
services.resolved.dnssec

If set to

  • "true": all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS). Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations will fail.
  • "allow-downgrade": DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. Note that this mode makes DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported.
  • "false": DNS lookups are not DNSSEC validated.

As of September 2023, systemd upstream advises disabling DNSSEC by default, because the current code is not robust enough to cope with non-compliant servers "in the wild"; enabling it will usually give you a broken experience in addition to an insecure one.
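As an added example (not part of the NixOS option description), the three settings side by side in a configuration.nix fragment; the nameserver addresses are constructed placeholders, and a DNSSEC-capable upstream is assumed for the strict setting.

```nix
{ config, pkgs, ... }:

{
  # systemd-resolved is the stub resolver that performs the validation.
  services.resolved.enable = true;

  # Strict mode: every lookup (except LLMNR/mDNS) must validate locally.
  # If the upstream does not support DNSSEC, all lookups fail closed.
  services.resolved.dnssec = "true";

  # Weaker alternative: validation is tried, but a forged reply that
  # looks like "no DNSSEC here" silently downgrades to unvalidated mode.
  # services.resolved.dnssec = "allow-downgrade";

  # Upstream default (September 2023): no validation at all.
  # services.resolved.dnssec = "false";

  # Constructed placeholder addresses; replace with DNSSEC-capable resolvers.
  networking.nameservers = [ "192.0.2.53" "2001:db8::53" ];
}
```

After `nixos-rebuild switch`, `resolvectl query <name>` prints `-- Data is authenticated: yes` only when the answer was actually validated, which is the quickest way to confirm the strict setting is in effect rather than silently downgraded.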

Type: one of "true", "allow-downgrade", "false"
Default: "false"
Example: "true"