DNS resolution outside NSS shouldn’t be dismissed as an edge case for
software that’s too conceited to use NSS.  NSS only exposes A, AAAA, and
PTR records.  There’s plenty of software in the official archive that
needs other records from DNS (off the top of my head: SRV, TXT, MX,
SSHFP, AFSDB) and cannot get them from NSS.

> resolved reads their DNS servers *from* resolv.conf.

Right, so perhaps when resolvconf is in use, systemd-resolved should
read those from /run/resolvconf/resolv.conf directly, and
/etc/resolv.conf should be a symlink to /lib/systemd/resolv.conf rather
than /run/resolvconf/resolv.conf?

> you can't both choose to *not* use NSS *and* rely on NSS to do DNSSEC
> for you.

Why not?  It was working with NetworkManager managing a dnsmasq, since
NetworkManager installed the local proxy as the only nameserver visible
in resolv.conf, and it would work again if systemd-resolved did the

This will also be needed to fix problems like
https://github.com/systemd/systemd/issues/3421 for programs that cannot
use NSS.

** Bug watch added: github.com/systemd/systemd/issues #3421

  systemd-resolved appends to resolv.conf alongside existing

Status in systemd package in Ubuntu:

Bug description:
  systemd-resolved, or more precisely the hook script
  /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf, causes
  resolvconf to add to the set of nameservers in
  /etc/resolv.conf alongside the other nameservers.  That makes no sense
  because systemd-resolved sets up as a proxy for those other
  nameservers.  The effect is similar to bug 1624071 but for
  applications doing their own DNS lookups.  It breaks any DNSSEC
  validation that systemd-resolved tries to do; applications will
  failover to the other nameservers, bypassing validation failures.  And
  it makes failing queries take twice as long.

  /etc/resolv.conf should have only when systemd-resolved is
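
Added example, not part of the bug report or of any project's code: a check for the condition the bug description reports, a local proxy listed in resolv.conf alongside other nameservers that applications can fail over to. It assumes the proxy listens on a loopback address (127.0.0.53 in the constructed sample is systemd-resolved's stub address, which the report as shown here does not state), so it also covers a local dnsmasq; the function names and sample files are hypothetical.

```python
import ipaddress

# Constructed sample inputs (not taken from the bug report).
MIXED = """\
# Generated by resolvconf
nameserver 127.0.0.53
nameserver 192.0.2.1
search example.test
"""
PROXY_ONLY = "nameserver 127.0.0.53\noptions edns0\n"


def nameservers(text):
    """Return the nameserver addresses of a resolv.conf in file order."""
    servers = []
    for line in text.splitlines():
        if line.startswith(("#", ";")):  # comment lines
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop an IPv6 zone id
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue  # not a usable address
    return servers


def audit(text):
    """Return (verdict, non-loopback servers) for a resolv.conf.

    'bypassable' means a loopback proxy is listed next to other servers,
    so a stub resolver walking the list can reach them directly and get
    answers the proxy never validated.
    """
    servers = nameservers(text)
    local = [s for s in servers if s.is_loopback]
    remote = [str(s) for s in servers if not s.is_loopback]
    if local and remote:
        return "bypassable", remote
    if local:
        return "proxy-only", []
    return "no-proxy", remote


if __name__ == "__main__":
    for name, sample in (("mixed", MIXED), ("proxy only", PROXY_ONLY)):
        print(name, *audit(sample))
```

Pass it the contents of /etc/resolv.conf; a "bypassable" verdict lists the servers that would answer without going through the local proxy.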
