On Do, 16.04.20 17:14, Florian Weimer (fweimer@xxxxxxxxxx) wrote:

> > I don't think we can reliably determine whether people have deployed
> > things in a way that relies on /etc/resolv.conf only listing a fully
> > blown DNS server or who are fine with it being a more restricted stub
> > like systemd-resolved.
>
> Unfortunately, I see something similar to what Tom Hughes reported
> earlier: dig +dnssec responses are not even correctly formatted. The CD
> query flag is not handled, either. The AD bit is not set on validated
> responses. I also see some really strange stability issues. It seems
> that resolved is incorrectly blacklisting upstream servers with an
> incompatible-server error after a validation failure.

Again, we do not support DNSSEC from client to the stub. If you set CD,
we'll return NOTIMP as rcode, indicating that. We do not implement a full
DNS server, but just enough for local stub clients (such as the one
implemented in glibc or Java) to work. If you want the full DNSSEC client
stuff, talk directly to the upstream DNS server.

We set AD only if we managed to authenticate ourselves, which can be via
DNSSEC if that's enabled to the upstream DNS server. We also set it for
hosts we read from /etc/hosts (i.e. a source owned by root).

If you saw "incompatible server", this looks like you left DNSSEC on
between resolved and the upstream DNS server? Again, this is not what we
intend to do in Fedora.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
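The behaviour Lennart describes (a CD query answered with rcode NOTIMP, AD set only on answers the stub authenticated itself) can be checked from a plain socket without dig. The following is an added example, not code from the thread or from systemd-resolved: it builds a minimal DNS query header with the CD bit, decodes the flags word of a reply, and classifies the reply against the stated behaviour. The two sample replies are constructed byte strings, not captures from a real resolver, and the server address 127.0.0.53 in the usage comment is an assumption about where a local stub listens.

```python
import socket
import struct

# DNS header flag bits in the 16-bit flags word (RFC 1035, RFC 4035).
QR = 1 << 15          # query/response
RD = 1 << 8           # recursion desired
RA = 1 << 7           # recursion available
AD = 1 << 5           # authenticated data (RFC 4035)
CD = 1 << 4           # checking disabled (RFC 4035)
RCODE_MASK = 0xF
RCODE_NOERROR = 0
RCODE_NOTIMP = 4


def build_query(name, qtype=1, txid=0x1234, cd=False):
    """Build a minimal DNS query for `name` (QTYPE A by default).
    With cd=True the CD bit is set, asking the server to skip DNSSEC
    validation, which is the flag the mail says a stub may reject."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(msg):
    """Decode the 12-byte DNS header and return the fields relevant here."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "answers": an,
    }


def classify(resp, sent_cd):
    """Interpret a reply against the behaviour described in the mail:
    a stub without client-side DNSSEC answers a CD query with NOTIMP and
    sets AD only on data it authenticated itself."""
    h = parse_header(resp)
    if sent_cd and h["rcode"] == RCODE_NOTIMP:
        return "stub: CD not supported (NOTIMP)"
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "authenticated answer (AD set)"
    if h["rcode"] == RCODE_NOERROR:
        return "unauthenticated answer (AD clear)"
    return "rcode %d" % h["rcode"]


def probe(server, name, cd, timeout=2.0):
    """Send one UDP query to `server` and classify the reply (needs network)."""
    q = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(resp, cd)


# Constructed sample reply headers (not captured from a real resolver):
# a NOTIMP reply to a CD query, and a NOERROR reply with AD set.
SAMPLE_NOTIMP = struct.pack("!HHHHHH", 0x1234,
                            QR | RD | RA | CD | RCODE_NOTIMP, 1, 0, 0, 0)
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234,
                        QR | RD | RA | AD | RCODE_NOERROR, 1, 1, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_NOTIMP, sent_cd=True))
    print(classify(SAMPLE_AD, sent_cd=False))
    # Against a local stub (address is an assumption):
    # print(probe("127.0.0.53", "example.org", cd=True))
```

Running `probe()` once with `cd=True` and once with `cd=False` against the stub and then against the upstream server directly shows which of the two the client is actually talking to, which is the distinction the mail draws.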