No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)

Le 25 mai 2021 08:51:29 GMT-04:00, bo0od <bo0od@riseup.net> a écrit :
Then dont use systemd to do that. There many other methods/tools to 
achieve having it.

Marius Bakke:
Julien Lepiller <julien@lepiller.eu> skriver:

Le 16 avril 2021 12:15:25 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :
On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
Scanning Guix website gave many missing security features which
modern
 security needs them to be available:

 * TLS and DNS:

 looking at:

 https://www.hardenize.com/report/guix.gnu.org/1618568751

 https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org

 Thanks!

- DNS: DNSSEC support missing (important)

 Hm, is it important? My impression is that it's an idea whose time has
 passed without significant adoption.

 But maybe we could enable it if the costs are not too great.

 gnu.org does not have dnssec, so we'd need them to work on that first.

gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
on machines with systemd-resolved:

   https://github.com/systemd/systemd/issues/9867