easy way: systemd-resolved supports DNSSEC
IIUIC it is fairly easy to use DNSSEC system-wide via systemd-resolved.service. One has to use a DNS server which supports DNSSEC, of course (like 22.214.171.124 or 126.96.36.199), and set DNSSEC to "true" or "allow-downgrade". describes the
It can be configured globally in /etc/systemd/resolved.conf or per link if using systemd-networkd in the corresponding
systemd-resolved.service also does DNS caching, which is useful when using DNSSEC because of the additional lookup delay.
- From : "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
- There are three ways of dealing with /etc/resolv.conf. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third ones expose the configured DNS servers via /etc/resolv.conf to clients which may bypass any local DNS API.
I'm still learning about DNS/DNSSEC and I'm not sure if the above is correct or whether I missed something. But from my understanding it should work and would fit very well into DNSSEC.
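As an added example (not part of the original post, nor of systemd), a small POSIX shell helper that reads the [Resolve] section of a resolved.conf-style file and classifies its DNSSEC= setting; the weak and the hardened configuration are constructed inline as samples, and the resolvectl commands in the trailing comments are the live check on a running system.

```shell
#!/bin/sh
# Added example: inspect a resolved.conf-style file and report the DNSSEC=
# mode from its [Resolve] section. The sample files below are constructed;
# /etc/systemd/resolved.conf is the real path mentioned in the post.

# Print the DNSSEC= value in the [Resolve] section of $1 (last one wins),
# or "unset" if none. Comment lines (# or ;) and whitespace are ignored.
dnssec_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /^\[Resolve\]/); next }
        insec && $1 ~ /^[ \t]*DNSSEC[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Map the raw value to what it means for a client relying on validation.
dnssec_class() {
    case "$1" in
        true|yes)        echo "strict" ;;         # unsigned/invalid answers fail
        allow-downgrade) echo "opportunistic" ;;  # validates, but may fall back
        false|no)        echo "disabled" ;;
        unset)           echo "unset (compile-time default applies)" ;;
        *)               echo "unknown: $1" ;;
    esac
}

# Constructed sample 1: the setting left at its commented-out default ...
tmp=$(mktemp)
printf '[Resolve]\n#DNSSEC=no\nDNS=192.0.2.53\n' > "$tmp"
# ... and sample 2: the hardened setting the post recommends.
tmp2=$(mktemp)
printf '[Resolve]\nDNS=192.0.2.53\nDNSSEC=true\n' > "$tmp2"

dnssec_class "$(dnssec_value "$tmp")"    # unset (compile-time default applies)
dnssec_class "$(dnssec_value "$tmp2")"   # strict
rm -f "$tmp" "$tmp2"

# Live check on a running system (needs systemd-resolved and resolvectl):
#   resolvectl status | grep -E 'DNSSEC (setting|supported)'
#   resolvectl query example.org     # expect "-- Data is authenticated: yes"
```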