ops/nixos/common: disable DNSSEC in systemd-resolved

It's super broken.

At the moment, resolving foss.heptapod.net breaks, because clever-cloud.com has
DNSKEY records but there's no matching DS record at .com for it.

There are also other reports: https://github.com/systemd/systemd/issues/12388

tl;dr: it just doesn't work, let's not use that.
Luke Granger-Brown 2022-01-08 12:09:26 +00:00
parent 506a584dea
commit 05be94e4d7

@ -76,6 +76,7 @@ in
services.resolved = {
enable = true;
llmnr = "false"; # LLMNR breaks search domains.
dnssec = "false"; # DNSSEC support in systemd-resolved is just broken.
domains = config.networking.search;
extraConfig = ''
# For global search domains to work, we also need global DNS servers.
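Review bot: The comment on the added `dnssec = "false";` line says only that support is "just broken", which gives a later reader no way to tell when the setting can be revisited; put the upstream reference from the commit message (https://github.com/systemd/systemd/issues/12388) in that comment. With local validation turned off, resolved accepts whatever the upstream servers return, so it is worth confirming that the global DNS servers configured in `extraConfig` below are validating resolvers.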