This setting is read by systemd-resolved.service(8).
I took that to mean only systemd-resolved cares about this setting.
Still seems odd to me that a global setting has one default and the per-link has a contradictory setting. Surely whatever is the recommended setting is recommended. I don't know enough about the subject to understand the nuance though. In any case, questions related to my specific setup are answered. Thanks.
The "defaults to false" for network files is never used. It defaults to whatever the global setting is.
Note that it is possible for systemd-networkd to be used without systemd-resolved.
when DNSSEC is unset in the network file the global setting is used. Is my summary correct?
That's right, yes.
From my system with DNSSEC enabled in the .network files but left as the default in /etc/systemd/resolved.conf:
empty@E485:~ $ resolvectl dnssec --no-p
Global: allow-downgrade
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes
empty@E485:~ $
With the DNSSEC options commented-out in the .network files:
empty@E485:~ $ resolvectl dnssec --no-p
Global: allow-downgrade
Link 3 (wlp3s0): allow-downgrade
Link 2 (enp2s0): allow-downgrade
empty@E485:~ $
And finally with DNSSEC enabled in resolved.conf but commented-out in the .network files:
empty@E485:~ $ resolvectl dnssec --no-p
Global: yes
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes
empty@E485:~ $
A .network file contains per link settings, resolved.conf contains global ones. In the case of per link DNS configurations, when DNSSEC is unset in the network file the global setting is used. Is my summary correct?
In addition to this global DNSSEC setting systemd-networkd.service(8) also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.
Defaults to false. This setting is read by systemd-resolved.service(8).
https://www.freedesktop.org/software/sy … twork.html
But then systemd-resolved documentation in regards to DNSSEC says:
Defaults to "allow-downgrade"
https://www.freedesktop.org/software/sy … .conf.html
So... systemd-networkd defaults DNSSEC to false, which is read by systemd-resolved but systemd-resolved sets it to allow-downgrade by default regardless?
A follow-up, which I can test myself easily and plan to but will ask anyway in case someone has already checked: if I set DNSSEC=false in my .network file, does systemd-resolved obey that, or does it also apply its default DNSSEC of allow-downgrade so I still have to specify it in my resolved.conf?
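The fallback rule quoted from the manual in this thread, as an added example that is not part of any post and is not systemd's own code: it computes the effective DNSSEC mode per link from the text of resolved.conf and the .network files, and lists the scopes that are not strictly validating. The function names and sample files are constructed, the built-in default is the "allow-downgrade" quoted above, and drop-in directories are not handled.

```python
import configparser

# Assumption: built-in global default, as quoted in the thread from resolved.conf(5).
BUILTIN_DEFAULT = "allow-downgrade"
TRUE = {"1", "yes", "y", "true", "t", "on"}
FALSE = {"0", "no", "n", "false", "f", "off"}

def read_dnssec(text, section):
    """Normalised DNSSEC= value from one config file's text, or None if unset."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case: systemd keys are case-sensitive
    cp.read_string(text)
    raw = (cp.get(section, "DNSSEC", fallback=None) or "").strip().lower()
    if not raw:
        return None  # commented out, absent, or empty: treated as unset
    if raw in TRUE:
        return "yes"
    if raw in FALSE:
        return "no"
    if raw == "allow-downgrade":
        return raw
    raise ValueError(f"unrecognised DNSSEC value: {raw!r}")

def effective(resolved_conf, network_files):
    """Global mode plus per-link mode; an unset link inherits the global one."""
    glob = read_dnssec(resolved_conf, "Resolve") or BUILTIN_DEFAULT
    modes = {"Global": glob}
    for link, text in network_files.items():
        modes[link] = read_dnssec(text, "Network") or glob
    return modes

def not_strict(modes):
    """Scopes where validation is off or may be downgraded."""
    return sorted(name for name, mode in modes.items() if mode != "yes")

# Constructed sample files, modelled on the three cases posted in the thread.
RESOLVED_DEFAULT = "[Resolve]\n#DNSSEC=allow-downgrade\n"
RESOLVED_STRICT = "[Resolve]\nDNSSEC=yes\n"
NET_SET = "[Match]\nName=wlp3s0\n\n[Network]\nDHCP=yes\nDNSSEC=yes\n"
NET_UNSET = "[Match]\nName=wlp3s0\n\n[Network]\nDHCP=yes\n#DNSSEC=yes\n"
NET_OFF = "[Match]\nName=enp2s0\n\n[Network]\nDHCP=yes\nDNSSEC=false\n"

if __name__ == "__main__":
    for conf, nets in [(RESOLVED_DEFAULT, {"wlp3s0": NET_SET}),
                       (RESOLVED_DEFAULT, {"wlp3s0": NET_UNSET}),
                       (RESOLVED_STRICT, {"wlp3s0": NET_UNSET, "enp2s0": NET_OFF})]:
        modes = effective(conf, nets)
        print(modes, "-> not strict:", not_strict(modes))
```

The last case follows the quoted manual text: an explicit per-link DNSSEC=false stays in effect even when the global setting is yes, so that link is the one reported.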