Provide option to disable DNSSEC in resolved

[nkasco]

What do you need?

Recent changes to systemd-resolved changed default behavior of the DNSSEC setting to be enabled by default, for me this broke my Unifi DNS config (couldn't resolve A records from my internal DNS)

This is discussed here:

• https://bbs.archlinux.org/viewtopic.php?id=308364
• https://gitlab.archlinux.org/archlinux/packaging/packages/systemd/-/issues/57

It took me a while to find the root cause for this since it wasn't caused by Omarchy, but since this is an opinionated distro I think it would make sense to either disable it by default or provide a setting toggle for it with some minor guidance.

Necessary resultant change config:

• Add to /etc/systemd/resolved.conf: DNSSEC=no
• Ensure this isn't overwritten in any migrations
• Provide a menu option when selecting a custom DNS (i.e. Does your DNS support DNSSEC? (A records may not resolve properly if not))

[iamenderst]

Don't edit that file, create a drop-in inside /etc/systemd/resolved.conf.d/ with that option to make it persistent.

[sgruendel]

Same for me, could no longer ping or ssh to my pi-hole server "minis12" using the name, just the IP address, also FQDN "minis12.fritz.box" didn't work. I also have a laptop running Omarchy that I didn't update yet to the new resolved, if I do "resolvectl status" it shows DNSSEC=no/unsupported for all interfaces. Got it working again as @iamenderst suggested, I suppose we should generally create that drop-in file to restore the old behavior, especially as they state in https://wiki.archlinux.org/title/Systemd-resolved#DNSSEC that "DNSSEC support in systemd-resolved is considered experimental and incomplete as of Jun 2023."