Tuesday, 7 June 2016

Re: ANN: DNS resolver changes in yakkety

Stéphane Graber [2016-06-07 12:22 -0400]:
> So, minus the security problems that have been mentioned so far, I can't
> think of any major problems with using resolved on servers.

It would be as you said that some Go programs and python-dns don't use
NSS and thus won't respect per-domain DNS servers (nor mdns, or
nss-ldap, nss-winbind, nss-mymachines, etc.)

> We'll definitely want to make sure that it doesn't start in containers
> by default as that'd significantly increase the process count for no
> good reason on systems with hundreds or thousands of containers.

Yes, simple enough to add ConditionVirtualization=!lxc to resolved or

> And it'd be nice if there was a way to only have resolved run when we
> have multiple DNS servers as otherwise, with caching disabled (and I
> suspect we will turn it off), it'd just make things slower.

It still provides DNSSEC validation, if only in "allow downgrade" mode
for now (we have to start slow). And there's no problem in caching

> Yeah, we certainly don't want dnsmasq running on servers.

So if we can't use resolved because of Go programs, and shouldn't use
dnsmasq (or similar DNS servers) on servers, then what *should* we use
on servers then?

> And so long as having a common solution can be done without regressions
> and without hand wavy answers like "web browsers will just have to
> switch to some new systemd DBUS API", I don't mind the change.

Oh, come on.. NSS is neither a systemd API nor is it "new" in any
sense of the word.. it's decades old, and with not doing it you have a
lot of other breakage/restrictions. But, as Go is apparently our new
hotness, we have to live with it I guess.

> In order to reach your goal without breaking anything, I suspect we'd
> either need to have resolved offer a local DNS server which can be put
> ahead of everything else in /etc/resolv.conf, similar to what we do with
> dnsmasq.

Turning resolved into a DNS server (which it doesn't aim/want to be)
would be rather pointless IMHO. Then we can just as well use dnsmasq
everywhere, I see little point in having two different solutions on
desktop/server. Are there any objections to that? (It makes using
networkd significantly harder, but we can patch this in principle)


Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)