From 67134682d9848c02629c7eeb2ce15f205b1a0f12 Mon Sep 17 00:00:00 2001
From: Alexander Heldt
Date: Sun, 19 Oct 2025 14:39:05 +0200
Subject: [PATCH] pinwheel: Disable `resolved.dnssec`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As it breaks tailscale <-> openvpn
> At the time of September 2023, systemd upstream advise to disable DNSSEC
> by default as the current code is not robust enough to deal with
> “in the wild” non-compliant servers, which will usually give you a
> broken bad experience in addition of insecure.
---
hosts/pinwheel/modules/openvpn/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/pinwheel/modules/openvpn/default.nix b/hosts/pinwheel/modules/openvpn/default.nix
index 79377d3..4522c2e 100644
--- a/hosts/pinwheel/modules/openvpn/default.nix
+++ b/hosts/pinwheel/modules/openvpn/default.nix
@@ -23,7 +23,7 @@ in
 services.resolved = {
 enable = true;
- dnssec = "true";
+ dnssec = "false";
 domains = [ "~." ];
 fallbackDns = [
 "1.1.1.1#one.one.one.one"
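Review bot: Setting `dnssec = "false";` switches validation off for every lookup resolved handles, and with `domains = [ "~." ]` in the same block that appears to be all of the host's DNS, while the breakage described is specific to the tailscale <-> openvpn path. If that path tolerates it, `dnssec = "allow-downgrade";` would keep validation wherever the upstream resolver supports it, though it can still be downgraded by an on-path attacker. Whichever value is kept, add a comment on the line stating the reason, for example `# DNSSEC off: breaks tailscale <-> openvpn name resolution; revisit when resolved's validation is more robust`. The `#one.one.one.one` suffix in `fallbackDns` only authenticates the server when DNS-over-TLS is enabled, and no `dnsovertls` setting is visible in this hunk, so confirm it is set now that DNSSEC no longer protects response integrity. The `services.resolved` block continues past the end of the hunk.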