
Enable DNSSEC support in systemd-resolve

I'm currently running Ubuntu 18.04 and I noticed that by default DNS goes through systemd-resolved, whose stub resolver listens on 127.0.0.53:

stanislas@xps ~> cat /etc/resolv.conf 
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53

Most recent systemd-based distributions use it, and Ubuntu has since 16.10. It plays the same role dnsmasq used to play on the desktop: a local caching stub resolver that forwards to the uplink DNS servers.

By playing around a bit with the service, I noticed DNSSEC checking was disabled:

stanislas@xps ~> systemd-resolve --status | grep DNSSEC
          DNSSEC NTA: 10.in-addr.arpa
      DNSSEC setting: no
    DNSSEC supported: no

It was confirmed by the config file:

stanislas@xps ~> grep DNSSEC /etc/systemd/resolved.conf 
#DNSSEC=

I changed that line to DNSSEC=yes. The other accepted values are no and allow-downgrade; allow-downgrade validates when the upstream server returns DNSSEC records but silently falls back to unvalidated answers when it doesn't, so only yes actually fails closed.

After restarting the service, the status showed DNSSEC enabled, and a lookup of www.dnssec-failed.org (a test domain whose DNSSEC signatures are deliberately broken) returned SERVFAIL instead of an address, which confirms that answers are now being validated:

sudo systemctl restart systemd-resolved
stanislas@xps ~> systemd-resolve --status | grep DNSSEC
          DNSSEC NTA: 10.in-addr.arpa
      DNSSEC setting: yes
    DNSSEC supported: yes
stanislas@xps ~> dig www.dnssec-failed.org | grep status
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50750
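The same change, done as a drop-in file rather than by editing /etc/systemd/resolved.conf in place, so a package upgrade cannot clobber it. This is an added example and not part of the original post; it assumes the standard systemd drop-in directory /etc/systemd/resolved.conf.d/ is honoured, that dig (from dnsutils) is installed, and it uses the same systemd-resolve --status / dig www.dnssec-failed.org checks as above. The function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): enable DNSSEC validation in
# systemd-resolved via a drop-in, then verify with a known-bad domain.
# Assumptions: /etc/systemd/resolved.conf.d/ is read by systemd-resolved
# (standard behaviour) and dig(1) is available for the validation check.
set -eu

# Write (or overwrite) a drop-in setting DNSSEC= to the requested mode.
# Valid modes are yes, no and allow-downgrade. The path is a parameter so
# the function can be exercised on a temporary file before touching /etc.
write_dnssec_dropin() {
    dropin="$1"; mode="$2"
    case "$mode" in
        yes|no|allow-downgrade) ;;
        *) echo "invalid DNSSEC mode: $mode" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$dropin")"
    printf '[Resolve]\nDNSSEC=%s\n' "$mode" > "$dropin"
}

# Print the effective DNSSEC= value from a resolved.conf-style file, ignoring
# commented-out lines such as "#DNSSEC=". Prints "unset" if none is active.
effective_dnssec() {
    v=$(sed -n 's/^[[:space:]]*DNSSEC=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Classify a dig(1) header line. A validating resolver answers SERVFAIL for a
# domain with deliberately broken signatures (www.dnssec-failed.org); NOERROR
# there means the resolver is not validating at all.
validation_verdict() {
    case "$1" in
        *"status: SERVFAIL"*) echo "validating" ;;
        *"status: NOERROR"*)  echo "not-validating" ;;
        *)                    echo "unknown" ;;
    esac
}

# Usage: sudo sh enable-dnssec.sh apply [yes|allow-downgrade|no]
if [ "${1:-}" = "apply" ]; then
    write_dnssec_dropin /etc/systemd/resolved.conf.d/dnssec.conf "${2:-yes}"
    systemctl restart systemd-resolved
    systemd-resolve --status | grep DNSSEC
    validation_verdict "$(dig www.dnssec-failed.org | grep -F 'status:')"
fi
```

If the verdict is "not-validating" even with DNSSEC=yes in place, check that the drop-in actually won (systemd-resolve --status should show "DNSSEC setting: yes") and that the uplink server advertised by your DHCP lease is not stripping DNSSEC records; with DNSSEC=yes such an uplink makes every signed zone fail with SERVFAIL, which is the fail-closed behaviour you asked for.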


Angristan

I'm an 18-year-old French sysadmin studying at an IT school and working for a web hosting company.
