Bug#1033192: Acknowledgement (systemd-resolved - stub resolver does not provide AD by default)

Luca Boccassi bluca at debian.org
Sun May 26 14:57:02 BST 2024


Control: tags -1 wontfix
Control: close -1

On Tue, 22 Aug 2023 11:04:22 +0200 Michael Biebl <biebl at debian.org>
wrote:
> On 19.03.23 at 12:53, Bastian Blank wrote:
> > Upstream changed the default for the DNSSEC option to "allow-downgrade"
> > and that is what is documented everywhere.  Debian overrides it to
> > "no".
> 
> See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996
> 
> Both Ubuntu and Fedora, which use resolved more extensively, have
> disabled DNSSEC by default, since it caused too many issues.
> 
> If the situation has significantly changed nowadays, I can't tell, but it
> would probably be a good idea to get input from those downstreams.

DNSSEC is way too flaky as a concept to enable by default, it breaks
just too often due to the random variance in the quality of service
provided by default DNS servers you get from random ISPs around the
world, and it's really difficult to debug due to this inherently local
variance.

Hence it's disabled by default, intentionally - one can always
trivially enable it locally if their ISP/choice of DNS is known to
behave reasonably well. But it would cause too many unactionable bug
reports to enable by default distro-wide I'm afraid, hence closing.

-- 
Kind regards,
Luca Boccassi