Comment 0 for bug 1624071

Anders Kaseorg (andersk) wrote :

The libnss-resolve postinst script inserts ‘resolve’ before ‘dns’ in the hosts line of /etc/nsswitch.conf. This makes DNSSEC validation impossible, even with DNSSEC=yes in /etc/systemd/resolved.conf, because if libnss_resolve returns a validation failure, glibc will simply fall back to libnss_dns. It also makes NXDOMAIN lookups twice as slow.

The following syntax would preserve the fallback in the case that systemd-resolved is not running at all, but allow systemd-resolved to fail lookups that should fail when it is running:

hosts: files resolve [!TRYAGAIN=return] dns
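As an added audit helper (not part of the bug report, of Ubuntu's postinst or of systemd), the snippet below parses a hosts line under the action semantics of nsswitch.conf(5) and reports which non-success results from the resolve module still fall through to dns. The sample lines are constructed; the `[!UNAVAIL=return]` form is the one nss-resolve(8) documents.

```python
import re

# Constructed sample "hosts:" lines (not copied from any real /etc/nsswitch.conf)
SAMPLES = {
    "postinst":   "hosts: files resolve dns",                    # what the postinst produces
    "proposed":   "hosts: files resolve [!TRYAGAIN=return] dns", # the comment's proposal
    "unavail":    "hosts: files resolve [!UNAVAIL=return] dns",  # form documented in nss-resolve(8)
    "no_resolve": "hosts: files dns  # resolve not used at all",
}

TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")
STATUSES = ("success", "notfound", "unavail", "tryagain")


def parse_hosts_line(line):
    """Return [(service, {status: action})] in lookup order.

    A bracketed action spec applies to the preceding service; a '!' prefix
    means "every status except this one".  Defaults per nsswitch.conf(5):
    SUCCESS=return, every other status continues to the next service."""
    body = line.split(":", 1)[-1].split("#", 1)[0]
    entries = []
    for spec, service in TOKEN.findall(body):
        if service:
            defaults = {s: ("return" if s == "success" else "continue") for s in STATUSES}
            entries.append((service.lower(), defaults))
        elif entries:  # action spec without a preceding service is ignored
            for item in spec.split():
                status, _, action = item.partition("=")
                negate = status.startswith("!")
                status = status.lstrip("!").lower()
                for s in STATUSES:
                    if (s != status) if negate else (s == status):
                        entries[-1][1][s] = action.lower()
    return entries


def statuses_that_fall_through_to_dns(line):
    """Non-success statuses from 'resolve' that still continue on to 'dns'.

    An empty list means either resolve is absent, dns is not after it, or
    every failure from resolve is returned to the caller as-is."""
    entries = parse_hosts_line(line)
    names = [name for name, _ in entries]
    if "resolve" not in names or "dns" not in names[names.index("resolve"):]:
        return []
    actions = entries[names.index("resolve")][1]
    return sorted(s for s in STATUSES if s != "success" and actions[s] == "continue")


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:11s} falls through to dns on: {statuses_that_fall_through_to_dns(line)}")
```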