A few years ago, I saw a comment from the lead developer of systemd stating that the DNSSEC support was still in the experimental phase. Now, almost three years later, I'm curious whether that has changed. Is it safe to use DNSSEC with systemd-resolved, especially in version 257.9 (Debian 13)? Has anyone had recent experiences or insights on this?
4 Answers
I wouldn't stress too much about the "safety" of it. I've had my workstation running with `DNSSEC=allow-downgrade` for about six months now. I initially had it set to `DNSSEC=yes`, but that just caused too many issues with captive portals. It seems like the protections are doing their job, but it's a mixed bag.
Interesting timing! I stumbled upon the same issue last week. It seems there’s a GitHub thread discussing a bug with the allow-downgrade option in systemd-resolved. Honestly, I've had constant issues ever since they introduced resolved, and it’s been pretty frustrating.
Honestly, I wouldn't put my trust in systemd for DNS or DNSSEC. They've had a lot of hiccups in the past, and while they might have improved, I’d still be cautious. It's often been problematic for me and others.
Just a heads up, the default DNSSEC setting in Fedora is `DNSSEC=no`. Generally, I think it's best for recursive resolvers to handle DNSSEC validation. If you're using stub resolvers, securing the connection to recursive resolvers over TLS is usually the way to go, and make sure the AD flag is trusted too.

I’m not sure why you got downvoted. Last I checked (like two years ago), systemd-resolved was really messy with some dubious design choices. It was the first thing I disabled on new setups.
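Added example, not posted by anyone in this thread and not systemd's own code: a small POSIX shell audit that reports the effective DNSSEC posture of a resolved.conf-style file, covering both the `DNSSEC=allow-downgrade` workstation setting from the first answer and the `DNSSEC=no` default plus TLS-to-the-recursor advice from the later one. It assumes the `[Resolve]` section keys documented in resolved.conf(5) (`DNS=`, `DNSSEC=`, `DNSOverTLS=`) and that the caller supplies the compiled-in DNSSEC default, since that differs per build; the two sample configs and the 192.0.2.53 server are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread or the systemd project): audit the
# effective DNSSEC=/DNSOverTLS= posture of a resolved.conf-style file.
# Assumptions: keys live in the [Resolve] section, a repeated key's last
# assignment wins and an empty assignment resets to the default (systemd
# semantics); the compiled-in DNSSEC default is supplied by the caller
# because it varies per build (upstream allow-downgrade, Fedora no).
set -eu

# resolved_setting KEY FILE DEFAULT: print KEY's effective value or DEFAULT.
resolved_setting() {
    _key=$1 _file=$2 _default=$3
    _val=$(awk -v key="$_key" '
        { sub(/^[[:space:]]+/, "") }                 # trim leading blanks
        /^[#;]/ { next }                              # comment line
        /^\[/   { in_resolve = ($0 == "[Resolve]"); next }
        in_resolve && index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)           # text after "KEY="
            sub(/[[:space:]]+$/, "", v)
        }
        END { print v }' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# resolved_posture FILE DNSSEC_DEFAULT: one-line summary of the posture.
resolved_posture() {
    _dnssec=$(resolved_setting DNSSEC "$1" "$2")
    _dot=$(resolved_setting DNSOverTLS "$1" no)
    case $_dnssec in
        yes|true|1)      _mode=enforcing ;;      # validation failure => SERVFAIL
        allow-downgrade) _mode=downgradable ;;   # validates only if upstream looks capable
        no|false|0)      _mode=off ;;            # the upstream's AD bit is all you get
        *)               _mode="unknown($_dnssec)" ;;
    esac
    printf '%s dnsovertls=%s\n' "$_mode" "$_dot"
}

# Constructed sample configs (not taken from any real host).
WEAK_CONF=$(mktemp) STRICT_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$STRICT_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
[Resolve]
DNS=192.0.2.53
# Survives captive portals, but a man-in-the-middle can make the upstream
# look DNSSEC-incapable and validation is then silently switched off.
DNSSEC=allow-downgrade
EOF
cat >"$STRICT_CONF" <<'EOF'
[Resolve]
# The server name after '#' is what the TLS certificate is validated against.
DNS=192.0.2.53#dns.example.net
DNSSEC=yes
DNSOverTLS=yes
EOF

resolved_posture "$WEAK_CONF" allow-downgrade     # downgradable dnsovertls=no
resolved_posture "$STRICT_CONF" allow-downgrade   # enforcing dnsovertls=yes
```

The audit only looks at one file; a real host also merges drop-ins under `/etc/systemd/resolved.conf.d/`, so point it at each of those, or compare against what `resolvectl status` reports as the active "DNSSEC setting". When enforcing mode is on, `resolvectl query` shows "Data is authenticated: yes" for a signed zone, which is the quickest end-to-end check that validation is actually happening rather than just configured.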