[dns-operations] More DNSSEC validators to expect

Jan Včelak jan.vcelak at nic.cz
Tue May 24 08:22:45 UTC 2016

>> New version of Linux' systemd has DNSEC validation enabled by default:
>> http://news.softpedia.com/news/systemd-230-launches-with-dnssec-enabled-by-default-in-systemd-resolved-more-504339.shtml
> Which sends out all application queries over all interfaces to all
> DNS servers, and uses the first answer that comes back irrespective of
> DNSSEC status.

Let's call it "Opportunistic DNSSEC".

I wonder what is the purpose of DNSSEC=allow-downgrade. Maybe just to
verify that DNSSEC=true is a bad default in many networks and therefore
a bad default for regular users.

I really like this effort of systemd-resolved. But I think that
something similar to dnssec-trigger will be needed in the foreseeable
future anyway.


More information about the dns-operations mailing list