Re: Fedora 33 System-Wide Change proposal: systemd-resolved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Fri, Apr 17, 2020 at 8:34 AM Chris Adams <linux@xxxxxxxxxxx> wrote:
Once upon a time, Lennart Poettering <mzerqung@xxxxxxxxxxx> said:
> The DNS servers in edge routers are awful at supporting
> either. i.e. the DNS servers you usually get informed about in DHCP
> leases are typically too crap at supporting either kind of DNSSEC (and
> that for a reason actually, these devices generally define their own
> private, local DNS names (e.g. "fritz.box"), which couldn't possibly
> be validated with DNSSEC, because they are made up and local.)

That might be true if you are just considering residential users with
cheap gateways as your only use case (but even then, most of those run
dnsmasq, which has gotten a lot better).  However, there are lots of
other use cases.

> We
> intend to implement the "AD" stuff however correctly for this, but
> this isn't tested much since pretty much noone except for a few DNS
> devs actually set this, hence there might be issues, which might be
> what Florian found.

Advertising yourself as a "nameserver" in /etc/resolv.conf means you get
to handle all the requests, including the ones you didn't think about or
want to just dismiss as only of interest "a few DNS devs".  That's the
only standard way for software to find DNS servers to use for any
purpose.  Returning errors to clients for things you don't care about is
basically useless, because they have no other way to get that
information when actual DNS servers aren't in /etc/resolv.conf.

If systemd-resolved is not going to implement a standards-compliant DNS
server (and not just "we return errors to things we don't care about",
but actual current DNS standards), then it does not belong in
/etc/resolv.conf.  Listening on the system bus as an alternative, to
implment gethostbyname/getaddrinfo/etc., is fine, but don't pretend to
be an actual DNS server and go in /etc/resolv.conf.

I tend to agree.  Right now, a client-side resolving validator works on Fedora.  This change proposal breaks that.  Could resolved be extended to pass DNSSEC data through correctly so that client side validation will continue to work?
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux