diff options
author | Raito Bezarius <masterancpp@gmail.com> | 2023-09-13 11:49:16 +0200 |
---|---|---|
committer | Raito Bezarius <masterancpp@gmail.com> | 2023-09-13 11:49:16 +0200 |
commit | 4f461f7b7788d9aafc6021f1384423dabe605ad0 (patch) | |
tree | 5f83da8ec748ee8a7661e45f4f73e3affaafd677 /nixos/modules/system | |
parent | 703eef7b02b420ae3e624add656f41fc4ae7c26f (diff) | |
download | nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar.gz nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar.bz2 nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar.lz nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar.xz nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.tar.zst nixlib-4f461f7b7788d9aafc6021f1384423dabe605ad0.zip |
nixos/modules/system/resolved: disable DNSSEC validation by default
Historically, we allowed downgrade of DNSSEC, but some folks argue this may decrease actually the security posture to do opportunistic DNSSEC. In addition, the current implementation of (opportunistic) DNSSEC validation is broken against "in the wild" servers which are usually slightly non-compliant. systemd upstream recommended to me (in personal communication surrounding the All Systems Go 2023 conference) to disable DNSSEC validation until they work on it in a significant capacity, ideally, by next year.
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 4e7201833db6..b898a6317962 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -66,7 +66,7 @@ in }; services.resolved.dnssec = mkOption { - default = "allow-downgrade"; + default = "false"; example = "true"; type = types.enum [ "true" "allow-downgrade" "false" ]; description = lib.mdDoc '' @@ -85,6 +85,12 @@ in synthesizing a DNS response that suggests DNSSEC was not supported. - `"false"`: DNS lookups are not DNSSEC validated. + + At the time of September 2023, systemd upstream advise + to disable DNSSEC by default as the current code + is not robust enough to deal with "in the wild" non-compliant + servers, which will usually give you a broken bad experience + in addition of insecure. ''; }; |