This article needs a major rework. It is listed in General recommendations#DNS security, but the page seems overwhelming. Do people need to patch every single program they use in order to use DNSSEC? I'm more inclined to recommend people to use something like Unbound. -- Rdeckard (talk) 01:45, 21 April 2017 (UTC)
easy way: systemd-resolved supports DNSSEC
IIUIC it is fairly easy to use DNSSEC system-wide via
systemd-resolved.service. One has to use a DNS server which supports DNSSEC of course (like 220.127.116.11 or 18.104.22.168 ) and set
DNSSEC to "true" or "allow-downgrade". describes the
It can be configured globally in
/etc/systemd/resolved.conf or per link if using Systemd-networkd in the corresponding
systemd-resolved.service does also DNS caching, which is useful when using DNSSEC because of the additional lookup delay.
- From : "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
- There are three ways for dealing with
/etc/resolv.conf. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third one expose the configured DNS servers via
/etc/resolv.confto clients which may bypass any local DNS API.
I'm still learing about DNS/DNSSEC and I'm not sure if the above is correct or I missed something. But from my understanding it should work and would fit very well into DNSSEC.