Control: tags -1 wontfix Control: close -1 On Tue, 22 Aug 2023 11:04:22 +0200 Michael Biebl <[email protected]> wrote: > Am 19.03.23 um 12:53 schrieb Bastian Blank: > > Upstream changed the default for the DNSSEC option to "allow- downgrade" > > and that is whats everywhere is documented. Debian overrides it to > > "no". > > See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996 > > Both, Ubuntu and Fedora, which use resolved more extensively, have > disabled DNSSEC by default, since it caused too many issues. > > If the situation has significantly nowadays, I can't tell, but it would > probably be a good idea to get input from those downstreams.
dnssec is way too flaky as a concept to enable by default, it breaks just too often due to the random variance in the quality of service provided by default dns servers you get from random ISPs around the world, and it's really difficult to debug due to this inherently local variance. Hence it's disabled by default, intentionally - one can always trivially enable it locally if their ISP/choice of DNS is known to behave reasonably well. But it would cause too many unactionable bug reports to enable by default distro-wide I'm afraid, hence closing. -- Kind regards, Luca Boccassi
signature.asc
Description: This is a digitally signed message part

