systemd-resolve-daemon

Differences

This shows you the differences between two versions of the page.

systemd-resolve-daemon [2026-04-16T15:09:41Z] – created joestr1
systemd-resolve-daemon [2026-05-10T08:34:54Z] (current) – use delegation signer (DS) instead of DNSKEY joestr1
Line 19: Line 19:
 The section ''eth0'' refers to a configuration used for that particular interface. The section ''eth0'' refers to a configuration used for that particular interface.
  
 +Now we configure our resolver for eth0:
  
 +  # Fill with public resolvers (Tier 2 server) or 127.0.0.1 and ::1 if your machine is a resolver itself
 +  resolvectl dns eth0 <OpenNIC Resolver IP address> [<OpenNIC Resolver IP address> ...]
 +  resolvectl dnssec eth0 yes
 +  resolvectl dnsovertls eth0 yes
 +  resolvectl domain eth0 ""
 +
 +For DNSSEC to work we have to give systemd a little help, since the root zone is not signed with IANA keys.
 +
 +  mkdir -p /etc/dnssec-trust-anchors.d/
 +  
 +Get the DS record for the DNSKEY for the "." root zone:
 +
 +  dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/dnssec-trust-anchors.d/opennic.positive
 +
 +Now restart the resolver:
 +
 +  systemctl restart systemd-resolved.service
 +
 +After this, we can resolve a query with DNSSEC and DoT:
 +
 +  root@korridor:~# resolvectl query cloudflare.com
 +  cloudflare.com: 104.16.132.229                 -- link: eth0
 +                  104.16.133.229                 -- link: eth0
 +                  2606:4700::6810:84e5           -- link: eth0
 +                  2606:4700::6810:85e5           -- link: eth0
 +  
 +  -- Information acquired via protocol DNS in 3.3ms.
 +  -- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
 +  -- Data from: network
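Review bot: The trust anchor on the `dig @195.201.99.61 . DNSKEY | dnssec-dsfromkey -2 -f - . > /etc/dnssec-trust-anchors.d/opennic.positive` line is built from an unauthenticated plain-DNS answer and installed without any check, so whoever answers that one query (the server itself or anything on the path to it) chooses the key that every later "Data is authenticated: yes" result depends on. I would write the DS record to a temporary file first, compare it against a digest obtained over a separate authenticated channel, and only then move it into `/etc/dnssec-trust-anchors.d/`. That also covers the failure case: as written, the shell truncates `opennic.positive` before `dig` has answered, so a timeout leaves an empty anchor file in place when `systemd-resolved.service` is restarted. The text should also say what 195.201.99.61 is and why it is trusted, and note that a positive anchor for "." in this directory takes the place of systemd-resolved's built-in root anchor for the whole resolver, not only for `eth0`.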
  • /wiki/data/attic/systemd-resolve-daemon.1776352181.txt.gz
  • Last modified: 9 weeks ago
  • by joestr1