authorArtturi <Artturin@artturin.com>2023-09-19 06:45:07 +0300
committerGitHub <noreply@github.com>2023-09-19 06:45:07 +0300
commit73d552ecb75d16f3cd6e88ee76c13dd78c543764 (patch)
tree6294b49ab16ba0d1312490a4491e9ab1d2df0843 /nixos/modules/system
parentc3f4c7f54ce38f1bf69d2a557c4c37c036436073 (diff)
parent4f461f7b7788d9aafc6021f1384423dabe605ad0 (diff)
Merge pull request #254918 from RaitoBezarius/dnssec-resolved
Diffstat (limited to 'nixos/modules/system')
-rw-r--r--nixos/modules/system/boot/resolved.nix8
1 files changed, 7 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 4e7201833db6..b898a6317962 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -66,7 +66,7 @@ in
     };
 
     services.resolved.dnssec = mkOption {
-      default = "allow-downgrade";
+      default = "false";
       example = "true";
       type = types.enum [ "true" "allow-downgrade" "false" ];
       description = lib.mdDoc ''
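Review bot: Changing `default = "false";` turns off DNSSEC validation on every host that never set `services.resolved.dnssec` explicitly, and nothing in this hunk tells such an operator that the previous default was `"allow-downgrade"`; the diffstat shown here is limited to nixos/modules/system, so whether a release-notes entry accompanies the change cannot be seen from this page and is worth confirming. The option description (its body continues in the second hunk, where the upstream rationale is added) is the only place the behaviour change is recorded, and that rationale is anchored to a date ("At the time of September 2023"), so a follow-up trigger should be stated rather than left implicit. I would end the description with a sentence such as `Set this option to "allow-downgrade" or "true" to opt back into DNSSEC validation; the default is expected to change again once upstream considers the validator robust.` The string value `"false"` is consistent with the `types.enum` of strings on the line below, so no type issue there.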
@@ -85,6 +85,12 @@ in
             synthesizing a DNS response that suggests DNSSEC was not
             supported.
         - `"false"`: DNS lookups are not DNSSEC validated.
+
+        At the time of September 2023, systemd upstream advise
+        to disable DNSSEC by default as the current code
+        is not robust enough to deal with "in the wild" non-compliant
+        servers, which will usually give you a broken bad experience
+        in addition of insecure.
       '';
     };