From ArchWiki
Jump to navigation Jump to search

easy way: systemd-resolved supports DNSSEC

IIUIC it is fairly easy to use DNSSEC system-wide via systemd-resolved.service. One has to use a DNS server which supports DNSSEC of course (like or [1]) and set DNSSEC to "true" or "allow-downgrade". resolved.conf(5) describes the DNSSEC option.

It can be configured globally in /etc/systemd/resolved.conf or per link if using Systemd-networkd in the corresponding /etc/systemd/network/*.network files.

By default, systemd-resolved.service does also DNS caching, which is useful when using DNSSEC because of the additional lookup delay.

Possible caveats:

  • From resolved.conf(5): "In effect, when the built-in trust anchor is revoked and DNSSEC= is true, all further lookups will fail, as it cannot be proved anymore whether lookups are correctly signed, or validly unsigned." So keep your system up-to-date ;)
  • There are three ways for dealing with /etc/resolv.conf. If one wants system-wide DNSSEC validation, one should probably opt for the first option, since the second and third one expose the configured DNS servers via /etc/resolv.conf to clients which may bypass any local DNS API.

I'm still learing about DNS/DNSSEC and I'm not sure if the above is correct or I missed something. But from my understanding it should work and would fit very well into DNSSEC.

—This unsigned comment is by Mearon (talk) 17:15, 16 November 2017‎. Please sign your posts with ~~~~!

Testing section is misleading

Currently in the #Testing section the user is instructed to try drill -DT {sigok,sigfail} for "testing" purposes, but I don't think these are useful tests.

What I mean is: drill -DT does all the queries and validation itself, so these tests only serve to verify that the sigok and sigfail domains have the DNSSEC configuration they are reported to have. They test nothing about the user's resolver. It looks like in previous versions of this page that was more clear, but now it is not.

Depending on the intended purpose of this section, it should probably either:

1. Inform the user they should substitute the domains(s) they actually want to validate the DNSSEC configuration of.

2. Supply alternative instructions that test the user's locally configured resolver's DNSSEC behavior.

3. Link to instructions like (2) in the relevant sections of pages for different setups i.e resolved/dnsmasq/unbound etc.

4. Be removed.

Brocellous (talk) 23:46, 20 August 2020 (UTC)