Re: Fedora 33 System-Wide Change proposal: systemd-resolved

On Thu, 16.04.20 12:46, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> * Lennart Poettering:
>
> > Long story short: if you experienced issues with DNSSEC on with
> > resolved today, then be assured that with DNSSEC off things are much
> > much better, and that's how we'd ship it in Fedora if it becomes the
> > default.
>
> Would you please clarify what switching DNSSEC off means?  Just no
> validation, or no DNSSEC support at all?

It means we'd not attempt to validate the DNS responses we get with DNSSEC
and just trust them blindly, i.e. like this always worked.

It would still be compiled in, and be opt-in. And it works fine with
well-behaving upstream DNS servers, but given that so many public
networks I know have no well-behaved upstream DNS servers it would be
opt-in.

> I'm worried that the following scenario will break: A Fedora system on a
> uses a DNSSEC-capable resolver (validating or not) and performs its own
> DNSSEC validation, using data obtained by contacting the name servers in
> /etc/resolv.conf.  (/etc/resolv.conf is managed by NetworkManager or
> cloud-init in this scenario.)

So, yes, if you attempt to use a client-side validating resolver
against resolved's DNS stub you will not be happy. But you'll get a
clean error back, and you will find something about it in syslog. It's
not ideal, but it's usually OK, i.e. it's going to be like you talk to
a DNS server that simply cannot do DNSSEC, except better, because you
get helpful logging in syslog.

If you want a client-side validating resolver to work you need to
bypass resolved, for example using the DNS server data in
/run/systemd/resolve/resolv.conf. Or by using 8.8.8.8 or so directly...

> Since /etc/resolv.conf is already managed, I expect that after the
> upgrade, systemd-resolved will be active, with the same upstream
> recursive resolvers as before.  The new /etc/resolv.conf contents will
> point to the local systemd-resolved DNS service, though.

Exactly.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
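An added example (not part of the thread, and not systemd or Fedora code) of the bypass described above: a small POSIX shell script that decides which nameservers a client-side validating resolver should forward to. If the given /etc/resolv.conf only lists the resolved stub, it falls back to the upstream servers in the /run/systemd/resolve/resolv.conf format instead, and it also reports the DNSSEC= mode from a resolved.conf fragment. It assumes two facts about systemd-resolved that the mail does not state: the stub listener address is 127.0.0.53, and resolved.conf(5) takes DNSSEC=no, yes or allow-downgrade in its [Resolve] section. All file contents below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from systemd itself.
# Assumptions (facts about systemd-resolved, not stated in the mail):
#   - resolved's stub listener is 127.0.0.53
#   - /run/systemd/resolve/resolv.conf lists the upstream servers resolved uses
#   - resolved.conf(5) accepts DNSSEC=no|yes|allow-downgrade under [Resolve]

# Constructed sample standing in for /etc/resolv.conf in stub mode.
STUB_RESOLV_CONF='# Managed by systemd-resolved (stub mode).
nameserver 127.0.0.53
options edns0 trust-ad
search example.net'

# Constructed sample standing in for /run/systemd/resolve/resolv.conf.
UPSTREAM_RESOLV_CONF='# Upstream servers learned from the network.
nameserver 192.0.2.53
nameserver 2001:db8::53
search example.net'

# Constructed resolved.conf fragment: the non-validating default the
# mail says Fedora would ship. A commented-out line does not count.
RESOLVED_CONF='[Resolve]
#DNSSEC=allow-downgrade
DNSSEC=no'

# Print the nameserver addresses from resolv.conf text on stdin, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed (exit 0) if the resolv.conf text on stdin lists only the stub,
# i.e. every nameserver line is 127.0.0.53 and there is at least one.
points_at_stub() {
    awk 'BEGIN { ns = 0; stub = 0 }
         $1 == "nameserver" { ns++; if ($2 == "127.0.0.53") stub++ }
         END { if (ns > 0 && ns == stub) exit 0; exit 1 }'
}

# Servers a validating resolver should forward to.
#   $1: text of /etc/resolv.conf
#   $2: text of /run/systemd/resolve/resolv.conf
# Behind the stub a validator only gets answers resolved has already
# stripped of trust, so in that case bypass it and use the upstreams.
validating_resolver_upstreams() {
    if printf '%s\n' "$1" | points_at_stub; then
        printf '%s\n' "$2" | nameservers
    else
        printf '%s\n' "$1" | nameservers
    fi
}

# Print the effective DNSSEC= mode from resolved.conf text on stdin,
# or "unset" if no active DNSSEC= line is present (comments ignored).
resolved_dnssec_mode() {
    awk -F= 'BEGIN { mode = "unset" }
             /^[[:space:]]*DNSSEC[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); mode = $2 }
             END { print mode }'
}

# Demonstration on the constructed samples.
printf 'resolved DNSSEC mode: %s\n' "$(printf '%s\n' "$RESOLVED_CONF" | resolved_dnssec_mode)"
printf 'forward validating resolver to:\n'
validating_resolver_upstreams "$STUB_RESOLV_CONF" "$UPSTREAM_RESOLV_CONF"
```

With the stub-mode sample the script prints the two upstream addresses rather than 127.0.0.53; with a resolv.conf that already names real servers it returns those unchanged, which matches the mail's advice to take the server data from /run/systemd/resolve/resolv.conf when a validator is in use.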