nixos/modules/system/resolved: disable DNSSEC validation by default

Historically, we allowed downgrade of DNSSEC, but some folks argue
that doing opportunistic DNSSEC may actually decrease the security posture.

In addition, the current implementation of (opportunistic) DNSSEC validation
is broken against "in the wild" servers which are usually slightly non-compliant.

systemd upstream recommended to me (in personal communication surrounding
the All Systems Go 2023 conference) to disable DNSSEC validation until
they work on it in a significant capacity, ideally, by next year.
Raito Bezarius 2023-09-13 11:49:16 +02:00
parent 703eef7b02
commit 4f461f7b77

@ -66,7 +66,7 @@ in
};
services.resolved.dnssec = mkOption {
default = "allow-downgrade";
default = "false";
example = "true";
type = types.enum [ "true" "allow-downgrade" "false" ];
description = lib.mdDoc ''
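Review bot: the default moves from `allow-downgrade` to `false`, which turns DNSSEC validation off for every host that relied on the old default, but this hunk changes only the `default` line and nothing here tells existing users what they lose or how to get the previous behaviour back. Suggest a release-note entry for the changed default and a sentence in the description stating that users who still want validation must set `services.resolved.dnssec = "allow-downgrade";` (or `"true"`) explicitly, so the weaker default is an informed choice rather than a silent one.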
@ -85,6 +85,12 @@ in
synthesizing a DNS response that suggests DNSSEC was not
supported.
- `"false"`: DNS lookups are not DNSSEC validated.
At the time of September 2023, systemd upstream advise
to disable DNSSEC by default as the current code
is not robust enough to deal with "in the wild" non-compliant
servers, which will usually give you a broken bad experience
in addition of insecure.
'';
};
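Review bot: the added note has grammar problems and an awkward placement in the rendered option description. `systemd upstream advise` should be `advises`, and `a broken bad experience in addition of insecure` reads better as `a broken experience in addition to an insecure one`. Because the new lines are not indented, mdDoc will render them as a lazy continuation of the `"false"` bullet; since the note justifies the default rather than describing the `"false"` value, consider either indenting it under the bullet deliberately or separating it with a blank line after the list so it renders as its own paragraph. The "September 2023" timestamp is useful, but it would help to say that the default should be revisited once upstream's validation code is reworked, so the weakened default does not outlive its reason.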