I have a configuration that works well using PowerDNS Recursive Resolver (running locally in my network, not provided by my ISP or anyone upstream).

On Thu, Apr 16, 2020 at 12:46 PM Fabian Bernhard Pack <gigadoc2@xxxxxxxxxx> wrote:
>
> Hi,
>
> I've been slowly integrating systemd-resolved more and more into my
> setups, but I had always encountered stability issues whenever the
> upstream DNS resolver has some kind of DNSSEC support. Setting
> DNSSEC=true would result in periods of no name resolution at all;
> leaving it at the default `allow-downgrade` would have it work most of
> the time, though switching DNSSEC support on and off periodically, and
> sometimes not being able to resolve a query that should have resolved.
>
> The troubles seem to occur whenever the upstream DNS cannot resolve a
> query, but for legitimate reasons. For example, the resolver is a
> recursive one and the authoritative nameservers for the queried zones
> return SERVFAIL. The resolver passes that SERVFAIL down to systemd-
> resolved, which seems to take it as a sign that the upstream does not
> support DNSSEC, and turns the feature off. If DNSSEC=true, the resolver
> is then blacklisted for the duration of the grace period; if
> DNSSEC=allow-downgrade, the feature set is reduced.
>
> Looking through the bug reports, I got the impression that the DNSSEC
> support of systemd-resolved (or at least its DNSSEC detection support)
> was simply in a bad shape and needed a rewrite, which was what led me
> to disable it.
> But now Fedora has brought up the proposal to switch to systemd-
> resolved by default, though with DNSSEC disabled by default. In that
> discussion Lennart Poettering mentioned that the reasons for the
> instabilities observed with DNSSEC support turned on are to be found in
> the erratic behaviour of upstream DNS resolvers, and the efforts of
> systemd-resolved to detect this.
> (See
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/AFHNUEHKC5KJVGBGSJBH2BMESUAGDF4H/
> )
>
> Please don't take this the wrong way, but I am now wondering what the
> correct behaviour for an upstream DNS should be. I had tried unbound
> and dnsmasq in the past (of course with DNSSEC enabled and passing down
> the relevant RRs to resolved), and with both I encountered the
> instabilities.
> If you have a setup with systemd-resolved and DNSSEC enabled, can you
> tell me what the upstream DNS is running? I would like to know a
> "known-good" DNS server implementation, to see what it is doing
> different than my unbound/dnsmasq.
>
> Kind regards,
> Fabian Pack
>
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
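The quoted message turns on what an upstream recursor hands back to a stub that asks with the EDNS0 DO bit set: RRSIGs plus the AD flag, RRSIGs without AD, an answer with the DNSSEC records stripped, or a SERVFAIL. The probe below is an added example for this thread, not code from systemd-resolved, PowerDNS, unbound or dnsmasq. It builds a DO=1 query by hand, parses the reply header and record types, and labels the outcome; the four "replies" it classifies are constructed wire messages, not captures from any real resolver, and the label names (`rrsig-ad`, `servfail`, ...) are this example's own. The `probe()` helper sends the same query to a real server over UDP if you want to run it against your own upstream.

```python
"""Probe an upstream resolver the way a DNSSEC-aware stub does: send a query with
EDNS0 and DO=1, then look at RCODE, the AD flag and whether RRSIGs came back.
Added example for the systemd-devel thread; not code from any resolver project."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # DO bit is the top bit of the OPT RR's TTL field (RFC 3225)


def encode_name(name):
    """Wire-format a dotted name without compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, do_bit=True):
    """Recursive query; with do_bit an OPT RR (4096-byte payload, DO=1) is appended."""
    arcount = 1 if do_bit else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do_bit:
        # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def skip_name(msg, off):
    """Offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """RCODE, AD flag and the record types present in all sections."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        types.append(rtype)
    return {"txid": txid, "rcode": flags & 0x0F, "ad": bool(flags & FLAG_AD), "types": types}


def classify(resp):
    """Label a reply to a DO=1 query for a name you know lives in a signed zone.

    A SERVFAIL from a validating recursor normally means the data failed validation
    or the authoritatives are broken; it is not evidence that the recursor itself
    lacks DNSSEC support, which is the distinction the thread is about."""
    if resp["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if resp["rcode"] != RCODE_NOERROR:
        return "rcode-%d" % resp["rcode"]
    if TYPE_RRSIG not in resp["types"]:
        return "no-rrsig"  # RRSIGs stripped (or zone unsigned): nothing for the stub to validate
    return "rrsig-ad" if resp["ad"] else "rrsig-no-ad"


def probe(server, name, timeout=3.0):
    """Send the DO=1 query over UDP and classify the reply (needs network; unused below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != 0x1234:
        raise ValueError("transaction id mismatch")
    return classify(resp)


# --- constructed sample replies; not captured from any real resolver --------------
def make_reply(name, rcode, ad, answer_types, txid=0x1234):
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answer_types), 0, 1)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype in answer_types:
        rdata = b"\x0a\x00\x00\x01" if rtype == TYPE_A else b"\x00" * 8  # dummy rdata
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # echoed OPT
    return msg


SAMPLES = {
    "validating recursor, signed zone": make_reply("example.", RCODE_NOERROR, True, [TYPE_A, TYPE_RRSIG]),
    "rrsigs passed, not validated": make_reply("example.", RCODE_NOERROR, False, [TYPE_A, TYPE_RRSIG]),
    "rrsigs stripped by forwarder": make_reply("example.", RCODE_NOERROR, False, [TYPE_A]),
    "zone fails validation upstream": make_reply("example.", RCODE_SERVFAIL, False, []),
}


def classify_samples():
    return {label: classify(parse_response(wire)) for label, wire in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print("%-34s -> %s" % (label, verdict))
```

Run it as-is to see the four constructed cases labelled, or call `probe("192.0.2.53", "example.")` with your own upstream's address and a name in a zone you know is signed; only the `servfail` and `no-rrsig` outcomes tell you something went wrong between the authoritatives and your stub, and which of the two you see is exactly the information a stub needs before it decides the upstream "does not support DNSSEC".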