Re: Fedora 33 System-Wide Change proposal: systemd-resolved

* Michael Catanzaro:

> On Wed, Apr 15, 2020 at 10:48 am, Florian Weimer <fweimer@xxxxxxxxxx>
> wrote:
>> The second Kubernetes issue I worry about [1] is that the CoreDNS name
>> server is installed first, and it does additional rule-based processing
>> for in-cluster names.  External DNS servers are listed later.  Parallel
>> queries and random server selection could bypass the CoreDNS service for
>> queries that need to be handled by it.
>
> Hm, CoreDNS might need to construct its own nss module,

This is not possible.  You cannot realistically inject binary code into
the container (see the fun with GPU userspace driver parts).

> or you might need to use /etc/resolv.conf in "mode 1" or "mode 3"
> described by Lennart. (Or disable systemd-resolved, but that shouldn't
> be necessary.) We'll default to Lennart's "mode 2" so it sounds like
> that might be a problem indeed.

Yeah.

>> Does OpenVPN log the list of these domains somewhere?  Or do they have
>> to be configured manually?
>
> This is managed by NetworkManager and systemd-resolved. You can inspect
> it with 'resolvectl status'. I don't think OpenVPN knows anything about
> it.

As explained elsewhere, NetworkManager-openvpn extracts the search list
from OpenVPN parameters and passes that to NetworkManager, which I expect
will pass it to systemd-resolved in the future.

>> Ugh.  That will have to be fixed, otherwise it will break DANE/TLSA and
>> other DNSSEC-mandatory functionality on upgrades: the system used to
>> have a DNSSEC-clean path to the outside world, and after the switch to
>> systemd-resolved, it won't.
>
> I think that, if you need DNSSEC, you will just need to enable it
> manually. I think >99% of users won't need to do this, and it's a
> one-line config file change for power users who do need it, just edit
> /etc/systemd/resolved.conf and then restart systemd-resolved
> service. Problem is that DNSSEC is just not safe to enable by
> default. :(

See my message to Lennart about separate DO/CD query caching.

My point is that these users *have* enabled DNSSEC in their
infrastructure, and we break what they have during an update (assuming
that DNSSEC=off means that systemd-resolved turns DNSSEC-unaware, rather
than just disabling validation).

Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
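The thread above turns on what a stub resolver sitting between a DANE/TLSA-using application and the upstream name server has to preserve: the client's EDNS "DNSSEC OK" (DO) bit, the header's Checking Disabled (CD) bit, the Authenticated Data (AD) bit on the way back, and, as Florian's remark about "separate DO/CD query caching" implies, a cache that does not hand a DO=0 answer (which carries no RRSIGs) to a DO=1 client. The following Python is an added illustration written for this page; it is not code from the thread, from systemd-resolved or from Fedora. It builds a minimal query and reply on the wire format, reads those bits back, derives a cache key that includes them, and models a DNSSEC-unaware forwarder that drops them. The names `dnssec_signals`, `cache_key`, `strip_dnssec` and `forwarder_is_dnssec_clean` are invented for the example, the packets are constructed in-process, and nothing is sent on the network.

```python
import struct

# Header flag bits (RFC 1035, RFC 4035): CD = checking disabled, AD = authenticated data
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR (RFC 6891)
EDNS_DO = 0x8000   # "DNSSEC OK" bit: top bit of the 16 EDNS flags carried in the OPT TTL field
TLSA = 52          # RR type used by DANE (RFC 6698)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(pkt, off):
    """Decode a name at offset, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Constructed client query: one question plus an OPT record carrying the DO bit."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)      # class IN
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, type 41, UDP payload size in the class field, flags in TTL, empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
    return header + question + opt


def build_response(query, authenticated):
    """Constructed minimal reply: echoes the query, sets QR/RA and AD if upstream validated."""
    txid, flags = struct.unpack("!HH", query[:4])
    flags |= QR | RA
    if authenticated:
        flags |= AD
    return struct.pack("!HH", txid, flags) + query[4:]


def dnssec_signals(pkt):
    """Return the DNSSEC-relevant bits (DO, CD, AD) and the question of a query or response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, qname, qtype = 12, None, None
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4                                      # qtype + qclass
    do_bit = False
    for _ in range(an + ns + ar):
        _, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & EDNS_DO:
            do_bit = True
    return {"qname": qname, "qtype": qtype, "do": do_bit,
            "cd": bool(flags & CD), "ad": bool(flags & AD)}


def cache_key(pkt):
    """A cache serving both DO=0 and DO=1 clients must key on DO and CD, not only (name, type)."""
    s = dnssec_signals(pkt)
    return (s["qname"], s["qtype"], s["do"], s["cd"])


def strip_dnssec(query):
    """Model of a DNSSEC-unaware forwarder: re-emits the question with DO and CD cleared."""
    s = dnssec_signals(query)
    txid = struct.unpack("!H", query[:2])[0]
    return build_query(s["qname"], s["qtype"], txid, dnssec_ok=False, checking_disabled=False)


def forwarder_is_dnssec_clean(client_query, forwarded_query):
    """True when the forwarder kept the client's DO and CD signals intact."""
    a, b = dnssec_signals(client_query), dnssec_signals(forwarded_query)
    return a["do"] == b["do"] and a["cd"] == b["cd"]
```

The `cache_key` function is the point of the DO/CD remark: an answer fetched for a DO=0 client has no signatures, so a stub that caches on `(qname, qtype)` alone would later serve that unsigned answer to a validating DANE client, which then fails closed. `strip_dnssec` is what "turns DNSSEC-unaware" looks like on the wire, as opposed to merely not validating, which would leave DO and CD untouched and only stop the stub from setting AD itself.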