From: Tom Hughes <tom@compton.nu>
Date: Sun, 9 Mar 2025 14:29:41 +0000 (+0000)
Subject: Disable DNSSEC validation in systemd-resolved
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/d5fde42b2c21b8559d5dc5e6c31a4750e2069177

Disable DNSSEC validation in systemd-resolved
---

diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index 7ff93c365..06511d462 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -9,7 +9,7 @@ default[:networking][:firewall][:allowlist] = []
 default[:networking][:interfaces] = {}
 default[:networking][:nameservers] = %w[8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844]
 default[:networking][:search] = []
-default[:networking][:dnssec] = "allow-downgrade"
+default[:networking][:dnssec] = "false"
 default[:networking][:hostname] = node.name
 default[:networking][:wireguard][:enabled] = true
 default[:networking][:wireguard][:keepalive] = 180