The primary purpose of adding to resolv.conf is for client
software that wants to do DNS resolution by itself instead of using NSS
-- the most notable example is Google Chrome, and third-party software which
is statically linked (e.g. Go).

However, other software like NetworkManager or isc-dhcp also calls
resolvconf and adds name servers picked up by them -- as they don't talk
to resolved directly, resolved reads their DNS servers *from*

But, software which does its own DNS lookups like the above has to do
its own DNSSEC validation too -- you can't both choose to *not* use NSS
*and* rely on NSS to do DNSSEC for you.

So, this is indeed a wart, but not easily fixed, and also not that
important IMHO. Not using NSS is already broken to some degree, as you
also ignore things like nss-{winbind,docker,ldap} etc.

** Changed in: systemd (Ubuntu)
       Status: New => Triaged

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Low


  systemd-resolved appends to resolv.conf alongside existing

Status in systemd package in Ubuntu:

Bug description:
  systemd-resolved, or more precisely the hook script
  /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf, causes
  resolvconf to add to the set of nameservers in
  /etc/resolv.conf alongside the other nameservers.  That makes no sense
  because systemd-resolved sets up as a proxy for those other
  nameservers.  The effect is similar to bug 1624071 but for
  applications doing their own DNS lookups.  It breaks any DNSSEC
  validation that systemd-resolved tries to do; applications will
  fail over to the other nameservers, bypassing validation failures.  And
  it makes failing queries take twice as long.

  /etc/resolv.conf should have only when systemd-resolved is
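As an added illustration (not part of the bug report or of systemd), the check below parses a resolv.conf and flags the configuration the report describes: a loopback stub entry listed alongside upstream servers, which a client doing its own lookups will fall back to. The sample file is constructed; it assumes the stub listener is a loopback address (127.0.0.53 here) and uses made-up upstream addresses.

```python
import ipaddress

# Constructed sample of the mixed /etc/resolv.conf the bug describes: the
# local stub listener (assumed loopback address) appended next to the
# upstream servers that NetworkManager/isc-dhcp handed to resolvconf.
# The upstream addresses are made up for this example.
SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 127.0.0.53
nameserver 192.0.2.1
nameserver 192.0.2.2
search example.test
options edns0
"""


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for line in text.splitlines():
        # resolv.conf(5) comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # skip malformed entries the resolver would ignore
    return servers


def check_stub_mixed_with_upstream(text):
    """Classify the nameserver set:
    'stub-only'     - only loopback entries: resolved is the sole resolver
    'upstream-only' - no loopback entries: resolved is not in the path
    'mixed'         - stub *and* upstream servers: a non-NSS client can fail
                      over past the stub, bypassing its DNSSEC validation
    'empty'         - no usable nameserver lines
    """
    servers = parse_nameservers(text)
    if not servers:
        return "empty"
    loopback = [s for s in servers if s.is_loopback]
    upstream = [s for s in servers if not s.is_loopback]
    if loopback and upstream:
        return "mixed"
    return "stub-only" if loopback else "upstream-only"
```

Run against the real file with `check_stub_mixed_with_upstream(open("/etc/resolv.conf").read())`; a result of `mixed` is the state the report argues against.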
