glibc 2.31 (in Fedora 32) clears the AD bit in DNS responses unless the resolvers configured in /etc/resolv.conf are marked as trusted, using this new option:

options trust-ad

Please add a documented way to set this option on connection profiles. For example, it should be possible to specify that the DNS servers received for an OpenVPN connection are trusted in this way, or that DNS servers assigned via DHCP on a specific connection are trusted.

Without this feature, applications which require authenticated DNS data (such as some Postfix features) will fail on Fedora 32. Sorry for not noticing this sooner.

Postfix bug description: https://marc.info/?l=postfix-users&m=158704757200939&w=2

Note: I think the Postfix bug is wrong, and this should be fixed by configuring /etc/resolv.conf correctly.
NM supports setting resolv.conf options in the 'ipv4.dns-options' and 'ipv6.dns-options' properties of a connection profile. This is documented in 'man nm-settings'; the page doesn't document each individual option but instead it refers to the resolv.conf man page. I see that 'trust-ad' is not documented there yet, I think it should be. I just added 'trust-ad' to the options recognized by NM. This will be included in F32 when we rebase NM to the next minor version, which should happen quite soon. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/40b2cf7a0c652814638207b2951c6f7c80aa8033
Thanks. I think since this flag has special semantic meaning and needs to be set based on VPN connections etc., it may not make sense to merge it with the other settings in the configuration. Sorry, I can't tell based on your commit whether that is the case here or not.
> Thanks. I think since this flag has special semantic meaning and
> needs to be set based on VPN connections etc., it may not make sense
> to merge it with the other settings in the configuration.

Currently users can set DNS options in the connection profile. For example:

nmcli connection modify ethernet-enp1s0 ipv4.dns-options trust-ad,rotate

This means that when the connection is active, 'trust-ad' and 'rotate' are added to /etc/resolv.conf options, together with options from other connections active at that moment. Option 'trust-ad' is never added automatically by NM, but must be added by users on all the connections (including VPNs) for which it makes sense.

A problem is that resolv.conf options are global and so if you add an option to a connection, it also applies to name servers from other connections that are active at the same time.

> For example, it should be possible to specify that the DNS servers
> received for an OpenVPN connection are trusted in this way, or that
> DNS servers assigned via DHCP on a specific connection are trusted.

Yes, if users add the option to those specific connection profiles, NM will write the option to resolv.conf.
Merged another patch to "master" and "nm-1-24": https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/5e47fb630ba92fa7a5b98bebc94f830935109e0c

Now `man nm-settings` reads:

dns-options (array of string)
    Array of DNS options as described in man 5 resolv.conf. NULL means that the options are unset and left at the default. In this case NetworkManager will use default options. This is distinct from an empty list of properties. The currently supported options are "attempts", "debug", "edns0", "inet6", "ip6-bytestring", "ip6-dotint", "ndots", "no-check-names", "no-ip6-dotint", "no-reload", "no-tld-query", "rotate", "single-request", "single-request-reopen", "timeout", "trust-ad", "use-vc". The "trust-ad" setting is only honored if the profile contributes name servers to resolv.conf, and if all contributing profiles have "trust-ad" enabled.

The merged DNS options are global, across all active devices/profiles. That means:

- if a profile doesn't specify any DNS name servers, it is ignored w.r.t. the trust-ad setting.
- if all profiles that are not ignored specify trust-ad, then trust-ad gets set.
- otherwise, it doesn't get set.

Note that you can also set `ipv4.dns-priority` to a negative value, so that only that profile gets used.

I think that should solve this request.
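The merge rule from the comment above, modelled as a small Python example written for this page (not NetworkManager's own code): ordinary options are the union over active profiles, while "trust-ad" is written only when every profile that contributes name servers has it. The `Profile` class, the field names and the handling of a negative dns-priority (only the profiles with the lowest priority value contribute) are assumptions made for the model.

```python
"""Model of how NetworkManager >= 1.24 merges per-profile dns-options into the
single global 'options' line of /etc/resolv.conf. Example for this page, not
NetworkManager's implementation."""
from dataclasses import dataclass, field


@dataclass
class Profile:  # assumed shape; only the fields the merge rule needs
    name: str
    nameservers: list = field(default_factory=list)
    dns_options: set = field(default_factory=set)
    dns_priority: int = 0  # ipv4.dns-priority; negative means exclusive


def contributing_profiles(active):
    """Profiles whose name servers are actually written to resolv.conf.

    A profile with no name servers contributes nothing. If any profile has
    a negative dns-priority, only the profiles sharing the lowest priority
    value contribute (assumption: ties at the same negative value all count).
    """
    with_ns = [p for p in active if p.nameservers]
    if any(p.dns_priority < 0 for p in with_ns):
        lowest = min(p.dns_priority for p in with_ns)
        with_ns = [p for p in with_ns if p.dns_priority == lowest]
    return with_ns


def merged_resolv_options(active):
    """Return the sorted list of options NM would write to resolv.conf.

    'trust-ad' is special because glibc applies it to every listed name
    server: it is emitted only if all contributing profiles enable it, so a
    VPN that pushes untrusted resolvers cannot inherit AD trust from the LAN.
    """
    merged = set()
    for p in active:  # options other than trust-ad are global, per the thread
        merged |= p.dns_options - {"trust-ad"}
    contributors = contributing_profiles(active)
    if contributors and all("trust-ad" in p.dns_options for p in contributors):
        merged.add("trust-ad")
    return sorted(merged)


if __name__ == "__main__":
    # Constructed sample profiles (documentation addresses, not real servers).
    lan = Profile("ethernet-enp1s0", ["192.0.2.53"], {"trust-ad", "rotate"})
    vpn = Profile("openvpn-office", ["198.51.100.1"], set())
    print(merged_resolv_options([lan]))       # ['rotate', 'trust-ad']
    print(merged_resolv_options([lan, vpn]))  # ['rotate']
```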
This will thus be available in NetworkManager 1.24.0 and newer.