If the server configured DNSSEC in a bad way then for surely it wont
work and thats what happened with gnu.org if you read this ticket:
https://github.com/systemd/systemd/issues/9867
This ticket show clearly that the operators of gnu.org didnt fix their
bad DNSSEC configuration despite being pointed out to them.
https://danwin1210.me
e.g This domain use DNSSEC where is the problem connecting to it?
Julien Lepiller:
No, resolved is on the client side. This means that they managed to set up
dnssec, but some clients who use systemd (most Linux users) can't connect to
gnu.org domains anymore. I don't think this is acceptable :)
Le 25 mai 2021 08:51:29 GMT-04:00, bo0od <[email protected]> a écrit :
Then dont use systemd to do that. There many other methods/tools to
achieve having it.
Marius Bakke:
Julien Lepiller <[email protected]> skriver:
Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari
<[email protected]> a écrit :
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
Scanning Guix website gave many missing security features which
modern
security needs them to be available:
* TLS and DNS:
looking at:
https://www.hardenize.com/report/guix.gnu.org/1618568751
https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
Thanks!
- DNS: DNSSEC support missing (important)
Hm, is it important? My impression is that it's an idea whose time
has
passed without significant adoption.
But maybe we could enable it if the costs are not too great.
gnu.org does not have dnssec, so we'd need them to work on that
first.
gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:
https://github.com/systemd/systemd/issues/9867
