Jae's Blog

2025-04-18

Configuring DNSSEC on systemd-resolved

Filed under: Networking,Tutorials — jae @ 19:31

Enabling DNSSEC on systemd-resolved is quite easy.

First, create or edit /etc/systemd/resolved.conf.d/main.conf (creating the drop-in directory if it does not exist yet) so that it contains:

[Resolve]
DNSSEC=true

For good measure, you can also enable DoT (DNS over TLS) in the same file with DNSOverTLS=yes, which you can use with a provider such as DNS0.

Restart systemd-resolved using systemctl restart systemd-resolved and voilà.

Now, if you type something like resolvectl query j4.lc, you should get an answer like so:

j4.lc: 95.217.179.88                           -- link: enp6s0
       2a12:4946:9900:f00::f00                 -- link: enp6s0

-- Information acquired via protocol DNS in 141.7ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network

Conversely, if you query a domain whose signature is invalid, for instance with resolvectl query badsig.go.dnscheck.tools, you will get:

badsig.go.dnscheck.tools: resolve call failed: All attempts to contact name servers or networks failed
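The whole procedure (write the drop-in, restart the resolver, check the answer) as one script. This is an added example, not code from the original post: the config keys DNSSEC=, DNSOverTLS= and DNS= are real systemd-resolved settings, the dns0.eu resolver addresses are the ones the provider publishes (verify them against its documentation), and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the systemd-resolved
# drop-in described above and checks resolvectl output for the DNSSEC flag.

# Render the drop-in. DNSSEC=true makes validation failures hard errors;
# the other accepted value, allow-downgrade, silently falls back to
# unvalidated answers if the upstream resolver does not support DNSSEC,
# which defeats the purpose of this setup. Resolver addresses are dns0.eu's
# published ones (assumption: check the provider's docs before relying on them).
render_resolved_dropin() {
    cat <<'EOF'
[Resolve]
DNSSEC=true
DNSOverTLS=yes
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
EOF
}

# Install the drop-in and restart the resolver. Needs root; the checks in
# answer_is_trusted/check_domain below do not call this.
install_resolved_dropin() {
    mkdir -p /etc/systemd/resolved.conf.d
    render_resolved_dropin > /etc/systemd/resolved.conf.d/main.conf
    systemctl restart systemd-resolved
}

# Return 0 when the given resolvectl output says the answer was
# DNSSEC-authenticated AND arrived over a local or encrypted transport,
# i.e. both flags from the "j4.lc" example above read "yes"; 1 otherwise.
answer_is_trusted() {
    printf '%s\n' "$1" | grep -q 'Data is authenticated: yes' || return 1
    printf '%s\n' "$1" | grep -q 'acquired via local or encrypted transport: yes' || return 1
    return 0
}

# Query a name and classify the result. Prints one of
# authenticated | unauthenticated | failed; exit status is 0 only for
# "authenticated". A broken-signature domain such as the badsig test name
# above ends up in "failed" because resolvectl itself exits non-zero.
check_domain() {
    out=$(resolvectl query "$1" 2>&1) || { echo failed; return 1; }
    if answer_is_trusted "$out"; then
        echo authenticated
        return 0
    fi
    echo unauthenticated
    return 1
}
```

Running `check_domain j4.lc` after `install_resolved_dropin` should print "authenticated"; if it prints "unauthenticated", the answer came back unsigned or in plaintext, which is exactly the case the DNSSEC=true plus DNSOverTLS=yes combination is meant to surface rather than hide.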

Do note that some domains might stop resolving because of this, in which case contact their admin so they can correct the issue.

Also, on my side, resolution hangs rather than displaying a proper error, which seems to be something like this bug (or maybe another; I haven’t looked too much into this yet) on the systemd issue tracker.


CC BY-SA 4.0 2012-2025 Jae Lo Presti