author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-09-19 06:01:00 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-19 06:01:00 +0000 |
commit | 3245a21e716da07d541cbc5aa488f8806d159e74 (patch) | |
tree | 29e19a1dfc00b8e1c72995d858f2292902e9b96d /nixos/modules/system | |
parent | e68e375a72417b2d1648b1c746dd71414a5e2608 (diff) | |
parent | 835736de35faba3e57a7a4becc6b7e472ae72317 (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 8 |
2 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index dc3fe163116e1..06c329e006b84 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -351,6 +351,12 @@ let
 new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)"
+ if [ -z "$new_response" ]; then
+ echo "Warning: Unable to generate new challenge response, current challenge persists!"
+ umount /crypt-storage
+ return
+ fi
+
 if [ ! -z "$k_user" ]; then
 new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString dev.yubikey.keyLength} $new_iterations $new_response | rbtohex)"
 else
diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix
index 4e7201833db6b..b898a63179624 100644
--- a/nixos/modules/system/boot/resolved.nix
+++ b/nixos/modules/system/boot/resolved.nix
@@ -66,7 +66,7 @@ in
 };
 services.resolved.dnssec = mkOption {
- default = "allow-downgrade";
+ default = "false";
 example = "true";
 type = types.enum [ "true" "allow-downgrade" "false" ];
 description = lib.mdDoc ''
@@ -85,6 +85,12 @@ in
 synthesizing a DNS response that suggests DNSSEC was not supported.
 - `"false"`: DNS lookups are not DNSSEC validated.
+
+ At the time of September 2023, systemd upstream advise
+ to disable DNSSEC by default as the current code
+ is not robust enough to deal with "in the wild" non-compliant
+ servers, which will usually give you a broken bad experience
+ in addition of insecure.
 '';
 };
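Review bot: The new guard `if [ -z "$new_response" ]; then` only catches an empty reply, while the exit status of ykchalresp, which the preceding `new_response="$(...)"` assignment already carries, is thrown away, so a failed invocation that still wrote something to stdout would be treated as a valid response and fed into pbkdf2-sha512 as key material. Checking both is a small change to the two lines: `if ! new_response="$(ykchalresp -${toString dev.yubikey.slot} -x $new_challenge 2>/dev/null)" || [ -z "$new_response" ]; then`. Because stderr is redirected to /dev/null, the printed warning hides the actual cause of the failure; in the error branch it would be more useful to keep that output in the boot log than to discard it. The enclosing function begins and ends outside this hunk, so I cannot see whether `/crypt-storage` is mounted by this same function or whether anything (such as the freshly generated `new_challenge`) has already been written before the early `return`; the warning's claim that the current challenge persists should be confirmed against that code.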
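Review bot: Switching `default = "false";` silently turns off DNSSEC validation for every host that never set `services.resolved.dnssec` explicitly; anyone who relied on the previous `"allow-downgrade"` default now has to set it themselves to keep any validation at all. The diffstat is limited to nixos/modules/system, so a release-notes entry may well exist elsewhere in this merge; if it does not, one should be added, since the option name is unchanged and no evaluation-time warning will alert existing users. A sentence in the description stating how to restore the former behaviour, e.g. `Set this to "allow-downgrade" or "true" to keep the validation the previous default provided.`, would also make the change discoverable from the option docs. This point applies to the first resolved.nix hunk; the second hunk only adds explanatory text.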
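Review bot: The paragraph added to the `description` has wording problems that will appear verbatim in the rendered option documentation: `systemd upstream advise` should be `advises`, and `a broken bad experience in addition of insecure` does not parse. A cleaner version of the same statement: `As of September 2023, systemd upstream advises disabling DNSSEC by default, because the current implementation is not robust against the non-compliant servers found in the wild; with those, validation usually results in a broken experience in addition to an insecure one.` Since the paragraph is explicitly dated, it would help maintainers to add a short pointer that the default should be revisited once upstream changes its advice.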