On 04. 06. 22 12:09, Peter Boy wrote:
Is there anywhere a kind of a list of said set of problems? Dnsmasq is currently the only tool that provides seamless split DNS in all (or at least very many) circumstances. So I’m going to change our Fedora Server documentation to recommend (and describe) setting up dnsmasq.
The problem with dnsmasq is it has just a single upstream maintainer.
Adding new features takes time and they are also not well tested. But as
its maintainer I think it works much better than resolved. But I admit it
has a much worse runtime reconfiguration interface, though it is capable of
doing what is required.
That may be true for enterprise usage. For the large number of private stand-alone servers or SME servers, DNSSEC is not more important than for desktops.
Depends. Servers often produce many more queries, which would have a
higher impact if the cache were poisoned. DNSSEC protects against that.
Unlike the weird networks a laptop can be connected to, which do not pass
the required DNSSEC records, data centers usually provide perfect service
including fully working DNSSEC. There should not often be a reason to turn
it off.
And split DNS is especially necessary when a server hosts libvirt/KVM VMs. In order to address its VMs (e.g. monitoring tools or forwarding services), the host must query the libvirt dnsmasq instance. This has been broken since F34/F35 with systemd-resolved. The only reliable way I know of is a second dnsmasq instance, most easily as an NM plugin.
I have just started a discussion about this topic in our internal
tech-list. I think there should be a common interface for services which
provide any kind of network with dynamic DNS to integrate a subdomain into
the main host cache. Whether you use dnsmasq, unbound, systemd-resolved or
knot-resolver, it should not matter how well integrated they can be. If
the server has runtime reconfiguration ability, there should be a common
way for it to allow subdomain redirection. If you use both podman and
libvirt, they should be able to access each other via names. But that
would be for an entirely different thread.
So we need a way to configure DNS resolution based on custom needs in every single case, at least until systemd-resolved has resolved all the issues (it is a very nice and elegant solution, I think).
Wouldn’t systemd-resolved being in an enabled or disabled state be a valid indicator of what a sysadmin wants to use and whether to replace a resolv.conf file by a symbolic link or vice versa?
--
Peter Boy
https://fedoraproject.org/wiki/User:Pboy
pboy@xxxxxxxxxxxxxxxxx
Timezone: CET (UTC+1) / CEST (UTC+2)
Fedora Server Edition Working Group member
Fedora docs team contributor
Java developer and enthusiast
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
I have filed an attempt to improve the situation with /etc/resolv.conf
ownership in PR [1], but it was not well received. I think resolved
takes over /etc/resolv.conf even in cases where it should not. If you
disable systemd-resolved, it leaves your system without working
resolution. Even a reboot would not fix it automatically. It is fine to
have /etc/resolv.conf missing in some cases, but that is not supported
by resolved.
1. https://github.com/systemd/systemd/pull/21317
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
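The split-DNS setup described in the thread (a second dnsmasq instance run as NetworkManager's dns plugin, forwarding the libvirt VM domain to libvirt's own dnsmasq), written out as an added example. This is not code from the thread, from dnsmasq or from the Fedora Server documentation. It assumes libvirt's "default" network carries <domain name='vm.lan' localOnly='yes'/> and that libvirt's dnsmasq answers on 192.168.122.1 for 192.168.122.0/24; the domain, subnet, VM name and drop-in file names are assumptions to adjust. Rendering the config is kept separate from applying it so the output can be inspected first, and the apply step removes the dangling /etc/resolv.conf symlink that is left behind when systemd-resolved is disabled, which is the "no working resolution after disabling" situation mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread: run NetworkManager's dnsmasq plugin as
# the host resolver and forward the libvirt VM domain to libvirt's dnsmasq.
# Assumptions (adjust to your network): libvirt's "default" network carries
# <domain name='vm.lan' localOnly='yes'/> and its dnsmasq answers on
# 192.168.122.1 for 192.168.122.0/24.
set -eu

VM_DOMAIN="${VM_DOMAIN:-vm.lan}"
VM_NET="${VM_NET:-192.168.122.0/24}"
VM_DNS="${VM_DNS:-192.168.122.1}"
NM_CONF="/etc/NetworkManager/conf.d/00-dns-dnsmasq.conf"
DNSMASQ_CONF="/etc/NetworkManager/dnsmasq.d/10-libvirt.conf"  # read by NM's dnsmasq

# Drop-in for NetworkManager's dnsmasq: only the VM domain and the VM subnet's
# reverse zone go to libvirt's dnsmasq; everything else follows the upstream
# servers NetworkManager learned from the connection.
render_dnsmasq_conf() {
    domain="$1"; net="$2"; dns="$3"
    cat <<EOF
# forward VM names to libvirt's dnsmasq
server=/$domain/$dns
# same for PTR lookups of the VM subnet (sugar for server=/x.in-addr.arpa/)
rev-server=$net,$dns
EOF
}

# Tell NetworkManager to manage DNS through its dnsmasq plugin.
render_nm_conf() {
    printf '[main]\ndns=dnsmasq\n'
}

# Write both files, hand /etc/resolv.conf back to NetworkManager and restart it.
# Disabling systemd-resolved leaves /etc/resolv.conf as a dangling symlink to
# its stub file, which NetworkManager will not replace on its own; removing
# it lets NetworkManager recreate it pointing at 127.0.0.1 (its dnsmasq).
apply_split_dns() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_split_dns: run as root" >&2; return 1; }
    render_nm_conf > "$NM_CONF"
    render_dnsmasq_conf "$VM_DOMAIN" "$VM_NET" "$VM_DNS" > "$DNSMASQ_CONF"
    systemctl disable --now systemd-resolved
    rm -f /etc/resolv.conf
    systemctl restart NetworkManager
}

# Check: the VM name must resolve directly at libvirt's dnsmasq and give the
# same answer through the host resolver (what monitoring tools actually use).
check_split_dns() {
    vm="${1:?usage: check_split_dns <vm-name>}"
    virsh net-dumpxml default | grep -q "<domain name='$VM_DOMAIN'" \
        || { echo "libvirt network 'default' has no domain $VM_DOMAIN" >&2; return 1; }
    direct="$(dig +short "@$VM_DNS" "$vm.$VM_DOMAIN")"
    viahost="$(getent hosts "$vm.$VM_DOMAIN" | awk '{print $1}')"
    [ -n "$direct" ] || { echo "libvirt's dnsmasq does not know $vm" >&2; return 1; }
    [ "$direct" = "$viahost" ] \
        || { echo "host resolver answered '$viahost', expected '$direct'" >&2; return 1; }
    echo "$vm.$VM_DOMAIN -> $direct (split DNS working)"
}

case "${1:-}" in
    apply) apply_split_dns ;;
    check) check_split_dns "${2:-}" ;;
esac
```

Usage: run the script with "apply" as root once, start a guest that registers with libvirt's DHCP, then run it with "check <guest-name>". If the check fails at the first step, set the domain on the libvirt network (virsh net-edit default) before anything else; without it libvirt's dnsmasq has no zone to answer for.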