dns: disable DNSSEC to avoid circular dependency with NTP

2024-10-06 13:00:12 +00:00
parent 6579e6264c
commit 7795a3f6aa


@@ -27,6 +27,8 @@ lib.mkMerge [
# sane.services.hickory-dns.asSystemResolver = lib.mkDefault true; # sane.services.hickory-dns.asSystemResolver = lib.mkDefault true;
} }
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && !config.sane.services.hickory-dns.enable) { (lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && !config.sane.services.hickory-dns.enable) {
services.resolved.enable = lib.mkForce false;
# resolve DNS recursively with Unbound. # resolve DNS recursively with Unbound.
services.unbound.enable = lib.mkDefault true; services.unbound.enable = lib.mkDefault true;
services.unbound.resolveLocalQueries = true; services.unbound.resolveLocalQueries = true;
@@ -34,7 +36,14 @@ lib.mkMerge [
"127.0.0.1" "127.0.0.1"
"::1" "::1"
]; ];
services.resolved.enable = lib.mkForce false; # effectively disable DNSSEC, to avoid a circular dependency between DNS resolution and NTP.
# without this, if the RTC fails, then both time and DNS are unrecoverable.
# if you enable this, make sure to persist the stateful data.
# alternatively, use services.unbound.settings.trust-anchor = ... (or trusted-keys-file)
services.unbound.enableRootTrustAnchor = false;
services.unbound.settings.server.cache-max-negative-ttl = 60;
# services.unbound.settings.server.use-caps-for-id = true; #< TODO: randomizes casing to avoid spoofing
services.unbound.settings.server.prefetch = true; # prefetch RRs which are about to expire from the cache, to keep them primed
}) })
(lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) { (lib.mkIf (!config.sane.services.hickory-dns.asSystemResolver && config.sane.services.hickory-dns.enable) {
# use systemd's stub resolver. # use systemd's stub resolver.
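Review bot: `services.unbound.enableRootTrustAnchor = false;` (line 26 of the second hunk) switches DNSSEC validation off for every name, not only the ones the time client has to resolve, so every cached and prefetched answer from here on is accepted unauthenticated. Unbound can exempt just the time servers' names with `services.unbound.settings.server.domain-insecure = [ "<ntp-server-domain>" ];` (or the NTP client can be given IP literals), which breaks the time↔DNS cycle while keeping validation for everything else, and is worth weighing before the global switch. If the global switch stays, the commented-out `use-caps-for-id` on line 28 becomes the remaining cheap spoofing mitigation, so either enable it or extend the `#< TODO` to say why it is deferred. The `lib.mkIf (…) {` attrset this hunk edits opens in the previous hunk.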