From ArchWiki

easy way: systemd-resolved supports DNSSEC

IIUIC it is fairly easy to use DNSSEC system-wide via systemd-resolved.service. One has to use a DNS server which supports DNSSEC of course (like or [1]) and set DNSSEC to "true" or "allow-downgrade". resolved.conf(5) describes the DNSSEC option.

It can be configured globally in /etc/systemd/resolved.conf or per link if using Systemd-networkd in the corresponding /etc/systemd/network/*.network files.

By default, systemd-resolved.service also does DNS caching, which is useful when using DNSSEC because of the additional lookup delay.

Possible caveats:

  • From resolved.conf(5): "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
  • There are three ways for dealing with /etc/resolv.conf. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third ones expose the configured DNS servers via /etc/resolv.conf to clients which may bypass any local DNS API.

I'm still learning about DNS/DNSSEC and I'm not sure if the above is correct or I missed something. But from my understanding it should work and would fit very well into DNSSEC.

—This unsigned comment is by Mearon (talk) 17:15, 16 November 2017. Please sign your posts with ~~~~!
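As an added example (not part of the wiki discussion above), a small POSIX sh audit helper that checks the two caveats raised: which of the /etc/resolv.conf wirings is in use, and which DNSSEC= value systemd-resolved will pick up once /etc/systemd/resolved.conf and its resolved.conf.d/*.conf drop-ins are combined (later assignments override earlier ones). The ROOT prefix argument is an assumption so it can be run against a constructed directory tree instead of the live system; it only understands plain `KEY=VALUE` lines without surrounding whitespace.

```shell
# resolv_mode ROOT: classify how ROOT/etc/resolv.conf is wired.
# "stub"   -> symlink to stub-resolv.conf, clients talk to 127.0.0.53 and get resolved's validation
# "uplink" -> symlink to resolv.conf, upstream servers are exposed and clients can bypass resolved
resolv_mode() {
  root="${1:-}"
  f="$root/etc/resolv.conf"
  if [ -L "$f" ]; then
    case "$(readlink "$f")" in
      */systemd/resolve/stub-resolv.conf) echo stub ;;
      */systemd/resolve/resolv.conf)      echo uplink ;;
      *)                                  echo other-symlink ;;
    esac
  elif [ -f "$f" ]; then
    echo static        # foreign/static file; resolved may not be in the path at all
  else
    echo missing
  fi
}

# dnssec_setting ROOT: effective DNSSEC= from the [Resolve] section.
# Main file first, then drop-ins in lexical order; the last assignment wins.
# Prints "unset" when no file sets it (the compile-time default then applies).
dnssec_setting() {
  root="${1:-}"
  value=unset
  for cfg in "$root/etc/systemd/resolved.conf" "$root"/etc/systemd/resolved.conf.d/*.conf; do
    [ -f "$cfg" ] || continue
    v=$(awk -F= '/^\[/ {s=$0} s=="[Resolve]" && $1=="DNSSEC" {v=$2} END {print v}' "$cfg")
    [ -n "$v" ] && value=$v
  done
  echo "$value"
}

# systemwide_dnssec ROOT: one-word verdict combining both checks.
# Validation is only system-wide when clients cannot go around resolved (stub mode).
systemwide_dnssec() {
  mode=$(resolv_mode "$1")
  dnssec=$(dnssec_setting "$1")
  if [ "$mode" = stub ] && [ "$dnssec" = true ]; then
    echo enforced
  elif [ "$mode" = stub ] && [ "$dnssec" = allow-downgrade ]; then
    echo validating-downgradable
  else
    echo "bypassable:$mode:$dnssec"
  fi
}
```

Run as `systemwide_dnssec ""` against the live system (root not required, the files are world-readable) to see which of the three outcomes the current wiring gives.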