Difference between revisions of "Talk:DNSSEC"

From ArchWiki
Jump to navigation Jump to search
(Reworking: re)
(add section: "easy way: systemd-resolved supports DNSSEC")
Line 4: Line 4:
  
 
:I've done some reworking and removed the flag.  -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 00:33, 23 April 2017 (UTC)
 
:I've done some reworking and removed the flag.  -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 00:33, 23 April 2017 (UTC)
 +
 +
== easy way: systemd-resolved supports DNSSEC ==
 +
 +
IIUIC it is fairly easy to use DNSSEC system-wide via {{ic|systemd-resolved.service}}. One has to use a DNS server which supports DNSSEC of course (like 8.8.8.8 or 9.9.9.9 [https://quad9.net/]) and set {{ic|DNSSEC}} to "true" or "allow-downgrade". {{man|5|resolved.conf}} describes the {{ic|DNSSEC}} option.
 +
 +
It can be configured globally in {{ic|/etc/systemd/resolved.conf}} or per link if using [[Systemd-networkd]] in the corresponding {{ic|/etc/systemd/network/*.network}} files.
 +
 +
By default, {{ic|systemd-resolved.service}} does also DNS caching, which is useful when using DNSSEC because of the additional lookup delay.
 +
 +
Possible caveats:
 +
*From {{man|5|resolved.conf}}: "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
 +
*There are [http://jlk.fjfi.cvut.cz/arch/manpages/man/systemd-resolved.8#/ETC/RESOLV.CONF three ways] for dealing with {{ic|/etc/resolv.conf}}. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third one expose the configured DNS servers via {{ic|/etc/resolv.conf}} to clients which may bypass any [http://jlk.fjfi.cvut.cz/arch/manpages/man/systemd-resolved.8#DESCRIPTION local DNS API].
 +
 +
I'm still learing about DNS/DNSSEC and I'm not sure if the above is correct or I missed something. But from my understanding it should work and would fit very well into [[DNSSEC]].

Revision as of 17:15, 16 November 2017

Reworking

This article needs a major rework. It is listed in General recommendations#DNS security, but the page seems overwhelming. Do people need to patch every single program they use in order to use DNSSEC? I'm more inclined to recommend people to use something like Unbound. -- Rdeckard (talk) 01:45, 21 April 2017 (UTC)

I've done some reworking and removed the flag. -- Rdeckard (talk) 00:33, 23 April 2017 (UTC)

easy way: systemd-resolved supports DNSSEC

IIUIC it is fairly easy to use DNSSEC system-wide via systemd-resolved.service. One has to use a DNS server which supports DNSSEC of course (like 8.8.8.8 or 9.9.9.9 [1]) and set DNSSEC to "true" or "allow-downgrade". resolved.conf(5) describes the DNSSEC option.

It can be configured globally in /etc/systemd/resolved.conf or per link if using Systemd-networkd in the corresponding /etc/systemd/network/*.network files.

By default, systemd-resolved.service does also DNS caching, which is useful when using DNSSEC because of the additional lookup delay.

Possible caveats:

  • From resolved.conf(5): "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
  • There are three ways for dealing with /etc/resolv.conf. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third one expose the configured DNS servers via /etc/resolv.conf to clients which may bypass any local DNS API.

I'm still learing about DNS/DNSSEC and I'm not sure if the above is correct or I missed something. But from my understanding it should work and would fit very well into DNSSEC.