I have it running on few machines with no issues so far.
Fedora 33 To Stick With systemd-resolved Following Last Minute Concerns
-
Originally posted by You-:
I think it is that:
1. It doesn't support DOH yet. DOT is also off by default.
2. Old DNSSEC behaviour was to pass through all information even if DNSSEC validation failed (with the hope that the application will at least consider the failures). Now it is off by default as that is considered broken behaviour.
There are a few others who disliked the default configuration, but those are mostly preferences as opposed to issues.
2. Yeah, this is the reason I said "pretty much all" instead of "all" common cases, because I got bit too in the past by this issue. I do know though that it's already been fixed since at least 5-6 months ago. And also, like DOH & DOT, I don't really consider DNSSEC a very common use case for the average desktop user (though much more common than DOH & DOT).
- Likes 1
-
Originally posted by You-:
I think the old behaviour of ignoring security failures was troublesome.
The whole idea of things like DNSSEC is to inform you of the issues. IMO ignoring the failures gives a false sense of security.
I upgraded to F33 beta, and my config was not auto-migrated to systemd-resolved, possibly because NM was already managing resolv.conf via symlink. I manually migrated, using the stub-resolv.conf symlink. Everything worked fine with the stock config.
Proper split DNS with VPN works, which is very nice, especially since I'm working from home regularly.
Enabling opportunistic DoT worked without issue (my local network DNS server doesn't have a valid certificate, so DoT isn't used, so the fallback to plain DNS works as expected).
Enabling DNSSEC worked, as my local network DNS server supports it. It also entirely broke DNS resolution for a chunk of my personal domain on my internal network. My domain is signed publicly, but I override some of those values with local addresses on my router, which obviously fails DNSSEC. I'd expect these to fail, and it's a sign I should get off my butt and improve my setup. However, I can see why some people think this behaviour is broken.
I also changed my FallbackDNS settings to use CIRA DNS servers. This change is reflected in `resolvectl status`, although hasn't taken effect due to DNS settings being received via DHCP on the network.
- Likes 2
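The three settings discussed in the post above (DNSSEC, opportunistic DoT, FallbackDNS) can be checked mechanically. The following is an added example, not part of the thread or of systemd: `audit_resolved_conf` is a hypothetical helper, the sample config is constructed, and the addresses are documentation placeholders.

```python
import configparser

# Constructed sample mirroring the setup described in the post above.
# Addresses are RFC 5737 documentation placeholders, not real resolvers.
SAMPLE_CONF = """\
[Resolve]
DNSSEC=yes
DNSOverTLS=opportunistic
FallbackDNS=192.0.2.53 192.0.2.54
"""

NOTES = {
    ("DNSSEC", "no"): "answers are not validated",
    ("DNSSEC", "allow-downgrade"): "validation is switched off for servers without DNSSEC support",
    ("DNSSEC", "yes"): "validation failures are hard failures; local overrides of a signed zone stop resolving",
    ("DNSOverTLS", "no"): "queries leave the host unencrypted",
    ("DNSOverTLS", "opportunistic"): "falls back to plaintext DNS when DoT cannot be used",
}

def audit_resolved_conf(text, link_dns_present=True):
    """Hypothetical helper: return (settings, findings) for the [Resolve] section.

    link_dns_present says whether a link (DHCP, VPN) already supplies DNS servers.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep resolved.conf's key capitalisation
    cp.read_string(text)
    sec = cp["Resolve"] if cp.has_section("Resolve") else {}
    # Assumption: an unset key is read as "no", the defaults reported in the
    # thread; the real defaults are chosen when systemd is built.
    settings = {k: sec.get(k, "no").strip().lower() for k in ("DNSSEC", "DNSOverTLS")}
    settings["DNS"] = sec.get("DNS", "").split()
    settings["FallbackDNS"] = sec.get("FallbackDNS", "").split()

    findings = [f"{k}={settings[k]}: {NOTES[(k, settings[k])]}"
                for k in ("DNSSEC", "DNSOverTLS") if (k, settings[k]) in NOTES]
    # FallbackDNS is only consulted when no other server is known.
    if settings["FallbackDNS"] and (settings["DNS"] or link_dns_present):
        findings.append("FallbackDNS: unused while DNS= or a link provides servers")
    return settings, findings

if __name__ == "__main__":
    for line in audit_resolved_conf(SAMPLE_CONF)[1]:
        print(line)
```

On the running system, `resolvectl status` shows which servers and settings are actually in effect per link.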
-
Originally posted by arQon:
You'd hope that by now systemd-resolved would actually, you know, work properly - but you'd be naive to expect any bugs to ever get fixed, unless they affect Pottering personally.
- Likes 3
-
Originally posted by pal666:
who are they? ubuntu who pushed it long ago?
I'm not against systemd-resolved, I switched to it months ago (or 2 years ago?) and have been happily using it ever since.
-
Comments have focused on the problems with systemd-resolved without identifying benefits.
Okay, I will ask the dumb questions. While I have been using Fedora as primary since FC1 (actually since RH7.x) I am a complete idiot when it comes to DNS. Indeed, I had no idea that systemd-resolved was already installed on F32. I am configuring systems today comparably to what I did 21 years ago. This old dog is resistant to new tricks.
I have always used Bind (named) as a caching name server. Same for servers running CentOS. Moreover, I have no clue regarding dnsmasq.
Presumably systemd-resolved would replace Bind (right?). Is there any reason to make a change?
-
Originally posted by sandy8925:
They means Fedora here. Fedora is trying to make it the default, and it seems some people are facing issues compared to whatever was there before. If there are just a few things to fix, they should fix those before stable release.