Public bug reported:

Back in December, the default for systemd-resolved caching in Ubuntu
systemd was changed to "no-negative" from the upstream default "yes" [0]

In this change, the default value in the resolved.conf file was missed.
As the defaults in this file are commented, the effective default is
still "no-negative", however when viewing the config file, the commented
default "yes" is at odds with the man page resolved.conf(5), which
correctly states the default as "no-negative".

This was an issue for me as I set DNSSEC to "yes", and expected Caching
to also be "yes". Running DNSSEC with the default "no-negative" Caching
is detrimental to performance resolving unsigned zones, as the non-
existence of DNSSEC RRs must be looked up every time.

The issue with the intersection of DNSSEC and Caching is for upstream,
but the least that needs to be done here is updating the resolved.conf
template with "Caching=no-negative" to match the man page and behaviour,
and perhaps even adding a note to the "DNSSEC=" section of
resolved.conf(5) that Caching should be enabled. Now that I'm looking at
that man page, the default for DNSSEC is also listed as "allow-
downgrade", whereas the default for Ubuntu is "no".

[0] https://git.launchpad.net/~ubuntu-core-
dev/ubuntu/+source/systemd/commit/?id=b42658843a9496d6b6bb68ac159f2a9f0a8ba9db&h
=ubuntu-focal

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1895418

Title:
  systemd-resolved default config for Caching is still "yes"

Status in systemd package in Ubuntu:
  New

Bug description:
  Back in December, the default for systemd-resolved caching in Ubuntu
  systemd was changed to "no-negative" from the upstream default "yes"
  [0]

  In this change, the default value in the resolved.conf file was
  missed. As the defaults in this file are commented, the effective
  default is still "no-negative", however when viewing the config file,
  the commented default "yes" is at odds with the man page
  resolved.conf(5), which correctly states the default as "no-negative".

  This was an issue for me as I set DNSSEC to "yes", and expected
  Caching to also be "yes". Running DNSSEC with the default "no-
  negative" Caching is detrimental to performance resolving unsigned
  zones, as the non-existence of DNSSEC RRs must be looked up every
  time.

  The issue with the intersection of DNSSEC and Caching is for upstream,
  but the least that needs to be done here is updating the resolved.conf
  template with "Caching=no-negative" to match the man page and
  behaviour, and perhaps even adding a note to the "DNSSEC=" section of
  resolved.conf(5) that Caching should be enabled. Now that I'm looking
  at that man page, the default for DNSSEC is also listed as "allow-
  downgrade", whereas the default for Ubuntu is "no".

  [0] https://git.launchpad.net/~ubuntu-core-
  
dev/ubuntu/+source/systemd/commit/?id=b42658843a9496d6b6bb68ac159f2a9f0a8ba9db&h
  =ubuntu-focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1895418/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to