No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
Le 25 mai 2021 08:51:29 GMT-04:00, bo0od <[email protected]> a écrit : >Then dont use systemd to do that. There many other methods/tools to >achieve having it. > >Marius Bakke: >> Julien Lepiller <[email protected]> skriver: >> >>> Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari ><[email protected]> a écrit : >>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote: >>>>> Scanning Guix website gave many missing security features which >>>> modern >>>>> security needs them to be available: >>>>> >>>>> * TLS and DNS: >>>>> >>>>> looking at: >>>>> >>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751 >>>>> >>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org >>>> >>>> Thanks! >>>> >>>>> - DNS: DNSSEC support missing (important) >>>> >>>> Hm, is it important? My impression is that it's an idea whose time >has >>>> passed without significant adoption. >>>> >>>> But maybe we could enable it if the costs are not too great. >>> >>> gnu.org does not have dnssec, so we'd need them to work on that >first. >> >> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN >> on machines with systemd-resolved: >> >> https://github.com/systemd/systemd/issues/9867 >>
