V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -245,9 +245,11 @@ find /usr/lib/live/boot -type f -exec chmod 0755 {} +
   && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
 ### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/networkd.conf.d
+mkdir -p /etc/systemd/resolved.conf.d
+mkdir -p /etc/systemd/system
 mkdir -p /etc/systemd/system/multi-user.target.wants
 mkdir -p /etc/systemd/system/sockets.target.wants
-mkdir -p /etc/systemd/system
 
 ### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
 apt-get -y purge ifupdown || true
@@ -275,6 +277,20 @@ EOF
 
 ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
 
+cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
+[Resolve]
+DNSOverTLS=opportunistic
+DNSSEC=yes
+LLMNR=no
+MulticastDNS=no
+EOF
+
+cat << EOF >| /etc/systemd/networkd.conf.d/10-ciss-hardening.conf
+[Network]
+LLMNR=no
+MulticastDNS=no
+EOF
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0