On Thu, 16.04.20 17:14, Florian Weimer (fweimer(a)redhat.com) wrote:
> I don't think we can reliably determine whether people have deployed
> things in a way that relies on /etc/resolv.conf only listing a fully
> blown DNS server or who are fine with it being a more restricted stub
> like systemd-resolved.
> Unfortunately, I see something similar to what Tom Hughes reported
> earlier: dig +dnssec responses are not even correctly formatted. The CD
> query flag is not handled, either. The AD bit is not set on validated
> responses. I also see some really strange stability issues. It seems
> that resolved is incorrectly blacklisting upstream servers with an
> incompatible-server error after a validation failure.
Again, we do not support DNSSEC from client to the stub. If you set CD
we'll return NOTIMP as rcode, indicating that. We do not implement a
full DNS server, but just enough for local stub clients (such as the
one implemented in glibc or Java) to work. If you want the full DNSSEC
client stuff, talk directly to the upstream DNS server.
We set AD only if we managed to authenticate ourselves, which can be via
DNSSEC if that's enabled towards the upstream DNS server. We also set it
for hosts we read from /etc/hosts (i.e. a source owned by root). If you
saw "incompatible server", this looks like you left DNSSEC on between
resolved and the upstream DNS server? Again, this is not what we intend
to do in Fedora.
Lennart
--
Lennart Poettering, Berlin
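A way to check the stub behaviour Lennart describes from a client's side, as an added example that is not code from this thread or from systemd: it builds a raw UDP DNS query with the CD flag set, decodes the header flags of the reply (rcode, AD, CD), and reports whether the stub answered NOTIMP or set AD. The two reply messages embedded below are constructed by hand (not captured from any server); the `probe` function sends a live query to 127.0.0.53, the address assumed here for the systemd-resolved stub, and is only called if you invoke it yourself.

```python
# Added example: raw DNS query builder and header decoder for checking how a
# stub resolver handles the CD flag and whether it sets AD. Not systemd code.
import socket
import struct

# Header flag bits of the 16-bit flags word (RFC 1035, RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, qid=0x1234, cd=False, ad=False):
    """Build a one-question IN-class query with optional AD/CD flag bits."""
    flags = RD | (AD if ad else 0) | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields a DNSSEC-aware client inspects."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "qdcount": qd, "ancount": an}


def classify_reply(query, reply):
    """Summarise what a reply tells you about the resolver's DNSSEC client support."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "not a reply to our query"
    if q["cd"] and r["rcode"] == 4:
        return "CD not supported: resolver answered NOTIMP, query the upstream server directly"
    if r["ad"]:
        return "AD set: resolver authenticated the answer (DNSSEC upstream or a root-owned source such as /etc/hosts)"
    return "answer returned without AD: unvalidated data"


def probe(name="example.com", server="127.0.0.53", port=53, cd=True, timeout=2.0):
    """Live check; 127.0.0.53 is assumed to be the systemd-resolved stub address."""
    query = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        reply, _ = s.recvfrom(4096)
    return classify_reply(query, reply)


# Constructed sample replies (hand-built, not captured) with the question echoed back.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# A stub refusing a CD query: QR|RD|RA, rcode 4 (NOTIMP), no answer records.
SAMPLE_NOTIMP = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 4, 1, 0, 0, 0) + QUESTION
# A validated reply: QR|RD|RA|AD, rcode 0, one A record (192.0.2.1, TTL 60).
SAMPLE_AD = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0) + QUESTION
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(classify_reply(build_query("example.com", cd=True), SAMPLE_NOTIMP))
    print(classify_reply(build_query("example.com"), SAMPLE_AD))
```

Running `probe()` against a stub that behaves as described in the reply above should report the NOTIMP case for a CD query; running `probe(cd=False)` for a name from /etc/hosts or a DNSSEC-validated upstream answer should report AD set. A reply with neither is what a DNSSEC-validating client such as `dig +dnssec` cannot use for its own validation, which is why the advice is to talk to the upstream server directly.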