I can’t get DNSSEC configured correctly

I wanted to use DNSSEC and systemd-resolved, so I added this to my NixOS config:

{ pkgs, lib, config, ... }: {
  services.resolved = {
    enable = true;
    dnssec = "true";
  };
  # the first two entries were redacted in the original post
  networking.nameservers = [ "" "" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
}

But it doesn’t seem to actually enable DNSSEC.
When I run systemd-resolve google.com, I get this:

google.com:                                 -- link: wlp7s0
            2a00:1450:4001:809::200e                        -- link: wlp7s0

-- Information acquired via protocol DNS in 69.0ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

The part

Data is authenticated: no; Data was acquired via local or encrypted transport: no

makes me suspicious.

Here’s the generated /etc/resolv.conf:

nameserver 127.██████████████
options edns0 trust-ad
search fritz.box

And here’s the output of systemd-resolve --status:

           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server:
         DNS Servers: 2606:4700:4700::1111 2606:4700:4700::1001
Fallback DNS Servers:

Link 2 (enp8s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 3 (wlp7s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.██████████████
       DNS Servers: 192.██████████████ fd00██████████████
        DNS Domain: fritz.box

google.com is not dnssec-signed, so I wouldn’t expect that to work. Try with e.g. verisign.com?

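The trailer that systemd-resolve / resolvectl prints after each query ("Data is authenticated: yes/no") is the thing to read when checking whether validation actually happened. The following is an added example, not code from the thread: a small POSIX shell helper that classifies that trailer, fed with two constructed samples (the unsigned google.com answer from the post, and what a validated answer from a signed zone looks like). The hostname example.test and its address are made-up placeholders; check_live needs a running systemd-resolved and is not part of the offline check.

```shell
#!/bin/sh
# Added example (not from the original thread): classify the DNSSEC state
# reported in the trailer of `resolvectl query` / `systemd-resolve` output.

# dnssec_status OUTPUT
# Prints "authenticated", "unauthenticated" or "unknown" (trailer missing,
# e.g. the query itself failed).
dnssec_status() {
  printf '%s\n' "$1" | awk '
    /Data is authenticated: yes/ { s = "authenticated" }
    /Data is authenticated: no/  { s = "unauthenticated" }
    END { print (s == "" ? "unknown" : s) }'
}

# check_live NAME
# Runs a real query through resolved and classifies it.  With
# services.resolved.dnssec = "true", a name whose signatures fail to
# validate is not answered at all, so that case ends up as "unknown".
check_live() {
  dnssec_status "$(resolvectl query "$1" 2>&1)"
}

# Constructed sample 1: the unsigned-zone answer quoted in the post.
UNSIGNED_OUTPUT='google.com: 2a00:1450:4001:809::200e -- link: wlp7s0

-- Information acquired via protocol DNS in 69.0ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network'

# Constructed sample 2: the same trailer as resolved prints it for a
# validated answer from a DNSSEC-signed zone (hostname/address made up).
SIGNED_OUTPUT='example.test: 192.0.2.1 -- link: wlp7s0

-- Information acquired via protocol DNS in 40.0ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network'

# Constructed sample 3: a failed query has no trailer at all.
FAILED_OUTPUT='example.test: resolve call failed: DNSSEC validation failed'

# When invoked with a hostname, run a live check against resolved.
if [ -n "${1-}" ]; then
  check_live "$1"
fi
```

To reproduce the thread's suggestion, run the script with a name from a signed zone (the reply proposes verisign.com) and then with google.com: only the first should come back "authenticated", and the difference is a property of the zone, not of the local DNSSEC= setting.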

Oh. I thought most major websites were. Thanks!

Masking and your local private IPs is not really necessary. I could have the exact same ones.

Also FYI resolved handles issues with DNSSEC really poorly and caused me baby problems in the last weeks.

I can’t believe google.com doesn’t use it… I wonder why (performance? breaks too many things?).

A rather up-front web site for checking DNSSEC! …