On Saturday 07 October 2017 07:55 PM, James Valleroy wrote:
[...]
> There is an RFA (#805266) for libnss-gw-name. The current maintainer
> mentions that systemd-resolved and libnss-resolve provide the same
> functionality as libnss-gw-name. We should consider whether to switch
> to these alternatives.
systemd-resolved's name resolution is quite well suited for FreedomBox's purposes and we are better off using it. The DNSSEC plan is not as great as the unbound+NetworkManager combination. It works nicely with NetworkManager, which we are using to configure network connections. I don't know how well it would sit with our plan of using bind as an authoritative server. Here are the things I found:

- Use systemd-resolved. This is already happening because vmdebootstrap enables both systemd-networkd and systemd-resolved unless --no-systemd-networkd is specified (which we are not doing). Having the daemon running is good for clients that talk the native systemd-resolved protocol for making DNS queries. This means that some of the recent images that we have built should already be running systemd-resolved by default. However, we need to worry about people upgrading from an older version of FreedomBox.

- systemd-resolved does not clash ports with the bind9 that we have. The former listens on 127.0.0.53%lo:53 and the latter on 127.0.0.1:53 and :::53, and apparently that is not a clash. I verified that both work fine no matter which one starts first.

- Make /etc/resolv.conf a symlink to /run/systemd/resolved/resolv.conf. /etc/resolv.conf is useful for programs that use this file directly to make their DNS queries. Again, vmdebootstrap does this for us during image build. This means that some of the recent images that we have built should already be using systemd-resolved via /etc/resolv.conf. Again, we need to think about people upgrading from an older version of FreedomBox.

- Make NetworkManager use systemd-resolved. This is necessary because when a connection is brought up and an upstream DHCP server provides a list of DNS servers, these must be used instead of whatever systemd-resolved is using. Likewise, they must be removed when a connection is down. In order to make this integration happen, we don't have to do anything and things are already integrated. When the NetworkManager configuration 'dns=' is not specified, and if /etc/resolv.conf is symlinked to use systemd-resolved, then NetworkManager automatically uses systemd-resolved. This means DNS servers from upstream DHCP servers are added to and removed from systemd-resolved by NetworkManager.

- Use libnss-resolve. We can add this as a dependency and remove libnss-gw-name. This will edit /etc/nsswitch.conf such that glibc-based programs send DNS queries to systemd-resolved before even considering /etc/resolv.conf. This also provides proper DNSSEC if enabled. When systemd-resolved is not running, this does not cause a problem, as nsswitch is configured to fall back to the usual mechanism in such a scenario. libnss-resolve seems to enable systemd-resolved and make the necessary changes to /etc/nsswitch.conf.

- Deal with the problem of systemd-resolved not running in a chroot and causing freedom-maker image build failures. vmdebootstrap incorrectly turns off predictable network names and systemd-resolved when --no-systemd-networkd is passed. Joseph and I are still facing this issue; the related bug has been closed as non-reproducible. A workaround could be that we copy the host /etc/resolv.conf to the chroot /etc/resolv.conf temporarily and restore the symlink to /run/systemd/resolved/resolv.conf when we are done.

Thanks,

--
Sunil
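The chroot workaround sketched in the last point, as an added example that is not part of the thread or of freedom-maker: the chroot's resolv.conf symlink is swapped for a copy of the host file for the duration of one command and the symlink to /run/systemd/resolved/resolv.conf is put back afterwards, even when the command fails. The root directory and host file are parameters so the helper can be exercised on a scratch directory; the names `with_host_resolv_conf`, `resolv_points_to_resolved` and `restore_resolved_symlink` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): give a chroot a usable
# /etc/resolv.conf while systemd-resolved is not running inside it,
# then restore the symlink that vmdebootstrap leaves behind.

RESOLVED_STUB=/run/systemd/resolved/resolv.conf

# resolv_points_to_resolved ROOT: succeed only if ROOT/etc/resolv.conf is
# a symlink to the systemd-resolved stub file.
resolv_points_to_resolved() {
    [ -L "$1/etc/resolv.conf" ] &&
        [ "$(readlink "$1/etc/resolv.conf")" = "$RESOLVED_STUB" ]
}

# restore_resolved_symlink ROOT: drop whatever is at ROOT/etc/resolv.conf
# (a copied file, a stale link) and recreate the stub symlink.
restore_resolved_symlink() {
    rm -f "$1/etc/resolv.conf"
    ln -s "$RESOLVED_STUB" "$1/etc/resolv.conf"
}

# with_host_resolv_conf ROOT HOSTFILE CMD...: run CMD with ROOT/etc/resolv.conf
# replaced by the *content* of HOSTFILE (HOSTFILE is usually itself the
# systemd-resolved symlink on the host, so it is dereferenced), then put the
# symlink back and return CMD's exit status.
with_host_resolv_conf() {
    root=$1; hostfile=$2; shift 2
    rm -f "$root/etc/resolv.conf"
    # cp -L follows the host symlink; a dangling link fails here, before
    # anything runs inside the chroot, and the stub link is restored.
    if ! cp -L "$hostfile" "$root/etc/resolv.conf"; then
        restore_resolved_symlink "$root"
        return 1
    fi
    "$@"
    status=$?
    restore_resolved_symlink "$root"
    return $status
}
```

A build step would call it as `with_host_resolv_conf /path/to/chroot /etc/resolv.conf chroot /path/to/chroot apt-get update`.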