Thursday 2 June 2016

Re: ANN: DNS resolver changes in yakkety

On Thu, Jun 02, 2016 at 11:26:17PM +0200, Martin Pitt wrote:
> Hello Stéphane,
>
> to conclude the loose end of this thread..
>
> Stéphane Graber [2016-05-31 15:52 -0400]:
> > > > 1) Does resolved now support split DNS support?
> > > > That is, can Network Manager instruct it that only *.example.com
> > > > should be sent to the DNS servers provided by a given VPN?
> > >
> > > resolved has a D-Bus API SetLinkDomains(), similar in spirit to
> > > dnsmasq. However, NM does not yet know about this, and only indirectly
> > > talks to resolved via writing /etc/resolv.conf (again indirectly via
> > > resolvconf). So the functionality on the resolved is there, but we
> > > don't use it yet. This is being tracked in the blueprint.
> >
> > Ok and does it support configuring this per-domain thing through
> > configuration files?
> >
> > That's needed so that LXC, LXD, libvirt, ... can ship a file defining a
> > domain for their bridge which is then forwarded to their dnsmasq
> > instance.
>
> In my other reply I said that resolved doesn't have this kind of
> fine-grained configuration files, as it mostly expects network
> management software to tell it about these things. But what you *can*
> do is to use networkd for this:
>
> $ cat /lib/systemd/network/lxdbr0.network
> [Match]
> Name=lxdbr0
>
> [Network]
> DNS=127.0.0.1
> Domains= ~lxd
>
> With this, networkd won't actually set up the bridge (as there is no
> DHCP=, Address=, corresponding .netdev etc.), but as soon as it comes
> up via auto-activation of lxd-bridge.service, it will poke that
> information into resolved (via the above SetLinkDomains() call). I
> just tested that in a VM, and it does what you expect.
>
> The main drawback is that you need to start systemd-networkd.service
> for this (at least as a Requires= of lxd-bridge.service). Now, on
> server/cloud we want to move to networkd anyway, but on a desktop we'd
> usually only have NetworkManager running. So this overhead would
> mainly be justified if you would consider replacing lxd-bridge.service
> by a "full" networkd config, i. e. let the above file actually set up
> and configure the full bridge (But this doesn't go that well with the
> existing /etc/default/lxd-bridge format).
>
> If using a configuration *file* is not a tight requirement, but you
> only actually care about this working OOTB, then a less intrusive
> approach might be to just add a dbus-send/gdbus/busctl ExecStartPost=
> to lxd-bridge.service that does the SetLinkDomains() call.
>
> I initially thought about lxd just dropping a resolvconf hook, but
> that doesn't work I think: /etc/resolv.conf has no syntax for
> domain-specific DNS servers, so we need to use a richer API like
> dnsmasq or resolved for these.
>
> Would either approach work for you, or do we need something different?

We'd probably do it through dbus-send then in the bridge configuration script.

Does the resolved configuration persist? That is, if resolved gets a
package update and is restarted, will it lose the information it knows
about .lxd, .lxc, .libvirt, ...?

>
> Thanks,
>
> Martin

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
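The ExecStartPost= approach Martin sketches above, written out as an added example (this is not code from the thread, from LXD or from systemd): a small POSIX sh script that pushes a bridge's DNS server and a route-only domain into systemd-resolved over D-Bus with busctl, the same information the lxdbr0.network snippet would hand over via networkd. The D-Bus methods used are org.freedesktop.resolve1.Manager.SetLinkDNS (signature ia(iay): ifindex, then an array of (address family, address bytes)) and SetLinkDomains (signature ia(sb): ifindex, then an array of (domain, route_only)). The bridge name lxdbr0, the server 127.0.0.1 and the domain lxd mirror the networkd snippet; the LXD_RESOLVED_APPLY guard, the function names and the assumption that the unit runs as root (or is covered by a polkit rule for resolved's set-dns/set-domains actions) are mine.

```shell
#!/bin/sh
# Added example: register a bridge's DNS server and route-only search domain
# with systemd-resolved over D-Bus, suitable for ExecStartPost= in a bridge
# unit. Assumes busctl is present and the caller is root (or polkit allows
# the resolve1 set-dns / set-domains actions). Nothing is sent to D-Bus
# unless LXD_RESOLVED_APPLY=1 is set, so the helpers can be tested offline.
set -eu

# resolved keys per-link settings by interface index, not by name.
link_ifindex() {
    cat "/sys/class/net/$1/ifindex"
}

# Argument list for SetLinkDNS(int ifindex, a(iay) addresses) with IPv4
# servers: each entry is AF_INET (2), a byte-array length of 4, then the
# four octets. busctl expects an array's element count before its elements.
dns_v4_args() {
    ifindex=$1; shift
    printf '%s %s' "$ifindex" "$#"
    for ip in "$@"; do
        printf ' 2 4 %s' "$(printf '%s' "$ip" | tr '.' ' ')"
    done
}

# Argument list for SetLinkDomains(int ifindex, a(sb) domains). A leading
# "~" marks a route-only domain (route_only=true), which is what
# "Domains= ~lxd" means in a networkd .network file: queries under .lxd are
# sent to this link's servers, but "lxd" is not added as a search suffix.
domains_args() {
    ifindex=$1; shift
    printf '%s %s' "$ifindex" "$#"
    for d in "$@"; do
        case $d in
            '~'*) printf ' %s true' "${d#?}" ;;
            *)    printf ' %s false' "$d" ;;
        esac
    done
}

# Push both settings for one link. Word splitting of the $(...) results is
# intended: busctl wants one argument per field.
register_link() {
    iface=$1; server=$2; shift 2
    ifindex=$(link_ifindex "$iface")
    # shellcheck disable=SC2046
    busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 \
        org.freedesktop.resolve1.Manager SetLinkDNS 'ia(iay)' \
        $(dns_v4_args "$ifindex" "$server")
    # shellcheck disable=SC2046
    busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 \
        org.freedesktop.resolve1.Manager SetLinkDomains 'ia(sb)' \
        $(domains_args "$ifindex" "$@")
}

# Example invocation for the unit: ExecStartPost=/bin/sh -c 'LXD_RESOLVED_APPLY=1 /usr/local/sbin/lxd-resolved.sh'
if [ "${LXD_RESOLVED_APPLY:-0}" = 1 ]; then
    register_link lxdbr0 127.0.0.1 '~lxd'
fi
```

Two things to keep in mind when wiring this into a unit: the settings are attached to the link, so they need re-applying whenever the bridge is recreated, and they are applied to whichever resolved instance is running at that moment, which is exactly the persistence question raised above rather than an answer to it. You can inspect what resolved currently holds for the link with `busctl introspect org.freedesktop.resolve1 /org/freedesktop/resolve1/link/_<ifindex>`.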