From 05be94e4d7f4674520cae8d7e29612b9ffb58715 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Sat, 8 Jan 2022 12:09:26 +0000
Subject: [PATCH] ops/nixos/common: disable DNSSEC in systemd-resolved

It's super broken. At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has DNSKEY records but there's no matching DS record at .com for it. There are also other reports: https://github.com/systemd/systemd/issues/12388 tl;dr: it just doesn't work, let's not use that.
---
 ops/nixos/lib/common.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 23b990e719..53b3f0cf54 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -76,6 +76,7 @@ in
 services.resolved = {
 enable = true;
 llmnr = "false"; # LLMNR breaks search domains.
+ dnssec = "false"; # DNSSEC support in systemd-resolved is just broken.
 domains = config.networking.search;
 extraConfig = ''
 # For global search domains to work, we also need global DNS servers.
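Review bot: The added `dnssec = "false";` line sits in the shared `ops/nixos/lib/common.nix`, so, assuming every host imports this module, no machine validates DNSSEC in its local resolver after this change. The inline comment records neither that trade-off nor where the breakage is tracked. With validation off in systemd-resolved, answers are only as trustworthy as the global DNS servers configured in `extraConfig` and the network path to them, so it is worth confirming those upstream resolvers validate. I would make the comment carry the reason and the pointer from the commit message, for example `dnssec = "false"; # resolved's validator fails on zones such as clever-cloud.com (systemd/systemd#12388); validation is left to the upstream resolvers.` That way a later reader knows when the setting can be revisited. The `services.resolved` block continues past the end of the hunk, so the configured servers are not visible here.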