On Mon, Jun 06, 2016 at 03:17:51PM +0100, Robie Basak wrote:
> There's a thread here on Ubuntu and systemd-resolved:
> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html
>
> It looks like there is some credible criticism here that is worth
> considering.
They do have some very very good points, my main concerns after reading the e-mail above are:

- Anything which doesn't use the C library resolving functions, which would include any static binary bundling its own copy of those, will fall back to /etc/resolv.conf and not get split DNS information or the desired fallback mechanism. This is likely to affect a whole bunch of Go binaries and similar statically built pieces of software. It will also, probably more visibly, affect web browsers, which have recently all switched to doing their own DNS resolving.

- This breaks downstream DNSSEC validation. Mail servers and some web browsers require the ability to read the DNSSEC validation result from the DNS reply. Those therefore don't use the libc resolving functions and instead do the DNS request themselves; they'd then fall into the above problem where they'd use /etc/resolv.conf and miss any split DNS or similar configuration done inside resolved.

- Some concerns about it broadcasting queries to all DNS servers rather than just the one it's supposed to use for a given domain. Hopefully this was just mis-configuration and not how resolved actually works, as this would be a pretty big privacy issue.

- Not having resolved offer a DNS service itself means we can't properly daisy-chain our other DNS/DHCP servers like the dnsmasq instances we use for LXC, LXD and libvirt. That means that the containers and virtual machines will not be getting the same DNS view as the host, being restricted to hitting only the servers in the host /etc/resolv.conf without any awareness of split view DNS.

Unless the above can be fixed somehow, and I very much doubt resolved will grow a DNS server any time soon, the switch to resolved mostly feels like a regression over the existing resolvconf+dnsmasq setup we've got right now and which, in my experience at least, has been working pretty well for us.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
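To make the second concern concrete, here is an added example (not code from the thread or from systemd) of the raw DNS work an application has to do to learn the validation result: it sets the EDNS0 DO bit on the query and reads the AD flag from the reply header, which the libc getaddrinfo() path never exposes. The two sample replies are constructed header-only packets; the hostname is a placeholder.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS wire labels (length-prefixed, NUL-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query: RD set, one question, plus an EDNS0 OPT record
    carrying the DO (DNSSEC OK) bit so a validating resolver reports status."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, type 41, "class" = UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | flags(16); DO is the top flag bit.
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_flags(response):
    """Decode the 16-bit flags word of a DNS reply header.
    AD is the bit a getaddrinfo() caller can never see; apps needing it read it here."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated the answer
        "cd": bool(flags & 0x0010),   # Checking Disabled: client asked to skip validation
        "rcode": flags & 0x000F,
    }

def validation_status(response):
    """'secure' only when the upstream resolver asserted AD; anything else is untrusted."""
    f = parse_flags(response)
    if f["rcode"] != 0:
        return "error"
    return "secure" if f["ad"] else "insecure-or-unknown"

# Constructed sample replies (header only, no answer section) for the demo.
REPLY_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)    # QR RD RA AD
REPLY_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)  # QR RD RA

if __name__ == "__main__":
    q = build_query("example.com")  # placeholder name
    print(len(q), "byte query; DO bit set:", q[-6:-2] == b"\x00\x00\x80\x00")
    print(validation_status(REPLY_VALIDATED), "/", validation_status(REPLY_UNVALIDATED))
```

Because the app sends this packet itself, the server it reaches is whatever /etc/resolv.conf names, not the per-link servers resolved knows about; that is the gap the message describes.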