On 9/28/20 11:03 AM, Lennart Poettering wrote:
> I have the strong suspicion that the same people who are
> able to deploy working DNSSEC client side and are educated enough in
> DNSSEC to know what that even means are also capable of replacing that
> one symlink in /etc.

i'll start with:  i'm generally a huge use-systemd-*-whenever-possible bigot.  
aka, NOT an anti-systemd'er.

but, this^ comment, though likely _true_, causes concern for those of us out 
here, in the peanut gallery.

<peanut-gallery hat>on</peanut-gallery hat>

as Paul Wouters has repeatedly pointed out ... others' use cases are not mine.

and statements such as "It's easy to do using resolvectl" make me ... antsy.

forcing use of, or switching by (coming) default, to solutions that cause 
significant breakage to working systems, is bad news. whether or not that 
breakage can be 'easily' worked around.

easy != zero effort / zero cost.

my typical 'small-office install' includes local split-horizon bind9 
implementation, as well as instances of both NSD4/Unbound, multiple VPN links, 
and varied routing for IPv4 & IPv6 dns queries, as well as general & specific 
traffic.  internal services/capabilities include mail, DNSSEC and instances of 
secure DNS (DoT/DoH), geoIP, etc etc.

'large-office' installs are correspondingly _more_ 'convoluted'.

that said, it all works.  well.

(my) users see/use a static /etc/resolv.conf, with, generally, a single 
nameserver entry.

recent experiments (on F32, admittedly -- *not* yet F33) with NetworkManager 
&/or systemd-resolved here were nightmarish; a seemingly endless array of 
'gotchas' ...

after trying, and failing, to chase down & completely resolve all the problems, 
the functional solution i landed on was

 (1) disable NetworkManager everywhere (yes, causes some current pain with 
laptops)
 (2) enable/deploy systemd-networkd everywhere
 (3) disable systemd-resolved everywhere; reset to own-managed, /etc/resolv.conf
 (4) disabled DoH settings in all Firefox instances

it all works, again.

if/until a 'forced switch', &/or new default, works in _our_ use cases -- 
regardless of whether or not they fit into _others'_ limited views -- then 
that^^ is my default.

here's hoping that turning "it" all OFF, without breaking 'the rest' of 
systemd*, or F33+, remains functionally doable ...

<peanut-gallery hat>off</peanut-gallery hat>
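A shell version of the four-step layout the post above lands on (NetworkManager off, systemd-networkd on, systemd-resolved off with an own-managed /etc/resolv.conf, DoH off in Firefox). This is an added example, not part of the original mail and not code from Fedora, systemd or Mozilla. It assumes a Fedora-style host with systemctl, and that Firefox reads /etc/firefox/policies/policies.json (the Linux policy path Mozilla documents; treated as an assumption here). The ROOT variable, the function names and the 192.0.2.53 nameserver are constructed so the file-writing steps can be exercised against a scratch directory before touching a live /etc; the service switching only runs when ROOT is the real root.

```shell
#!/bin/sh
# Added example (not from the original mail): apply the "own-managed
# /etc/resolv.conf" layout described in the post. ROOT is an assumption that
# lets the file steps be dry-run against a scratch directory; with ROOT=/ the
# script edits the live system.
set -eu

ROOT="${ROOT:-/}"

# Check for step (3): is /etc/resolv.conf still owned by systemd-resolved?
# True when it is the well-known symlink into /run/systemd/resolve, or a plain
# file that only points at the 127.0.0.53 stub listener.
resolv_conf_is_resolved_managed() {
    f="$ROOT/etc/resolv.conf"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            *systemd/resolve*) return 0 ;;
        esac
    fi
    [ -f "$f" ] && grep -q '^nameserver 127\.0\.0\.53$' "$f"
}

# Step (3): replace the symlink with a static file naming the local
# split-horizon resolver. 192.0.2.53 is an RFC 5737 placeholder address.
write_static_resolv_conf() {
    ns="${1:-192.0.2.53}"
    f="$ROOT/etc/resolv.conf"
    mkdir -p "$ROOT/etc"
    rm -f "$f"            # remove the symlink itself, do not write through it
    printf 'nameserver %s\n' "$ns" > "$f"
    chmod 0644 "$f"
}

# Step (4): disable and lock DNS-over-HTTPS for every Firefox profile on the
# host via an enterprise policy, so the browser uses the system resolver.
write_firefox_doh_policy() {
    d="$ROOT/etc/firefox/policies"     # assumed policy directory (see lead-in)
    mkdir -p "$d"
    cat > "$d/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": { "Enabled": false, "Locked": true }
  }
}
EOF
}

# Steps (1) and (2): swap NetworkManager for systemd-networkd and stop
# systemd-resolved. Only touches services when operating on the real root.
switch_to_networkd() {
    if [ "$ROOT" != "/" ]; then
        echo "dry run (ROOT=$ROOT): skipping systemctl changes"
        return 0
    fi
    systemctl disable --now NetworkManager.service
    systemctl disable --now systemd-resolved.service
    systemctl enable --now systemd-networkd.service
}

# Usage: ROOT=/ sh ./resolv-own.sh apply [nameserver]
if [ "${1:-}" = "apply" ]; then
    if resolv_conf_is_resolved_managed; then
        echo "resolv.conf is resolved-managed; replacing it"
    fi
    write_static_resolv_conf "${2:-}"
    write_firefox_doh_policy
    switch_to_networkd
fi
```

Run it first with ROOT pointed at an empty directory to inspect the files it would write; the check function is the useful bit to keep around, since a distribution upgrade that re-enables systemd-resolved will quietly put the stub symlink back.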

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org