16 Apr
2020
16 Apr
'20
6:12 a.m.
On 16/04/2020 11:46, Florian Weimer wrote:
- Lennart Poettering:
Long story short: if you experienced issues with DNSSEC on with resolved today, then be assured that with DNSSEC off things are much much better, and that's how we'd ship it in Fedora if it becomes the default.
Would you please clarify what switching DNSSEC off means? Just no validation, or no DNSSEC support at all?
If I'm understanding what is expected correctly then it looks to me like it is actually broken regardless of whether or not DNSSEC is switched on...
Adding +dnssec to the dig flags results in some additional flags being set in the OPT section of the response but it does not cause RRSIG records to be returned and whether DNSSEC is on or off makes no difference to that.
Tom
--
Tom Hughes (tom@compton.nu)
http://compton.nu/