* Lennart Poettering:

> On Do, 16.04.20 17:14, Florian Weimer (fweimer@xxxxxxxxxx) wrote:
>
>> > I don't think we can reliably determine whether people have deployed
>> > things in a way that relies on /etc/resolv.conf only listing a fully
>> > blown DNS server or who are fine with it being a more restricted stub
>> > like systemd-resolved.
>>
>> Unfortunately, I see something similar to what Tom Hughes reported
>> earlier: dig +dnssec responses are not even correctly formatted. The CD
>> query flag is not handled, either. The AD bit is not set on validated
>> responses. I also see some really strange stability issues. It seems
>> that resolved is incorrectly blacklisting upstream servers with an
>> incompatible-server error after a validation failure.
>
> Again, we do not support DNSSEC from client to the stub.

I don't think this change is ready for Fedora, then.

> If you set CD we'll return NOTIMP as rcode, indicating that. We do not
> implement a full DNS server, but just enough for local stub clients
> (such as the one implemented in glibc or Java) to work.

Sorry? RES_USE_DNSSEC is part of the glibc stub resolver. It does not
work anymore. The libunbound validator is broken by this, too.

> If you want the full DNSSEC client stuff, talk directly to the
> upstream DNS server.

How? The address is no longer in /etc/resolv.conf. According to the
change proposal, this also endangers Denise, who relies on the request
routing in systemd-resolved.

Thanks,
Florian
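
The header bits discussed in this message, as an added example that is not part of the original thread or of any project named in it: the code encodes a query with the CD flag and the EDNS0 DO bit, then reads AD, CD and the rcode back from a response. All function names and the sample responses are constructed for illustration; the NOTIMP sample follows the behaviour described in the quoted text and is not captured output.

```python
import struct

# DNS header flag masks (RFC 1035, RFC 4035)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, cd=False, do=False, txid=0x1234):
    """Encode a query; cd sets Checking Disabled, do adds an EDNS0 OPT RR with DO set."""
    header = struct.pack("!6H", txid, RD | (CD if cd else 0), 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!2H", qtype, 1)  # QCLASS IN
    if do:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL field carries the DO bit (0x8000), empty RDATA
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return msg

def read_flags(msg):
    """Return the DNSSEC-relevant header fields of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!2H", msg[:4])
    if not flags & QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {"txid": txid, "rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & AD), "cd": bool(flags & CD)}

def dnssec_verdict(query, response):
    """Classify what a DNSSEC-aware client can conclude from one exchange."""
    q_txid, q_flags = struct.unpack("!2H", query[:4])
    r = read_flags(response)
    if r["txid"] != q_txid:
        return "mismatched transaction ID"
    if q_flags & CD and r["rcode"] == "NOTIMP":
        return "CD rejected: local validation not possible via this server"
    if r["rcode"] != "NOERROR":
        return "rcode " + r["rcode"]
    return "AD set: server asserts validation" if r["ad"] \
        else "answer without AD: not marked as validated"

def sample_response(query, flags):
    """Constructed sample: the query's sections under a response header, no answers."""
    txid, _f, qd, _an, _ns, ar = struct.unpack("!6H", query[:12])
    return struct.pack("!6H", txid, flags, qd, 0, 0, ar) + query[12:]
```
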