Set DNSSEC for specific interface

Fedora now uses systemd-resolved for name resolution, but still uses NetworkManager instead of systemd-networkd.

The man page of systemd-resolved states how to configure a per-link setting for systemd-resolved if systemd-networkd is used (i.e. create a file in /etc/systemd/network), but it does not specify how to configure a per-link setting when NetworkManager is used.

The DNS servers contacted are determined from the global settings in /etc/systemd/resolved.conf, the per-link static settings in /etc/systemd/network/*.network files (in case systemd-networkd.service(8) is used), the per-link dynamic settings received over DHCP, information provided via resolvectl(1), and any DNS server information made available by other system services.

Without systemd-networkd, how can I configure systemd-resolved with DNSSEC=yes for one specific link, but not for the others? My VPN DNS server does not support DNSSEC, so specifying DNSSEC=yes at the global level (i.e. in /etc/systemd/resolved.conf) breaks name resolution for my VPN. I’m not finding the relevant NetworkManager options or DHCP options, if any.

1 Like
sudo tee /etc/NetworkManager/dispatcher.d/dnssec.sh << "EOF" > /dev/null
#!/usr/bin/bash
# NetworkManager runs this with NM_DISPATCHER_ACTION, CONNECTION_ID and
# DEVICE_IP_IFACE set; replace CONNECTION_NAME with the VPN connection's ID.
if [ "${NM_DISPATCHER_ACTION}" = "up" ] \
&& [ "${CONNECTION_ID}" = "CONNECTION_NAME" ]
then resolvectl dnssec "${DEVICE_IP_IFACE}" no
fi
EOF
sudo chmod +x /etc/NetworkManager/dispatcher.d/dnssec.sh

NetworkManager-dispatcher: NetworkManager Reference Manual

2 Likes
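A fuller version of the dispatcher approach, added here as an example and not code from the thread: it keeps a small table of connection IDs and the DNSSEC mode each should get, and it also handles VPN plugin connections, which the NetworkManager-dispatcher manual reports with the "vpn-up" action and VPN_IP_IFACE instead of "up" and DEVICE_IP_IFACE. The connection names "Work VPN" and "Home" and the modes chosen for them are placeholders; the decision logic is in plain functions so it can be checked without NetworkManager or resolvectl present.

```shell
#!/usr/bin/bash
# Added example (not from the original thread). Install as
# /etc/NetworkManager/dispatcher.d/dnssec.sh, owned by root, mode 0755 and
# not writable by group or other, or NetworkManager will not run it.
# The connection IDs below are placeholders (assumed names).

# Map a connection ID to the DNSSEC mode for its link. Empty output means
# "leave the global DNSSEC= setting from /etc/systemd/resolved.conf alone".
dnssec_setting_for() {
    case "$1" in
        "Work VPN") echo no ;;               # resolver behind the VPN has no DNSSEC
        "Home")     echo allow-downgrade ;;  # validate, but fall back if unsupported
        *)          echo "" ;;
    esac
}

# Pick the interface name resolvectl needs for this dispatcher action.
# Plain connections come as "up" with DEVICE_IP_IFACE; VPN plugin
# connections come as "vpn-up" with VPN_IP_IFACE (e.g. tun0).
target_iface() {
    case "$1" in
        up)     echo "${DEVICE_IP_IFACE:-}" ;;
        vpn-up) echo "${VPN_IP_IFACE:-}" ;;
        *)      echo "" ;;
    esac
}

# Apply the per-link override. Prints the command it ran, or nothing when
# there is nothing to do (unknown action, or connection not in the table).
apply_dnssec() {
    action="$1"
    conn="$2"
    iface=$(target_iface "$action")
    mode=$(dnssec_setting_for "$conn")
    [ -n "$iface" ] && [ -n "$mode" ] || return 0
    resolvectl dnssec "$iface" "$mode"
    echo "resolvectl dnssec $iface $mode"
}

# Only act when NetworkManager invoked us (it sets NM_DISPATCHER_ACTION),
# so sourcing or testing the script by hand does not touch resolved.
if [ -n "${NM_DISPATCHER_ACTION:-}" ]; then
    apply_dnssec "$NM_DISPATCHER_ACTION" "${CONNECTION_ID:-}"
fi
```

After the connection comes up, `resolvectl status` shows the link's effective DNSSEC setting, which is the quickest way to confirm the override landed on the right interface. The override is per-link state in resolved, so it disappears with the link and is reapplied on the next "up"/"vpn-up" event.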

Thank you. It seems like there should be an easier way but it works!

I have asked to be able to set this in Network Manager. But that request was closed; no-one got to implement that. [RFE] Ability to set DNSSEC validation setting per connection (#1099) · Issues · NetworkManager / NetworkManager · GitLab

1 Like