Hi, I've been slowly integrating systemd-resolved more and more into my setups, but I had always encountered stability issues whenever the upstream DNS resolver has some kind of DNSSEC support. Setting DNSSEC=true would result in periods of no name resolution at all; leaving it at the default `allow-downgrade` would have it work most of the time, though switching DNSSEC support on and off periodically, and sometimes not being able to resolve a query that should have resolved.

The troubles seem to occur whenever the upstream DNS cannot resolve a query, but for legitimate reasons. For example, the resolver is a recursive one and the authoritative nameservers for the queried zones return SERVFAIL. The resolver passes that SERVFAIL down to systemd-resolved, which seems to take it as a sign that the upstream does not support DNSSEC, and turns the feature off. If DNSSEC=true, the resolver is then blacklisted for the duration of the grace period; if DNSSEC=allow-downgrade, the feature set is reduced.

Looking through the bug reports, I got the impression that the DNSSEC support of systemd-resolved (or at least its DNSSEC detection support) was simply in a bad shape and needed a rewrite, which was what led me to disable it. But now Fedora has brought up the proposal to switch to systemd-resolved by default, though with DNSSEC disabled by default. In that discussion Lennart Poettering mentioned that the reasons for the instabilities observed with DNSSEC support turned on are to be found in the erratic behaviour of upstream DNS resolvers, and the efforts of systemd-resolved to detect this. (See https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/AFHNUEHKC5KJVGBGSJBH2BMESUAGDF4H/ )

Please don't take this the wrong way, but I am now wondering what the correct behaviour for an upstream DNS should be.
I had tried unbound and dnsmasq in the past (of course with DNSSEC enabled and passing down the relevant RRs to resolved), and with both I encountered the instabilities. If you have a setup with systemd-resolved and DNSSEC enabled, can you tell me what the upstream DNS is running? I would like to know a "known-good" DNS server implementation, to see what it is doing differently than my unbound/dnsmasq.

Kind regards,
Fabian Pack

_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
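The post's central observation is that a bare SERVFAIL from the upstream carries no indication of *why* the lookup failed, so a stub that uses SERVFAIL as its DNSSEC-support probe cannot tell a validation failure apart from an upstream that genuinely could not resolve the name. The standard way to separate the two cases (RFC 4035, section 3.2.2) is to repeat the query with the CD (checking disabled) bit set: if the CD query succeeds, the validating resolver rejected the answer as bogus; if it still fails, the problem is upstream. The following is an added example, not code from the post, systemd or any resolver: it builds the DO-flagged queries a DNSSEC-aware stub sends, parses the header flags of the replies, and classifies them with that CD re-query rule. All responses are constructed in-line (the function `make_response`, the name `example.com` and the address `192.0.2.1` are test fixtures, not captured traffic), so it runs offline.

```python
import struct
from typing import Optional

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
EDNS0_DO = 0x00008000  # DO bit lives in the high half of the OPT "TTL" field


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, cd: bool = False) -> bytes:
    """Build a recursive query with an EDNS0 OPT record carrying the DO bit.
    With cd=True the CD bit is set, asking the resolver to skip validation."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # one question, one additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # IN class
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS0_DO, 0)
    return header + question + opt


def parse_flags(msg: bytes) -> dict:
    """Decode the header fields a stub resolver looks at when judging a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),   # resolver asserts the data was validated
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp_do: bytes, resp_cd: Optional[bytes]) -> str:
    """Classify a reply to a DO query, using the optional CD re-query to split SERVFAIL."""
    f = parse_flags(resp_do)
    if f["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "secure" if f["ad"] else "insecure"
    if f["rcode"] != RCODE_SERVFAIL:
        return "rcode-%d" % f["rcode"]
    if resp_cd is None:
        return "servfail-unknown"  # no CD probe: cannot tell bogus from upstream trouble
    g = parse_flags(resp_cd)
    if g["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "bogus"  # validation failed, data itself was reachable
    return "upstream-failure"  # fails even without validation: not a DNSSEC problem


def make_response(query: bytes, rcode: int, ad: bool, answer_ip: Optional[str] = None) -> bytes:
    """Constructed test fixture: echo the question, set QR/RD/RA, the given AD bit and RCODE,
    and optionally one A record (using a compression pointer to the question name)."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (qflags & FLAG_CD) | (FLAG_AD if ad else 0) | (rcode & 0xF)
    question = query[12:query.index(b"\x00", 12) + 5]  # qname through root label, plus qtype/qclass
    answers, ancount = b"", 0
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answers


# Constructed scenarios (not captured traffic)
Q = build_query("example.com")
Q_CD = build_query("example.com", cd=True)
SECURE = make_response(Q, RCODE_NOERROR, ad=True, answer_ip="192.0.2.1")
BOGUS_DO, BOGUS_CD = make_response(Q, RCODE_SERVFAIL, ad=False), make_response(Q_CD, RCODE_NOERROR, ad=False, answer_ip="192.0.2.1")
UPSTREAM_DO, UPSTREAM_CD = make_response(Q, RCODE_SERVFAIL, ad=False), make_response(Q_CD, RCODE_SERVFAIL, ad=False)

if __name__ == "__main__":
    print("validated answer      ->", classify(SECURE, None))
    print("SERVFAIL, CD succeeds ->", classify(BOGUS_DO, BOGUS_CD))
    print("SERVFAIL, CD fails    ->", classify(UPSTREAM_DO, UPSTREAM_CD))
```

The useful point for the situation described in the post is the `servfail-unknown` branch: without the CD re-query, the only safe reading of a SERVFAIL is "this lookup failed", not "this upstream lacks DNSSEC support", because the same rcode is what a correctly validating resolver returns for a bogus zone.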