On Wed, Apr 15, 2020 at 10:48 am, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
> The second Kubernetes issue I worry about [1] is that the CoreDNS name
> server is installed first, and it does additional rule-based processing
> for in-cluster names. External DNS servers are listed later. Parallel
> queries and random server selection could bypass the CoreDNS service for
> queries that need to be handled by it.
Hm, CoreDNS might need to construct its own nss module, or you might
need to use /etc/resolv.conf in "mode 1" or "mode 3" described by
Lennart. (Or disable systemd-resolved, but that shouldn't be
necessary.) We'll default to Lennart's "mode 2" so it sounds like that
might be a problem indeed.
> Does OpenVPN log the list of these domains somewhere? Or do they have
> to be configured manually?
This is managed by NetworkManager and systemd-resolved. You can inspect
with 'resolvectl status'. I don't think OpenVPN knows anything about it.
> Ugh. That will have to be fixed, otherwise it will break DANE/TLSA and
> other DNSSEC-mandatory functionality on upgrades: the system used to
> have a DNSSEC-clean path to the outside world, and after the switch to
> systemd-resolved, it won't.
I think that, if you need DNSSEC, you will just need to enable it
manually. I think >99% of users won't need to do this, and it's a
one-line config file change for power users who do need it, just edit
/etc/systemd/resolved.conf and then restart systemd-resolved service.
Problem is that DNSSEC is just not safe to enable by default. :(
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
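The thread above talks about two host-level checks: the "one-line config file change" in /etc/systemd/resolved.conf that turns DNSSEC on, and which of Lennart's /etc/resolv.conf arrangements a host is actually using. The script below is an added example, not code from the thread or from the systemd project; it performs the resolved.conf edit idempotently on a constructed copy of the file and classifies a resolv.conf by the symlink target names that systemd-resolved ships. Every path it touches lives in a temporary directory it creates, so it runs offline; the real restart and status commands are left as a comment.

```shell
#!/bin/sh
# Added example, not code from the thread: the resolved.conf one-line change
# (DNSSEC=) done idempotently on a copy of the file, plus a helper that
# reports which /etc/resolv.conf arrangement a host uses by reading the
# symlink target. All paths below are constructed in a temp directory so the
# script runs offline and touches nothing on the host.
set -e

# set_resolved_dnssec FILE VALUE
# Leaves exactly one active "DNSSEC=VALUE" line in FILE: an explicit setting
# is replaced, a commented "#DNSSEC=" default is uncommented, duplicates are
# dropped, and if the key is absent it is inserted right after [Resolve]
# (or a [Resolve] section is appended when the file has none).
set_resolved_dnssec() {
    file=$1 value=$2 tmp="$1.tmp"
    if grep -qE '^#?DNSSEC=' "$file"; then have=1; else have=0; fi
    awk -v val="$value" -v have="$have" '
        /^#?DNSSEC=/ { if (!done) { print "DNSSEC=" val; done = 1 }; next }
        { print }
        /^\[Resolve\]/ && !have && !done { print "DNSSEC=" val; done = 1 }
        END { if (!done) { print "[Resolve]"; print "DNSSEC=" val } }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_resolved_dnssec FILE
# Prints the last active DNSSEC= value, or "unset" when only the commented
# default is present (the compiled-in default then applies; it differs
# between distribution builds, so it is not guessed here).
get_resolved_dnssec() {
    v=$(sed -n 's/^DNSSEC=//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# resolv_conf_mode PATH
# Classifies a resolv.conf by its symlink target, using the file names that
# systemd-resolved ships; the thread's numbered "modes" are not assigned here.
resolv_conf_mode() {
    target=$(readlink "$1" 2>/dev/null) || target=""
    case "$target" in
        "")                                 echo "not-a-symlink" ;; # written by another tool
        */systemd/resolve/stub-resolv.conf) echo "stub" ;;    # 127.0.0.53 stub: resolved in the path
        */systemd/resolve/resolv.conf)      echo "uplink" ;;  # upstream servers listed directly
        */systemd/resolv.conf)              echo "static" ;;  # compiled-in fallback servers
        *)                                  echo "foreign" ;; # symlink to something else
    esac
}

# Stand-alone demo on a constructed copy of resolved.conf.
demo() {
    work=$(mktemp -d)
    cat > "$work/resolved.conf" <<'EOF'
#  Constructed sample modelled on the shipped file; only [Resolve] exists.
[Resolve]
#DNS=
#DNSSEC=no
#DNSOverTLS=no
EOF
    echo "before: DNSSEC is $(get_resolved_dnssec "$work/resolved.conf")"
    set_resolved_dnssec "$work/resolved.conf" yes
    set_resolved_dnssec "$work/resolved.conf" yes   # second run is a no-op
    echo "after:  DNSSEC is $(get_resolved_dnssec "$work/resolved.conf")"
    ln -s /run/systemd/resolve/stub-resolv.conf "$work/resolv.conf"
    echo "resolv.conf arrangement: $(resolv_conf_mode "$work/resolv.conf")"
    rm -rf "$work"
    # On a real host the remaining steps are the ones named in the thread:
    #   sudo systemctl restart systemd-resolved && resolvectl status
}
demo
```

The awk rewrite is used instead of `sed -i` because the in-place flag differs between GNU and BSD sed, and because it lets one pass both replace the first DNSSEC line and drop any later duplicate, so re-running the function after an earlier manual edit cannot leave two conflicting settings behind.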