* Lennart Poettering:
> On Do, 16.04.20 17:14, Florian Weimer (fweimer(a)redhat.com) wrote:
> > I don't think we can reliably determine whether people have deployed
> > things in a way that relies on /etc/resolv.conf only listing a fully
> > blown DNS server or who are fine with it being a more restricted stub
> > like systemd-resolved.
>
> Unfortunately, I see something similar to what Tom Hughes reported
> earlier: dig +dnssec responses are not even correctly formatted. The CD
> query flag is not handled, either. The AD bit is not set on validated
> responses. I also see some really strange stability issues. It seems
> that resolved is incorrectly blacklisting upstream servers with an
> incompatible-server error after a validation failure.
> Again, we do not support DNSSEC from client to the stub.
I don't think this change is ready for Fedora, then.
> If you set CD we'll return NOTIMP as rcode, indicating that. We do not
> implement a full DNS server, but just enough for local stub clients
> (such as the one implemented in glibc or Java) to work.
Sorry? RES_USE_DNSSEC is part of the glibc stub resolver. It does not
work anymore.
The libunbound validator is broken by this, too.
> If you want the full DNSSEC client stuff, talk directly to the
> upstream DNS server.
How? The address is no longer in /etc/resolv.conf. According to the
change proposal, this also endangers Denise, who relies on the request
routing in systemd-resolved.
Thanks,
Florian