dns: disable DNSSEC to avoid circular dependency with NTP
@@ -27,6 +27,8 @@ lib.mkMerge [
|
|||||||
# sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
|
# sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
|
||||||
}
|
}
|
||||||
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && !config.sane.services.hickory-dns.enable) {
|
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && !config.sane.services.hickory-dns.enable) {
|
||||||
|
services.resolved.enable = lib.mkForce false;
|
||||||
|
|
||||||
# resolve DNS recursively with Unbound.
|
# resolve DNS recursively with Unbound.
|
||||||
services.unbound.enable = lib.mkDefault true;
|
services.unbound.enable = lib.mkDefault true;
|
||||||
services.unbound.resolveLocalQueries = true;
|
services.unbound.resolveLocalQueries = true;
|
||||||
@@ -34,7 +36,14 @@ lib.mkMerge [
|
|||||||
"127.0.0.1"
|
"127.0.0.1"
|
||||||
"::1"
|
"::1"
|
||||||
];
|
];
|
||||||
services.resolved.enable = lib.mkForce false;
|
# effectively disable DNSSEC, to avoid a circular dependency between DNS resolution and NTP.
|
||||||
|
# without this, if the RTC fails, then both time and DNS are unrecoverable.
|
||||||
|
# if you enable this, make sure to persist the stateful data.
|
||||||
|
# alternatively, use services.unbound.settings.trust-anchor = ... (or trusted-keys-file)
|
||||||
|
services.unbound.enableRootTrustAnchor = false;
|
||||||
|
services.unbound.settings.server.cache-max-negative-ttl = 60;
|
||||||
|
# services.unbound.settings.server.use-caps-for-id = true; #< TODO: randomizes casing to avoid spoofing
|
||||||
|
services.unbound.settings.server.prefetch = true; # prefetch RRs which are about to expire from the cache, to keep them primed
|
||||||
})
|
})
|
||||||
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
|
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
|
||||||
# use systemd's stub resolver.
|
# use systemd's stub resolver.
|
||||||
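Review bot: `services.unbound.enableRootTrustAnchor = false;` in the second hunk switches off DNSSEC validation for every zone, not only the names NTP needs, so the resolver will now return forged or expired answers without complaint and any client behind it that relies on the AD bit loses that signal. If the goal is only to survive a wrong clock, a narrower option is to keep the anchor and set `services.unbound.settings.server.val-override-date = "-1";`, which ignores RRSIG inception/expiry dates while still checking signature chains, or to list just the NTP zone under `services.unbound.settings.server.domain-insecure` (zone name as a placeholder here). In either case the comment should state plainly that validation is disabled for all queries rather than "effectively disable DNSSEC", and the `use-caps-for-id` TODO in the same hunk becomes more pressing, since case and source-port randomization are then the remaining defenses against spoofed replies. The enclosing `lib.mkMerge` list starts before the first hunk.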
|