DNSSEC and NTP

Published Apr 21, 2025

systemd-resolved supports DoT (DNS over TLS) querying as well as DNSSEC validation. The problem with DNSSEC is that it requires the system time to be at least somewhat in sync: DNSSEC signatures are only valid within a fixed time window, so with a wrong clock they fail validation. A problem then arises when trying to sync the time automatically, since querying NTP servers requires working DNS. The solution is to disable DNSSEC, sync the time, and then re-enable DNSSEC.
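
The disable, sync, re-enable sequence above as a shell script that restores DNSSEC on every exit path, so a failed sync does not leave validation off; this is an added example, not code from the original post. It assumes systemd-timesyncd is the NTP client and that no per-link DNSSEC setting overrides the global one; the drop-in file name and the DROPIN_DIR and SYNC_TIMEOUT variables are made up for the example.

```shell
#!/bin/sh
# Added example: temporarily turn off DNSSEC validation so NTP names resolve,
# wait for the clock to sync, then always restore validation.
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/resolved.conf.d}"
DROPIN_NAME="99-time-bootstrap.conf"   # hypothetical file name
SYNC_TIMEOUT="${SYNC_TIMEOUT:-60}"     # seconds to wait for NTP sync

# Write a drop-in that overrides the DNSSEC= setting of resolved.conf.
write_dropin() {
    mkdir -p "$DROPIN_DIR" &&
    printf '[Resolve]\nDNSSEC=no\n' > "$DROPIN_DIR/$DROPIN_NAME"
}

# Remove the drop-in so the configured DNSSEC= value applies again.
remove_dropin() { rm -f "$DROPIN_DIR/$DROPIN_NAME"; }

# Succeed once timedatectl reports a synchronized clock, fail on timeout.
wait_for_sync() {
    waited=0
    while [ "$waited" -lt "$SYNC_TIMEOUT" ]; do
        [ "$(timedatectl show -p NTPSynchronized --value)" = "yes" ] && return 0
        sleep 2
        waited=$((waited + 2))
    done
    return 1
}

# Restore validation; runs on every exit path via the trap set in main.
restore_dnssec() {
    remove_dropin
    systemctl restart systemd-resolved
}

main() {
    trap restore_dnssec EXIT
    trap 'exit 1' INT TERM          # make signals go through the EXIT trap
    write_dropin || exit 1
    systemctl restart systemd-resolved
    systemctl restart systemd-timesyncd   # assumption: timesyncd is in use
    if wait_for_sync; then
        echo "clock synchronized, re-enabling DNSSEC"
    else
        echo "no NTP sync within ${SYNC_TIMEOUT}s, re-enabling DNSSEC anyway" >&2
        exit 1
    fi
}

# Only touch the system when explicitly asked to (run as root).
if [ "${1:-}" = "--apply" ]; then main; fi
```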

Tip

Query the logs of systemd-resolved by running sudo journalctl -xeu systemd-resolved.