On Sat, May 2, 2020 at 5:44 PM Rich Felker <dalias@libc.org> wrote:
On Sat, May 02, 2020 at 05:28:48PM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > On Tue, Apr 21, 2020 at 07:26:08PM +0200, Florian Weimer wrote:
> >> * Rich Felker:
> >>
> >> >> I'm excited that Fedora plans to add a local caching resolver by
> >> >> default.  It will help with a lot of these issues.
> >> >
> >> > That's great news! Will it be DNSSEC-enforcing by default?
> >>
> >> No.  It is currently not even DNSSEC-aware, in the sense that you
> >> can't get any DNSSEC data from it.  That's the sad part.
> >
> > That's really disappointing. Why? Both systemd-resolved and dnsmasq,
> > the two reasonable (well, reasonable for distros using systemd already
> > in the systemd-resolved case :) options for this, support DNSSEC fully
> > as I understand it. Is it just being turned off by default because of
> > risk of breaking things, or is some other implementation that lacks
> > DNSSEC being used?
>
> It's systemd-resolved.  As far as I can tell, it does not provide
> DNSSEC data on the DNS client interface.

According to this it does:

https://wiki.archlinux.org/index.php/Systemd-resolved#DNSSEC

However, it's subject to downgrade attacks unless you edit a config
file. Note that the example shows:

    ....
    -- Data is authenticated: yes

so it looks like it's setting the AD bit like it should.

Relevant info: https://fedoraproject.org/wiki/Changes/systemd-resolved#DNSSEC
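Added example (not from this thread, nor code from systemd or musl), putting the two points above next to each other: the resolved.conf setting that decides whether the downgrade path stays open, and a client-side check of the AD bit that the stub hands back. The DNSSEC= key and its values yes / allow-downgrade / no are the real systemd-resolved settings from resolved.conf(5); the config file contents and the DNS messages below are constructed, and data_is_authenticated() is my own helper, not an API of either project. The caveat it encodes: AD is an unsigned header bit, so it only means something when the hop to the validating resolver cannot be tampered with (a stub on loopback); from an arbitrary path it should be ignored.

```python
"""Added example: DNSSEC downgrade setting in resolved.conf and AD-bit checking.

Constructed inputs only; nothing here sends network traffic.
"""
import configparser
import struct

# Constructed file contents in the /etc/systemd/resolved.conf format.
# "allow-downgrade" validates when the upstream appears to support DNSSEC but
# falls back to unvalidated answers when it appears not to, which is exactly
# what an on-path attacker can make it appear.
WEAK_CONF = """\
[Resolve]
DNS=192.0.2.53
DNSSEC=allow-downgrade
"""

# "yes" refuses unvalidated answers instead of falling back.
HARDENED_CONF = """\
[Resolve]
DNS=192.0.2.53
DNSSEC=yes
"""


def dnssec_mode(conf_text: str) -> str:
    """Return the DNSSEC= value: 'yes', 'no', 'allow-downgrade' or 'unset'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.get("Resolve", "DNSSEC", fallback="unset").strip().lower()


def downgrade_possible(conf_text: str) -> bool:
    """Only DNSSEC=yes closes the downgrade path; 'unset' inherits the build
    default, which we conservatively treat as not enforcing."""
    return dnssec_mode(conf_text) != "yes"


# DNS header flags (RFC 1035, RFC 4035) and the EDNS0 DO flag (RFC 4035 3.2.1).
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD, RCODE_MASK = 0x0020, 0x0010, 0x000F
TYPE_OPT, EDNS_DO = 41, 0x8000


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query with RD, AD set in the request (RFC 6840 5.7: please report
    authenticity) and an EDNS0 OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode,
    # version, flags (DO is the top bit), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "rcode": flags & RCODE_MASK, "ancount": an}


def build_response(query: bytes, address: str, ad: bool) -> bytes:
    """Constructed A answer echoing the query's question section."""
    qh = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", qh["id"], flags, 1, 1, 0, 0)
    question = query[12:query.index(b"\x00", 12) + 5]  # name + QTYPE + QCLASS
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def data_is_authenticated(response: bytes, query: bytes,
                          resolver_path_trusted: bool) -> bool:
    """AD vouches for validation only if the path to the validator (e.g. a stub
    on 127.0.0.53) is trusted; anyone on an untrusted path can set the bit."""
    h, q = parse_header(response), parse_header(query)
    if not (h["qr"] and h["id"] == q["id"] and h["rcode"] == 0):
        return False
    return resolver_path_trusted and h["ad"]


if __name__ == "__main__":
    q = build_query("example.com")
    print("weak config downgradable:", downgrade_possible(WEAK_CONF))
    print("hardened config downgradable:", downgrade_possible(HARDENED_CONF))
    r = build_response(q, "192.0.2.1", ad=True)
    print("AD from loopback stub trusted:", data_is_authenticated(r, q, True))
    print("same AD from untrusted path:", data_is_authenticated(r, q, False))
```

The "Data is authenticated: yes" line in the resolvectl output quoted above is resolved's own rendering of the same AD bit; the point of the last two prints is that the bit is only worth acting on because the stub sits on loopback.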