From d5922ff2b891d0a24030b84147ad61dce4185bd1 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 9 Nov 2023 11:38:28 +0100
Subject: [PATCH] fix: disable DNSSEC for now because of an issue in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
systemd https://github.com/systemd/systemd/issues/10579
Without this change, there are random SERVFAIL responses with Greenbaum DNS when using allow-downgrade.
Fixes DNS queries for lev-1.int.greenbaum.zone
❯ dig obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
; <<>> DiG 9.18.19 <<>> obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1871
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. IN A
;; ANSWER SECTION:
obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone. 22 IN A 192.168.128.82
;; Query time: 105 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Nov 09 10:38:02 UTC 2023
;; MSG SIZE rcvd: 121
---
 modules/networking.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/networking.nix b/modules/networking.nix
index 5b879b8..44cf17c 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -27,11 +27,14 @@
 services.resolved = {
 enable = true;
+ # DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
+ # when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
 extraConfig = ''
 DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
 FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
 Domains=~.
 DNSOverTLS=yes
+ DNSSEC=false
 '';
 };
 }
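Review bot: `DNSSEC=false` is written into `extraConfig`, which bypasses the module option `services.resolved.dnssec` that already controls this setting; `services.resolved.dnssec = "false";` would keep one source of truth and not depend on resolved's last-assignment-wins handling if the option's default also emits a `DNSSEC=` line into resolved.conf. The added comment records the symptom but not the trade-off: with validation off, resolved accepts unsigned answers for every zone, not only the greenbaum one, so a marker such as `# TODO: return to allow-downgrade once the upstream issue is resolved` would tell a later reader when this is meant to be reverted. The hunk header carries a 14-line new side while only 13 new-side lines are visible, so one line (possibly a wrapped `DNS=` continuation or a blank) appears lost in this rendering. The outer attribute set that encloses `services.resolved` starts before the hunk.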