#1 2020-03-25 06:31:20

dtjohnst
Member
Registered: 2007-03-01
Posts: 85

[Solved] DNSSEC default

In regards to DNSSEC, systemd-networkd documentation says:

Defaults to false. This setting is read by systemd-resolved.service(8).

https://www.freedesktop.org/software/sy … twork.html

But then systemd-resolved documentation in regards to DNSSEC says:

Defaults to "allow-downgrade"

https://www.freedesktop.org/software/sy … .conf.html

So... systemd-networkd defaults DNSSEC to false, which is read by systemd-resolved but systemd-resolved sets it to allow-downgrade by default regardless?

A follow-up, which I can test myself easily and plan to but will ask anyway in case someone has already checked: if I set DNSSEC=false in my .network file, does systemd-resolved obey that, or does it also apply its default DNSSEC of allow-downgrade so I still have to specify it in my resolved.conf?

Last edited by dtjohnst (2020-03-27 03:01:50)


#2 2020-03-26 11:27:10

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] DNSSEC default

man resolved.conf wrote:

In addition to this global DNSSEC setting systemd-networkd.service(8) also maintains per-link DNSSEC settings. For system DNS servers (see above), only the global DNSSEC setting is in effect. For per-link DNS servers the per-link setting is in effect, unless it is unset in which case the global setting is used instead.


#3 2020-03-26 12:22:48

dtjohnst
Member
Registered: 2007-03-01
Posts: 85

Re: [Solved] DNSSEC default

Confusion persists. Let me attempt to summarize that paragraph of technical writing:

A .network file contains per link settings, resolved.conf contains global ones. In the case of per link DNS configurations, when DNSSEC is unset in the network file the global setting is used. Is my summary correct?

Last edited by dtjohnst (2020-03-26 12:23:36)


#4 2020-03-26 12:32:27

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] DNSSEC default

That is my understanding for per link DNS servers.  For system DNS servers the global ones in resolved are used.


#5 2020-03-26 13:23:31

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,679
Website

Re: [Solved] DNSSEC default

dtjohnst wrote:

when DNSSEC is unset in the network file the global setting is used. Is my summary correct?

That's right, yes.

From my system with DNSSEC enabled in the .network files but left as the default in /etc/systemd/resolved.conf:

empty@E485:~ $ resolvectl dnssec --no-p                                                  
Global: allow-downgrade
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes
empty@E485:~ $

With the DNSSEC options commented-out in the .network files:

empty@E485:~ $ resolvectl dnssec --no-p                                                  
Global: allow-downgrade
Link 3 (wlp3s0): allow-downgrade
Link 2 (enp2s0): allow-downgrade
empty@E485:~ $

And finally with DNSSEC enabled in resolved.conf but commented-out in the .network files:

empty@E485:~ $ resolvectl dnssec --no-p                                                  
Global: yes
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes
empty@E485:~ $

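A check built on the `resolvectl dnssec` output quoted in the post above, added here as an example and not part of the original thread. It flags every scope whose effective mode is not `yes`, since resolved.conf(5) documents `allow-downgrade` as vulnerable to downgrade attacks; the function name `dnssec_audit` and the verdict labels are made up for this example.

```sh
#!/bin/sh
# Added example: classify each scope in `resolvectl dnssec` output.
# Live use: resolvectl dnssec --no-pager | dnssec_audit

# Reads the output on stdin, prints "<scope> TAB <mode> TAB <verdict>" per
# scope, and returns 1 if any scope is not strictly validating ("yes").
dnssec_audit() {
    awk '
        BEGIN { bad = 0 }
        # Matches "Global: allow-downgrade" and "Link 3 (wlp3s0): yes";
        # shell prompts and blank lines are ignored.
        /^(Global|Link [0-9]+ [(][^)]+[)]): / {
            mode = $NF
            scope = $0
            sub(/: [^:]*$/, "", scope)      # drop the trailing ": <mode>"
            if (mode == "yes")                  verdict = "strict"
            else if (mode == "allow-downgrade") verdict = "downgradeable"
            else if (mode == "no")              verdict = "off"
            else                                verdict = "unknown"
            if (verdict != "strict") bad = 1
            printf "%s\t%s\t%s\n", scope, mode, verdict
        }
        END { exit bad }
    '
}

# Sample inputs: the three outputs quoted in the post, embedded to run offline.
SAMPLE_LINKS_SET='Global: allow-downgrade
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes'
SAMPLE_LINKS_UNSET='Global: allow-downgrade
Link 3 (wlp3s0): allow-downgrade
Link 2 (enp2s0): allow-downgrade'
SAMPLE_GLOBAL_SET='Global: yes
Link 3 (wlp3s0): yes
Link 2 (enp2s0): yes'

for sample in "$SAMPLE_LINKS_SET" "$SAMPLE_LINKS_UNSET" "$SAMPLE_GLOBAL_SET"; do
    if printf '%s\n' "$sample" | dnssec_audit; then
        echo "=> all scopes validate strictly"
    else
        echo "=> at least one scope is not in strict mode"
    fi
done
```

The link lines show the effective mode, so a link that matches the global value may simply be inheriting it; only the .network file tells the two cases apart.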

#6 2020-03-27 03:01:36

dtjohnst
Member
Registered: 2007-03-01
Posts: 85

Re: [Solved] DNSSEC default

Head_on_a_Stick's examples illustrate my point: the "defaults to false" for network files is never used. It defaults to whatever the global setting is. Thanks for the clarification.


#7 2020-03-27 19:33:06

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] DNSSEC default

Head_on_a_Stick, did the network files contain Domains entries or have DNSDefaultRoute set?


#8 2020-03-27 19:55:50

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,679
Website

Re: [Solved] DNSSEC default

^ No, they did not.

dtjohnst wrote:

the "defaults to false" for network files is never used. It defaults to whatever the global setting is

Note that it is possible for systemd-networkd to be used without systemd-resolved.


#9 2020-03-27 20:07:14

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: [Solved] DNSSEC default

The DNS servers were configured in the .network files or resolved.conf?


#10 2020-03-27 20:23:49

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,679
Website

Re: [Solved] DNSSEC default

Both, actually. I also have UseDNS=false to stop my router from being used as the nameserver.


#11 2020-03-30 05:27:40

dtjohnst
Member
Registered: 2007-03-01
Posts: 85

Re: [Solved] DNSSEC default

I know systemd-networkd can be used without systemd-resolved. But based on:

This setting is read by systemd-resolved.service(8).

I took that to mean only systemd-resolved cares about this setting.

Still seems odd to me that a global setting has one default and the per-link has a contradictory setting. Surely whatever is the recommended setting is recommended. I don't know enough about the subject to understand the nuance though. In any case, questions related to my specific setup are answered. Thanks.

Last edited by dtjohnst (2020-03-30 05:30:24)
