* Lennart Poettering:

> On Do, 16.04.20 12:49, Florian Weimer (fweimer@xxxxxxxxxx) wrote:
>
>> As explained elsewhere, NetworkManager-openvpn extracts the search list
>> from OpenVPN parameters, passes that to NetworkManager, which I expect
>> will pass it to systemd-resolved in the future.
>>
>> >> Ugh. That will have to be fixed, otherwise it will break DANE/TLSA
>> >> and other DNSSEC-mandatory functionality on upgrades: the system
>> >> used to have a DNSSEC-clean path to the outside world, and after
>> >> the switch to systemd-resolved, it won't.
>> >
>> > I think that, if you need DNSSEC, you will just need to enable it
>> > manually. I think >99% of users won't need to do this, and it's a
>> > one-line config file change for power users who do need it, just edit
>> > /etc/systemd/resolved.conf and then restart systemd-resolved
>> > service. Problem is that DNSSEC is just not safe to enable by
>> > default. :(
>>
>> See my message to Lennart about separate DO/CD query caching.
>>
>> My point is that these users *have* enabled DNSSEC in their
>> infrastructure, and we break what they have during an update (assuming
>> that DNSSEC=off means that systemd-resolved turns DNSSEC-unaware, rather
>> than just disabling validation).
>
> Maybe a safer bet might be to leave resolved off during upgrades on
> the server edition?

A Fedora upgrade can also mean reprovision from start via
kickstart/ansible, so I assume that this isn't a proper mitigation,
sorry.

> I don't think we can reliably determine whether people have deployed
> things in a way that relies on /etc/resolv.conf only listing a fully
> blown DNS server or who are fine with it being a more restricted stub
> like systemd-resolved.

Unfortunately, I see something similar to what Tom Hughes reported
earlier: dig +dnssec responses are not even correctly formatted. The CD
query flag is not handled, either. The AD bit is not set on validated
responses.

I also see some really strange stability issues. It seems that resolved
is incorrectly blacklisting upstream servers with an incompatible-server
error after a validation failure.

This is with systemd-245.4-1.fc33.x86_64 in rawhide. Is this
approximately what will land in Fedora 33? Or is this old code, long
replaced upstream?

Thanks,
Florian
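The stub behaviour Florian reports (CD flag not handled, AD bit absent, malformed +dnssec replies) can be checked against any resolver with a small probe. The following Python script is an added example, not code from the thread or from systemd: it sends a query with the CD header flag and the EDNS0 DO bit set and reports whether the reply echoes CD, sets AD, keeps DO in its OPT record and carries RRSIG records. The resolver address 127.0.0.53 (systemd-resolved's default stub) and the query name are assumptions.

```python
import socket
import struct

TYPE_OPT, TYPE_RRSIG = 41, 46  # EDNS0 OPT pseudo-RR and RRSIG record types

def build_query(name, qid=0x1234, do=True, cd=True):
    """UDP query with RD (+CD) in the header and an OPT RR carrying the DO bit."""
    flags = 0x0100 | (0x0010 if cd else 0)                # RD, optionally CD
    hdr = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (the OPT RR)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)           # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0, flags (DO), rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000 if do else 0, 0)
    return hdr + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off

def inspect_response(msg):
    """DNSSEC-relevant signals in a reply: rcode, AD, CD, DO and RRSIG presence."""
    _qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # skip QTYPE + QCLASS
    info = {"rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "do": False, "rrsig": False}
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        if rtype == TYPE_RRSIG:
            info["rrsig"] = True
        elif rtype == TYPE_OPT:
            info["do"] = bool(ttl & 0x8000)  # OPT reuses the TTL field for ext-rcode/version/flags
        off += 10 + rdlen
    return info

def probe(name="example.com", server="127.0.0.53", timeout=3.0):
    """Query a resolver (assumed: the local systemd-resolved stub) and inspect its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return inspect_response(data)
```

A stub that merely forwards DNSSEC material should echo CD, keep DO set and return RRSIGs for a signed name; a reply with none of these means validation on the client side is no longer possible through that path.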