On Mon, Sep 28, 2020 at 01:45:02PM +0100, Tom Hughes wrote: > On 28/09/2020 12:47, Zbigniew Jędrzejewski-Szmek wrote: > > >You're mixing a few different things here. We decided to not enable > >DNSSEC in resolved with this change, at least initially. For most > >users, DNSSEC is problematic because various intermediary DNS servers > >found in hotspots and routers don't support DNSSEC properly, leading > >to hard-to-debug validation failures. DNSSEC support in resolved can > >be enabled through resolved.conf. This may be a reasonable thing to do in > >an environment where the configured dns servers are known to support dnssec > >properly. > > Well you're not just "not enabling it" really, for people like me that > have already made the switch to systemd-resolved (in large part in > search of better DNSSEC support) you're actually disabling it... > > Having as I said experienced the trauma of trying to get DNSSEC working > reliably I do understand how hard a problem is it however. I just need > to remember to start adding a dropin to enable it again ;-)
What was the setup you were using? If this is something that we can reliably detect, I think it it would make sense to adjust the scriptlet that enables systemd-resolved to print a hint about needing to set DNSSEC=yes. (Or maybe even set that itself?). Zbyszek _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
