 +01:00
parent 8871de95f5
commit 5e468b96b4

View File

@ -39,6 +39,17 @@ in
'';
};
networking.dnsExtensionMechanism = lib.mkOption {
type = types.bool;
default = false;
description = ''
Enable the <code>edns0</code> option in <filename>resolv.conf</filename>. With
that option set, <code>glibc</code> supports use of the extension mechanisms for
DNS (EDNS) specified in RFC 2671. The most popular user of that feature is DNSSEC,
which does not work without it.
'';
};
networking.extraResolvconfConf = lib.mkOption {
type = types.lines;
default = "";
@ -162,7 +173,10 @@ in
libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
'' + optionalString cfg.dnsSingleRequest ''
# only send one DNS request at a time
resolv_conf_options='single-request'
resolv_conf_options+=' single-request'
'' + optionalString dnsExtensionMechanism ''
# enable extension mechanisms for DNS
resolv_conf_options+=' edns0'
'' + optionalString hasLocalResolver ''
# This hosts runs a full-blown DNS resolver.
name_servers='127.0.0.1'