From 76100ad8e3d55c23e6f29fb80c7c5c5437dc6194 Mon Sep 17 00:00:00 2001 From: YellowJacketLinux Date: Sat, 12 Oct 2024 12:57:39 -0700 Subject: [PATCH] adjust doc, minor script adjustments --- .gitignore | 1 + CH9Config/01-NetworkConfig.sh | 2 +- CH9Config/{01-USBFlash.sh => 99-USBFlash.sh} | 0 SECURE_DNS.md | 23 ++++++++++++++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) rename CH9Config/{01-USBFlash.sh => 99-USBFlash.sh} (100%) diff --git a/.gitignore b/.gitignore index e1aadeb..c7d444a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ incoming/ +*.bak diff --git a/CH9Config/01-NetworkConfig.sh b/CH9Config/01-NetworkConfig.sh index 80748f1..a9dec07 100644 --- a/CH9Config/01-NetworkConfig.sh +++ b/CH9Config/01-NetworkConfig.sh @@ -47,6 +47,6 @@ EOF else # bootable USB thumb drive echo "lfsusb" > /etc/hostname - #systemctl disable systemd-networkd-wait-online + systemctl disable systemd-networkd-wait-online systemctl disable systemd-networkd fi diff --git a/CH9Config/01-USBFlash.sh b/CH9Config/99-USBFlash.sh similarity index 100% rename from CH9Config/01-USBFlash.sh rename to CH9Config/99-USBFlash.sh diff --git a/SECURE_DNS.md b/SECURE_DNS.md index 3ac4456..190a955 100644 --- a/SECURE_DNS.md +++ b/SECURE_DNS.md 
@@ -184,6 +184,29 @@ When I am confident that `systemd-resolved` works well and smoothly in DNSSEC enforcing mode, that will be the enabled default. I will *not* enable DoT by default but users will be told how to enable it in opportunistic mode. +It appears that the default at compile time is `DNSSEC=allow-downgrade` and I +probably should leave that simply because a lot of people now look at man pages +online even when the man page is available locally, so to have a different +compile-time default could cause confusion. + +However the file `/etc/system.d/resolved.conf` could be created by default to +override some compile time defaults, as the man page specifies that file as a +place to look. + +What I would like to see happen is `DNSSEC=yes` set in that file, and the Google +public DNS servers set as the backup DNS servers. The default DNS servers would +still be retrieved from DHCP (or manually configured by the user) and in the +event that the DNS server retrieved from DHCP does not support DHCP, the +`systemd-resolved` service would failover to using the Google public DNS servers +rather than downgrading DNSSEC support. + +There may be some networks where the DNS server assigned by the DHCP server does +not support DNSSEC *and* the network blocks DNS requests outside the network. In +such cases, DNS resolution would be broken but *hopefully* the user could then +configure `DNSSEC=allow-downgrade` for that connection which, if WiFi, hopefully +could be done by SSID so that `DNSSEC=allow-downgrade` only applies to that +SSID. + Until `systemd-resolved` works well and smoothly in DNSSEC enforcing mode, I will disable it by default. Users who want it of course can enable it. I really do not want YJL to be a distribution that pushes technology not quite ready for
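Review bot: in the `CH9Config/01-NetworkConfig.sh` hunk, the reason for disabling `systemd-networkd-wait-online` is missing from the script, and the subject line "minor script adjustments" does not say why the line was previously commented out. Since the `else` branch already disables `systemd-networkd` for the bootable USB image, a one-line comment above the uncommented line, e.g. `# networkd is disabled on the USB image, so there is nothing to wait for`, would stop the next reader from re-commenting it.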
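Review bot: the rename of `CH9Config/01-USBFlash.sh` to `CH9Config/99-USBFlash.sh` changes where the script falls in the run order if the numbered CH9Config scripts are executed lexically, but neither the commit message nor the diff records why it now has to run last. A sentence in the commit message, plus a check that nothing else in the repository still refers to `CH9Config/01-USBFlash.sh`, would make the change reviewable.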
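Review bot: in the `SECURE_DNS.md` hunk, the proposed failover ("`systemd-resolved` service would failover to using the Google public DNS servers rather than downgrading DNSSEC support") does not match how `systemd-resolved` treats `FallbackDNS=`: fallback servers are only consulted when no other DNS server is known at all, so a DHCP-supplied resolver that fails DNSSEC validation under `DNSSEC=yes` produces validation failures rather than a switch to the fallback list. The paragraph should either describe the mechanism that would actually perform the failover or state that this is still an open design question. Two typos in the same hunk also affect meaning: the override file is `/etc/systemd/resolved.conf`, not `/etc/system.d/resolved.conf`, and "does not support DHCP" should read "does not support DNSSEC".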