Fedora 33 To Stick With systemd-resolved Following Last Minute Concerns

  • #11
    I have it running on a few machines with no issues so far.

    Comment


    • #12
      Originally posted by You-:

      I think it is that:

      1. It doesn't support DOH yet. DOT is also off by default.
      2. Old DNSSEC behaviour was to pass through all information even if DNSSEC validation failed (with the hope that the application will at least consider the failures). Now it is off by default as that is considered broken behaviour.

      There are a few others who disliked the default configuration, but those are mostly preferences as opposed to issues.
      1. These are not features I would consider to be common use cases though. Secure DNS is still a rather new thing (as regards people actually using it, not the theory behind it) and IMHO system tools not properly supporting it yet should not be a cause for damning them.
      2. Yeah, this is the reason I said "pretty much all" instead of "all" common cases, because I got bit too in the past by this issue. I do know though that it's already been fixed since at least 5-6 months ago. And also, like DOH & DOT, I don't really consider DNSSEC a very common use case for the average desktop user (though much more common than DOH & DOT).

      Comment


      • #13
        I think the old behaviour of ignoring security failures was troublesome.

        The whole idea of things like DNSSEC is to inform you of the issues. IMO ignoring the failures gives a false sense of security.

        Comment


        • #14
          Originally posted by You-:
          I think the old behaviour of ignoring security failures was troublesome.

          The whole idea of things like DNSSEC is to inform you of the issues. IMO ignoring the failures gives a false sense of security.
          Agreed. If I configure my system to enable DNSSEC, I expect the system to do that. I don't want to have to update every piece of software (e.g. msmtp, curl, etc.) to perform that extra step, and optionally configure every piece of software to enable/disable that functionality.

          I upgraded to F33 beta, and my config was not auto-migrated to systemd-resolved, possibly because NM was already managing resolv.conf via symlink. I manually migrated, using the stub-resolv.conf symlink. Everything worked fine with the stock config.

          Proper split DNS with VPN works, which is very nice, especially since I'm working from home regularly.

          Enabling opportunistic DoT worked without issue (my local network DNS server doesn't have a valid certificate, so DoT isn't used, so the fallback to plain dns works as expected).

          Enabling DNSSEC worked, as my local network DNS server supports it. It also entirely broke DNS resolution for a chunk of my personal domain on my internal network. My domain is signed publicly, but I override some of those values with local addresses on my router, which obviously fails DNSSEC. I'd expect these to fail, and it's a sign I should get off my butt and improve my setup. However, I can see why some people think this behaviour is broken.

          I also changed my FallbackDNS settings to use CIRA DNS servers. This change is reflected in `resolvectl status`, although hasn't taken effect due to DNS settings being received via DHCP on the network.

          Comment
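As an added example, not from the thread and not systemd's own code, here is a shell script that reproduces the migration post #14 describes (resolv.conf pointed at stub-resolv.conf, opportunistic DoT, DNSSEC, a custom FallbackDNS) as a resolved.conf drop-in, with a check that the stub symlink is actually in place; the drop-in file name and the 192.0.2.53 fallback address are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the thread: apply the systemd-resolved settings
# post #14 describes via a resolved.conf drop-in and verify the result.
# The drop-in name and the fallback address are assumptions; 192.0.2.53 is a
# documentation-range placeholder standing in for the CIRA servers mentioned.
set -eu

STUB=/run/systemd/resolve/stub-resolv.conf
DROPIN=/etc/systemd/resolved.conf.d/50-local.conf   # assumed file name
FALLBACK=${FALLBACK:-192.0.2.53}                     # placeholder resolver

# Render the [Resolve] drop-in. DNSSEC=yes is what post #14 enabled: resolved
# then rejects locally overridden names in a publicly signed zone (the split
# horizon breakage described). allow-downgrade validates when the upstream
# supports it but does not fail closed; that is the trade-off the thread argues.
render_dropin() {
    cat <<EOF
[Resolve]
DNSSEC=${1:-yes}
DNSOverTLS=opportunistic
FallbackDNS=${FALLBACK}
EOF
}

# True when the given resolv.conf is a symlink to resolved's stub file
# (absolute or relative target), i.e. glibc lookups go through 127.0.0.53.
# A plain file or a link elsewhere means the migration did not happen.
resolv_conf_uses_stub() {
    target=$(readlink "$1" 2>/dev/null || true)
    case "$target" in
        */run/systemd/resolve/stub-resolv.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply only when asked; needs root and an installed systemd-resolved.
if [ "${1:-}" = "--apply" ]; then
    mkdir -p "$(dirname "$DROPIN")"
    render_dropin "${2:-yes}" > "$DROPIN"
    ln -sf "$STUB" /etc/resolv.conf
    systemctl restart systemd-resolved
    resolvectl status   # shows DNSSEC/DoT state and the fallback servers
fi
```

Run with `--apply allow-downgrade` on a host where locally overridden names in a signed zone must keep resolving; `resolvectl status` reports the effective settings either way.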


          • #15
            Originally posted by arQon:
            You'd hope that by now systemd-resolved would actually, you know, work properly - but you'd be naive to expect any bugs to ever get fixed, unless they affect Poettering personally.
            I see there's no hope for you to grow a brain and stop imagining Poettering behind every corner.

            Comment


            • #16
              Originally posted by sandy8925:
              Hm, they should really fix those bugs before trying to push it through
              Who are they? Ubuntu, who pushed it long ago?

              Comment


              • #17
                Originally posted by stiiixy:
                Wow. Doesn't happen to you so, therefore, the world doesn't exist.
                Any proponent of the broken glibc resolver should repeat this mantra in front of a mirror several times every morning.

                Comment


                • #18
                  Originally posted by pal666:
                  Who are they? Ubuntu, who pushed it long ago?
                  They means Fedora here. Fedora is trying to make it the default, and it seems some people are facing issues compared to whatever was there before. If there are just a few things to fix, they should fix those before stable release.

                  I'm not against systemd-resolved, I switched to it months ago (or 2 years ago?) and have been happily using it ever since.

                  Comment


                  • #19
                    Comments have focused on the problems with systemd-resolved without identifying benefits.

                    Okay, I will ask the dumb questions. While I have been using Fedora as primary since FC1 (actually since RH7.x) I am a complete idiot when it comes to DNS. Indeed, I had no idea that systemd-resolved was already installed on F32. I am configuring systems today comparably to what I did 21 years ago. This old dog is resistant to new tricks.

                    I have always used Bind (named) as a caching name server. Same for servers running CentOS. Moreover, I have no clue regarding dnsmasq.

                    Presumably systemd-resolved would replace Bind (right?). Is there any reason to make a change?

                    Comment


                    • #20
                      Originally posted by sandy8925:
                      They means Fedora here. Fedora is trying to make it the default, and it seems some people are facing issues compared to whatever was there before. If there are just a few things to fix, they should fix those before stable release.
                      I missed your explanation of how Ubuntu fixed those issues before making it default in the 2016 LTS release.

                      Comment
