pyrox.dev / nixpkgs
lol
fork atom

nixos/modules/system/resolved: disable DNSSEC validation by default

Historically, we allowed downgrade of DNSSEC, but some folks argue
this may decrease actually the security posture to do opportunistic DNSSEC.

In addition, the current implementation of (opportunistic) DNSSEC validation
is broken against "in the wild" servers which are usually slightly non-compliant.

systemd upstream recommended to me (in personal communication surrounding
the All Systems Go 2023 conference) to disable DNSSEC validation until
they work on it in a significant capacity, ideally, by next year.

Raito Bezarius 4f461f7b 703eef7b

options
unified split
Changed files
+7 -1
nixos
modules
system
boot
resolved.nix
+7 -1
nixos/modules/system/boot/resolved.nix 
···

       
66

       
 

       
    };


     

       
67

       
 

       



     

       
68

       
 

       
    services.resolved.dnssec = mkOption {


     

       
69

       
-

       
      default = "allow-downgrade";


     

       
70

       
 

       
      example = "true";


     

       
71

       
 

       
      type = types.enum [ "true" "allow-downgrade" "false" ];


     

       
72

       
 

       
      description = lib.mdDoc ''


     
···

       
85

       
 

       
            synthesizing a DNS response that suggests DNSSEC was not


     

       
86

       
 

       
            supported.


     

       
87

       
 

       
        - `"false"`: DNS lookups are not DNSSEC validated.


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
88

       
 

       
      '';


     

       
89

       
 

       
    };


     

       
90

       
 

       



     
···

       
66

       
 

       
    };


     

       
67

       
 

       



     

       
68

       
 

       
    services.resolved.dnssec = mkOption {


     

       
69

       
+

       
      default = "false";


     

       
70

       
 

       
      example = "true";


     

       
71

       
 

       
      type = types.enum [ "true" "allow-downgrade" "false" ];


     

       
72

       
 

       
      description = lib.mdDoc ''


     
···

       
85

       
 

       
            synthesizing a DNS response that suggests DNSSEC was not


     

       
86

       
 

       
            supported.


     

       
87

       
 

       
        - `"false"`: DNS lookups are not DNSSEC validated.


     

       
88

       
+

       



     

       
89

       
+

       
        At the time of September 2023, systemd upstream advise


     

       
90

       
+

       
        to disable DNSSEC by default as the current code


     

       
91

       
+

       
        is not robust enough to deal with "in the wild" non-compliant


     

       
92

       
+

       
        servers, which will usually give you a broken bad experience


     

       
93

       
+

       
        in addition of insecure.


     

       
94

       
 

       
      '';


     

       
95

       
 

       
    };


     

       
96