I can’t get DNSSEC configured correctly

I wanted to use DNSSEC and systemd-resolved, so I added this to my NixOS config:

{ pkgs, lib, config, ... }: {
  services.resolved = {
    enable = true;
    dnssec = "true";
  };
  networking.nameservers = [ "1.1.1.1" "1.0.0.1" "2606:4700:4700::1111" "2606:4700:4700::1001" ];
}

But it doesn’t seem to actually enable DNSSEC.
When I run systemd-resolve google.com, I get this:

google.com: 142.250.184.206                                 -- link: wlp7s0
            2a00:1450:4001:809::200e                        -- link: wlp7s0

-- Information acquired via protocol DNS in 69.0ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

The part

Data is authenticated: no; Data was acquired via local or encrypted transport: no

makes me suspicious.

Here’s the generated /etc/resolv.conf:

nameserver 127.██████████████
options edns0 trust-ad
search fritz.box

And here’s the output of systemd-resolve --status:

Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
    resolv.conf mode: stub
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google
                      1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google
                      2606:4700:4700::1111#cloudflare-dns.com
                      2001:4860:4860::8888#dns.google
                      2606:4700:4700::1001#cloudflare-dns.com
                      2001:4860:4860::8844#dns.google

Link 2 (enp8s0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 3 (wlp7s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.██████████████
       DNS Servers: 192.██████████████ fd00██████████████
        DNS Domain: fritz.box

google.com is not DNSSEC-signed, so I wouldn’t expect that to work. Try with e.g. verisign.com?

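The "Data is authenticated: yes/no" line that systemd-resolve prints corresponds to the AD (Authenticated Data) bit in the DNS response header, which a validating resolver sets only when it could validate the answer against a signed chain of trust. For an unsigned zone the bit is (correctly) clear, so "no" is not by itself evidence that validation is off. The following script is an added example, not code from this thread or from systemd; it parses the header flags of raw DNS wire-format messages and classifies the result the way a practitioner would read resolver output. The two sample responses are constructed inline (the names verisign.com and google.com are taken from the thread, the addresses are documentation-range placeholders), so it runs offline.

```python
import struct
from dataclasses import dataclass

# Header flag bits, RFC 1035 / RFC 4035 layout (16-bit flags word).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2


@dataclass
class DnsFlags:
    qr: bool      # response (1) or query (0)
    rcode: int    # 0 NOERROR, 2 SERVFAIL (validation failures surface here), 3 NXDOMAIN
    ad: bool      # Authenticated Data: resolver validated the answer with DNSSEC
    cd: bool      # Checking Disabled: client asked the resolver not to validate
    rd: bool
    ra: bool


def parse_flags(msg: bytes) -> DnsFlags:
    """Decode the 12-byte DNS header and return the flags relevant to DNSSEC."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return DnsFlags(
        qr=bool(flags & QR),
        rcode=flags & 0x000F,
        ad=bool(flags & AD),
        cd=bool(flags & CD),
        rd=bool(flags & RD),
        ra=bool(flags & RA),
    )


def classify(msg: bytes) -> str:
    """Interpret a response the way a validating stub resolver would report it.

    'authenticated' : AD set, the data passed DNSSEC validation.
    'servfail'      : no answer; with a validating resolver this is how a
                      bogus (failed-validation) answer is reported.
    'insecure'      : answer returned but not validated, which is the normal
                      result for an unsigned zone such as google.com.
    """
    f = parse_flags(msg)
    if not f.qr:
        return "not-a-response"
    if f.rcode == RCODE_SERVFAIL:
        return "servfail"
    if f.rcode == RCODE_NOERROR and f.ad:
        return "authenticated"
    return "insecure"


# --- constructed test messages (not captured traffic) -----------------------

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_response(name: str, ipv4: str, authenticated: bool, rcode: int = RCODE_NOERROR) -> bytes:
    """Build a minimal A-record response with the AD bit set or clear."""
    flags = QR | RD | RA | (rcode & 0x000F)
    if authenticated:
        flags |= AD
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)        # id, flags, qd, an, ns, ar
    question = encode_name(name) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    answer = (b"\xc0\x0c"                                         # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)                # A, IN, TTL 300, RDLENGTH 4
              + bytes(int(o) for o in ipv4.split(".")))
    return header + question + answer


SIGNED_ZONE_REPLY = build_response("verisign.com", "192.0.2.10", authenticated=True)
UNSIGNED_ZONE_REPLY = build_response("google.com", "192.0.2.20", authenticated=False)
BOGUS_ZONE_REPLY = build_response("bogus.example", "192.0.2.30", authenticated=False,
                                  rcode=RCODE_SERVFAIL)

if __name__ == "__main__":
    for label, msg in [("verisign.com", SIGNED_ZONE_REPLY),
                       ("google.com", UNSIGNED_ZONE_REPLY),
                       ("bogus.example", BOGUS_ZONE_REPLY)]:
        f = parse_flags(msg)
        print(f"{label:14s} AD={int(f.ad)} rcode={f.rcode} -> {classify(msg)}")
```

Reading the three outcomes side by side is the useful part: only a signed zone queried through a validating resolver can yield "authenticated", an unsigned zone always yields "insecure" no matter how resolved is configured, and a signed zone whose signatures fail validation surfaces as SERVFAIL rather than as an unauthenticated answer. The `options edns0 trust-ad` line in the generated resolv.conf is what lets local programs believe the AD bit coming back from 127.0.0.53, so it only means anything once the stub resolver itself is validating.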

Oh. I thought most major websites were. Thanks!

Masking 127.0.0.53 and your local private IPs (192.168.178.1) is not really necessary. I could have the exact same ones.

Also FYI resolved handles issues with DNSSEC really poorly and caused me baby problems in the last weeks.

I can’t believe google.com doesn’t use it… I wonder why (performance? breaks too many things?).

A rather upfront web site for checking DNSSEC! …