| 10 Jul 2025 |
emily | that would (sorry) break resolved with DNSSEC | 14:25:24 |
hexa (clat on linux when) | but then I found people used dnscrypt2-proxy and other weird stuff | 14:25:28 |
emily | dnscrypt-proxy2 doesn't do DNSSEC validation | 14:25:42 |
hexa (clat on linux when) | resolved is fucked for this use case, I don't care 🙂 | 14:25:47 |
emily | I think it'll pass on the bit from the upstream resolver and that's all | 14:25:52 |
emily | I don't really think asserting on dynamic network conditions is something a module should be doing at all tbh. if the software absolutely needs the DNSSEC validation bit in responses it should be checking for it itself | 14:26:32 |
hexa (clat on linux when) | oh, it does | 14:27:32 |
hexa (clat on linux when) | the software is postfix for example | 14:27:36 |
hexa (clat on linux when) | postfix/smtp[2110025]: warning: DNSSEC validation may be unavailable
postfix/smtp[2110025]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
| 14:28:05 |
hexa (clat on linux when) | that's what you get with resolved fwiw | 14:28:10 |
K900 | Then just let it fail IMO | 14:28:15 |
emily | can't shift everything left :) | 14:37:18 |
K900 | shift everything left :)can't | 14:42:45 |