From 4f50f4a36737037e11dfa6de78cb5c50f86e0ebd Mon Sep 17 00:00:00 2001
From: Mikaela Suomalainen
Date: Sun, 21 Nov 2021 11:37:03 +0200
Subject: [PATCH] systemd-resolved: don't DNSSEC with adblocking
---
 etc/systemd/resolved.conf.d/adguard-dot.conf | 2 +-
 etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/etc/systemd/resolved.conf.d/adguard-dot.conf b/etc/systemd/resolved.conf.d/adguard-dot.conf
index 6ebf6496..32f71ecc 100644
--- a/etc/systemd/resolved.conf.d/adguard-dot.conf
+++ b/etc/systemd/resolved.conf.d/adguard-dot.conf
@@ -6,7 +6,7 @@ DNS=2a10:50c0::ad1:ff#dns.adguard.com 94.140.14.14#dns.adguard.com 2a10:50c0::ad
 Domains=~.
 # non-tech friendliness in case system down for ages. Also DNSSEC ensures
 # the DNS server isn't lying which is a task of adblocking DNS server...
-DNSSEC=allow-downgrade
+DNSSEC=false
 # There is no point of disabling this with adblocking DNS
 DNSOverTLS=true
 Cache=true
diff --git a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf b/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
index b37ca0f5..1313ac60 100644
--- a/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
+++ b/etc/systemd/resolved.conf.d/dot-mullvad-adblock-strict.conf
@@ -1,6 +1,8 @@
 [Resolve]
 DNS=2a07:e340::3#adblock.doh.mullvad.net 194.242.2.3#adblock.doh.mullvad.net 193.19.108.3#adblock.doh.mullvad.net
 Domains=~.
-DNSSEC=true
+# non-tech friendliness in case system down for ages. Also DNSSEC ensures
+# the DNS server isn't lying which is a task of adblocking DNS server...
+DNSSEC=false
 DNSOverTLS=true
 Cache=true
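Review bot: The comment kept above `DNSSEC=false` in adguard-dot.conf still reads as the rationale for the old `allow-downgrade` value and does not say what is given up. With local validation off and `Domains=~.` routing every name to this resolver, answer integrity rests only on the TLS session that `DNSOverTLS=true` sets up to the name after `#` in `DNS=`. I would state that next to the setting, e.g. `# DNSSEC validation is off because the blocking resolver rewrites answers; integrity now relies on DNSOverTLS=true and the #hostname in DNS=, keep both.` The context line `# There is no point of disabling this with adblocking DNS` presumably refers to `DNSOverTLS` below it, but it now directly follows `DNSSEC=false` and can be read as contradicting it, so naming its subject would help. The second hunk (dot-mullvad-adblock-strict.conf) copies the same comment while going from `DNSSEC=true` straight to `false`, so the same wording applies there.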