Monday 6 June 2016

Re: ANN: DNS resolver changes in yakkety

On Mon, Jun 06, 2016 at 03:17:51PM +0100, Robie Basak wrote:
> There's a thread here on Ubuntu and systemd-resolved:
> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html
>
> It looks like there is some credible criticism here that is worth
> considering.

They do have some very, very good points; my main concerns after reading
the e-mail above are:

- Anything which doesn't use the C library resolving functions, which
would include any static binary bundling its own copy of those, will
fall back to /etc/resolv.conf and not get split DNS information or the
desired fallback mechanism.

This is likely to affect a whole bunch of Go binaries and similar
statically built pieces of software. It will also, probably more visibly,
affect web browsers, which have recently all switched to doing their own
DNS resolving.

- This breaks downstream DNSSEC validation. Mail servers and some web
browsers require the ability to read the DNSSEC validation result from
the DNS reply. Those therefore don't use the libc resolving functions
and instead do the DNS request themselves; they'd then fall into the
above problem where they'd use /etc/resolv.conf and miss any split DNS
or similar configuration done inside resolved.

- Some concerns about it broadcasting queries to all DNS servers rather
than just the one it's supposed to use for a given domain. Hopefully
this was just misconfiguration and not how resolved actually works, as
this would be a pretty big privacy issue.

- Not having resolved offer a DNS service itself means we can't
properly daisy-chain our other DNS/DHCP servers like the dnsmasq
instances we use for LXC, LXD and libvirt. That means that the
containers and virtual machines will not be getting the same DNS view as
the host, being restricted to hitting only the servers in the host
/etc/resolv.conf without any awareness of split view DNS.

Unless the above can be fixed somehow, and I very much doubt resolved
will grow a DNS server any time soon, the switch to resolved mostly
feels like a regression over the existing resolvconf+dnsmasq setup we've
got right now and which, in my experience at least, has been working
pretty well for us.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
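The first two concerns above share one mechanism: a program that reads /etc/resolv.conf itself (a static Go binary, a browser with its own resolver, a DNSSEC-validating mail server) sends every query to the nameservers listed there and never learns the per-domain routing that a split-DNS-aware resolver applies. The following script is an added illustration, not code from the mailing-list thread or from systemd or Ubuntu. It parses a resolv.conf (a constructed sample embedded inline), applies a constructed split-DNS table with longest-suffix matching, and reports which names a bypassing client would send to the wrong server. The function names, the table and the addresses (RFC 5737 documentation space and private ranges) are all assumptions made for the example.

```python
"""Show which queries a libc-bypassing client misroutes when it reads
/etc/resolv.conf directly instead of going through a split-DNS-aware
resolver.  Added example; the file content and split table are constructed."""
import ipaddress

# Constructed /etc/resolv.conf: only the public upstream is listed, as on
# a host whose resolver daemon does not itself offer a DNS service.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host's file
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver not-an-address
search example.internal corp.example
options timeout:2 attempts:2
"""

# Constructed split-DNS view: domain suffix -> servers that should serve it.
# A resolver daemon that knows this table routes queries accordingly; a
# client reading resolv.conf directly never sees it.
SPLIT_DNS = {
    "corp.example": ["10.1.1.1"],
    "dev.corp.example": ["10.1.1.2"],
    "example.internal": ["10.0.0.53"],
}


def parse_resolv_conf(text):
    """Parse resolv.conf into nameservers, search list and options.

    Mirrors the libc conventions that matter here: '#' and ';' start a
    comment, unparsable nameserver lines are skipped, and the last
    'search'/'domain' line wins.
    """
    conf = {"nameserver": [], "search": [], "options": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            try:
                conf["nameserver"].append(str(ipaddress.ip_address(values[0])))
            except ValueError:
                continue  # not an IP address: ignored, as glibc does
        elif key in ("search", "domain"):
            conf["search"] = values
        elif key == "options":
            conf["options"].extend(values)
    return conf


def servers_for(name, split_dns, default_servers):
    """Servers a split-DNS-aware resolver would use for `name`.

    Longest matching domain suffix wins; names outside every configured
    domain fall through to the default (upstream) servers.
    """
    name = name.rstrip(".").lower()
    best = None
    for domain in split_dns:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return list(split_dns[best]) if best else list(default_servers)


def bypass_mismatches(resolv_text, split_dns, names):
    """Names whose queries land on the wrong server when a client reads
    resolv.conf directly.  Such a client tries the first nameserver and only
    falls back to later ones on timeout, so the first entry is what it hits."""
    conf = parse_resolv_conf(resolv_text)
    direct = conf["nameserver"]
    if not direct:
        raise ValueError("resolv.conf lists no usable nameserver")
    first_hit = direct[0]
    mismatches = {}
    for name in names:
        expected = servers_for(name, split_dns, direct)
        if first_hit not in expected:
            mismatches[name] = {"expected": expected, "bypass_sends_to": first_hit}
    return mismatches


if __name__ == "__main__":
    # Constructed query names: two inside split domains, one public.
    names = ["intranet.corp.example", "ci.dev.corp.example",
             "db.example.internal.", "www.example.org"]
    for name, info in bypass_mismatches(SAMPLE_RESOLV_CONF, SPLIT_DNS, names).items():
        print(f"{name}: bypassing client queries {info['bypass_sends_to']}, "
              f"split DNS expects {info['expected']}")
```

Run as a script it prints the three misrouted names; the public name produces no line because the upstream server is the right answer for it either way. The same check applies to the DNSSEC case in the second bullet: a validating application that builds its own queries is, from the routing point of view, just another bypassing client.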