doc/network/resolved: Add disabling DNSSEC and DNSOverTLS #1328

Merged
merged 1 commit into from
Oct 23, 2024
20 changes: 16 additions & 4 deletions doc/howto/network_bridge_resolved.md
Expand Up @@ -6,9 +6,6 @@ To do so, add the DNS servers and domains provided by an Incus network bridge to

```{note}
The `dns.mode` option (see {ref}`network-bridge-options`) must be set to `managed` or `dynamic` if you want to use this feature.

Depending on the configured `dns.domain`, you might need to disable DNSSEC in `resolved` to allow for DNS resolution.
This can be done through the `DNSSEC` option in `resolved.conf`.
```

(network-bridge-resolved-configure)=
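Review bot: dropping the note at the top of the page also drops the only mention that the DNSSEC problem depends on the configured `dns.domain` and that it can be addressed through the `DNSSEC` option in `resolved.conf`; the replacement text further down covers only the per-link `resolvectl` commands. Consider keeping a one-line pointer in this note (for example "If resolution fails with DNSSEC or DNS over TLS enabled, see the configuration section below"), so that a reader who stops at the introduction still learns that the global `resolved.conf` setting is the other knob, and that the per-link approach is preferable because it leaves DNSSEC and DNS over TLS in force for every other domain.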
Expand Down Expand Up @@ -47,16 +44,29 @@ The `~` tells `resolved` to use the respective name server to look up only this
Depending on which shell you use, you might need to include the DNS domain in quotes to prevent the `~` from being expanded.
```

DNSSEC and DNS over TLS
: The `incus` DNS server does not support DNSSEC or DNS over TLS.

Depending on your resolved configuration the configuration will fail as
the server does not support DNSSEC or DNS over TLS.

To disable both only for the bridge, use the following commands:

resolvectl dnssec <network_bridge> off
resolvectl dnsovertls <network_bridge> off

For example:

resolvectl dns incusbr0 192.0.2.10
resolvectl domain incusbr0 '~incus'
resolvectl dnssec incusbr0 off
resolvectl dnsovertls incusbr0 off

```{note}
Alternatively, you can use the `systemd-resolve` command.
This command has been deprecated in newer releases of `systemd`, but it is still provided for backwards compatibility.

systemd-resolve --interface <network_bridge> --set-domain ~<dns_domain> --set-dns <dns_address>
systemd-resolve --interface <network_bridge> --set-domain ~<dns_domain> --set-dns <dns_address> --set-dnsovertls=off --set-dnssec=off
```

The `resolved` configuration persists as long as the bridge exists.
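Review bot: the sentence "Depending on your resolved configuration the configuration will fail as the server does not support DNSSEC or DNS over TLS" is ambiguous about which configuration fails and why; suggest "If `resolved` is configured to require DNSSEC or DNS over TLS, name resolution through the bridge fails, because the `incus` DNS server supports neither." It would also help to say explicitly that `resolvectl dnssec <network_bridge> off` and `resolvectl dnsovertls <network_bridge> off` only relax validation for queries routed to the bridge's link (that is, the `~<dns_domain>` names), so the global settings still apply to all other lookups; that is the reason to prefer these per-link commands over editing `resolved.conf`. Finally, check that the two command groups (`resolvectl dnssec ... off` / `resolvectl dnsovertls ... off` and the `incusbr0` example) are formatted as code blocks like the rest of the page; in the rendered view they appear as plain lines.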
Expand All @@ -78,6 +88,8 @@ After=sys-subsystem-net-devices-<network_bridge>.device
Type=oneshot
ExecStart=/usr/bin/resolvectl dns <network_bridge> <dns_address>
ExecStart=/usr/bin/resolvectl domain <network_bridge> ~<dns_domain>
ExecStart=/usr/bin/resolvectl dnssec <network_bridge> off
ExecStart=/usr/bin/resolvectl dnsovertls <network_bridge> off
ExecStopPost=/usr/bin/resolvectl revert <network_bridge>
RemainAfterExit=yes

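Review bot: the two new `ExecStart=/usr/bin/resolvectl dnssec <network_bridge> off` and `ExecStart=/usr/bin/resolvectl dnsovertls <network_bridge> off` lines are correctly placed after the `dns` and `domain` calls, and the existing `ExecStopPost=/usr/bin/resolvectl revert <network_bridge>` already undoes per-link DNSSEC and DNS over TLS settings along with the DNS server and domain, so no extra cleanup line is needed; it is worth stating that in the surrounding prose so readers know the relaxed settings disappear with the bridge. Also note that with `Type=oneshot` every `ExecStart=` must succeed for the unit to be active, so if a user does not want the unit to fail on a `resolved` that rejects one of these commands, the doc could mention the `ExecStart=-` prefix as an option.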