On Do, 16.04.20 12:46, Florian Weimer (fweimer@xxxxxxxxxx) wrote: > * Lennart Poettering: > > > Long story short: if you experienced issues with DNSSEC on with > > resolved today, then be assured that with DNSSEC off things are much > > much better, and that's how we'd ship it in Fedora if it becomes the > > default. > > Would you please clarify what switching DNSSEC off means? Just no > validation, or no DNSSEC support at all? It means we'd not attempt to validate DNS response we get with DNSSEC and just trust them blindly, i.e. like this always worked. It would still be compiled in, and be opt-in. And it works fine with a well-behaving uptsream DNS servers, but given that so many public networks I know have no well behaved upstream DNS servers it would be opt-in. > I'm worried that the following scenario will break: A Fedora system on a > uses a DNSSEC-capable resolver (validating or not) and performs its own > DNSSEC validation, using data obtained by contacting the name servers in > /etc/resolv.conf. (/etc/resolv.conf is managed by NetworkManager or > cloud-init in this scenario.) So, yes, if you attempt to use a client-side validating resolver against resolved's DNS stub you will not be happy. But you'll get a clean error back, and you will find something about it in syslog. it's not ideal, but it's usually OK. i.e. It's going to be like you talk to a DNS server that simply cannot do DNSSEC, except better, because you get helpful logging in syslog. If you want a client-side validating resolver to work you need to bypass resolved, for example using the DNS server data in /run/systemd/resolve/resolv.conf. Or by using 8.8.8.8 or so directly... > Since /etc/resolv.conf is already managed, I expect that after the > upgrade, systemd-resolved will be active, with the same upstream > recursive resolvers as before. The new /etc/resolv.conf contents will > point to the local systemd-resolved DNS service, though. Exactly. Lennart -- Lennart Poettering, Berlin _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx