Mikaela/shell-things
1
0
Fork 0
mirror of https://gitea.blesmrt.net/mikaela/shell-things.git synced 2025-01-22 10:04:34 +01:00
Code Issues Projects Releases Wiki Activity

systemd-resolved: keep DNSSEC enabled

Browse Source
This commit is contained in:
Aminda Suomalainen 2023-10-21 11:27:07 +03:00
parent 2022c99516
commit b6ecd1b173
Signed by: Mikaela
SSH Key Fingerprint: SHA256:CXLULpqNBdUKB6E6fLA1b/4SzG0HvKD19PbIePU175Q
3 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
etc/systemd/resolved.conf.d/00-defaults.conf
View File

@ -1,6 +1,9 @@
[Resolve] [Resolve]
# https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867 # https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
#DNSSEC=allow-downgrade #DNSSEC=allow-downgrade
DNSSEC=no # Regardless of the above DNS breaking issues when DNSSEC is
# enabled/opportunistic, it provides authentication which is important. TLS
# cannot be fully trusted. https://notes.valdikss.org.ru/jabber.ru-mitm/
DNSSEC=yes
DNSOverTLS=opportunistic DNSOverTLS=opportunistic
Cache=yes Cache=yes

10
etc/systemd/resolved.conf.d/README.md
View File

@ -11,9 +11,9 @@ sudo systemctl restart systemd-resolved
## Files explained ## Files explained
- `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as - `00-defaults.conf` - configuration not touching resolvers. Enables DNSSEC
systemd-resolved doesn't handle it properly), enables opportunistic DoT and (regardless of systemd-resolved not handling it properly), enables
caching. opportunistic DoT and caching.
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If - `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
captive portals are a concern, `DNSOverTLS=no`. captive portals are a concern, `DNSOverTLS=no`.
- `README.md` - you are reading it right now. - `README.md` - you are reading it right now.
@ -33,10 +33,12 @@ sudo systemctl restart systemd-resolved
potential downgrade attack. There are also captive portals, affecting potential downgrade attack. There are also captive portals, affecting
`DNSOverTLS`. Both take `yes` or `no` or their own special option, `DNSOverTLS`. Both take `yes` or `no` or their own special option,
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`. for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
- Then again when was any system that outdated to not have working DNSSEC?
- TODO: return to this configuration should that actually happen?
Other links I have found important and my files are based on: Other links I have found important and my files are based on:
- https://wiki.archlinux.org/index.php/Systemd-resolved - https://wiki.archlinux.org/index.php/Systemd-resolved
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867 - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
- request for strict DOT: https://github.com/systemd/systemd/issues/10755 - request for strict DoT: https://github.com/systemd/systemd/issues/10755
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397 - vulnerable to MITM: https://github.com/systemd/systemd/issues/9397

2
etc/systemd/resolved.conf.d/unbound.conf
View File

@ -4,7 +4,7 @@ DNS=127.0.0.1
DNS=::1 DNS=::1
Domains=~. Domains=~.
# Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867) # Done better by Unbound, no failed-auxiliary (https://github.com/systemd/systemd/issues/9867)
DNSSEC=no #DNSSEC=no
# Not needed on localhost # Not needed on localhost
DNSOverTLS=no DNSOverTLS=no
# Done by Unbound # Done by Unbound