[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Oct 30 05:34:52 UTC 2020


On Fri, Oct 30, 2020 at 04:29:56AM +0000, Paul Vixie wrote:

> > There are many such defects in systemd-resolved, get in line...
> 
> systemd is pretty configurable. there should be some way to turn this
> DNS-like but not-actually-DNS listener off, and then either run a real
> DNS listener (unbound, bind9, powerdns, knot, etc) there. bind9 in
> particular will do the right thing even with /dev/null as a config file,
> but that may be true of some of the others also.

Here, I'm getting a bit out of my depth, I don't use systemd-resolved,
and have only been skimming some of the issue discussions.  For servers,
it is indeed easy to bypass systemd-resolved, and run a real resolver
as you say.

For mobile devices (laptops and the like), the problem is much more
difficult, in that systemd also manages location awareness,
connections to corporate VPNs, connecting to public access points,
detecting middleboxes that block DNSSEC, ...

Some of the functionality is difficult to achieve with just a static
bypass of systemd-resolved to a local validating resolver.

So the ideal end-state would be a better architected component that
supported DNS standards properly.  Presently, what we have is either
a robust static configuration, or a partly working in some use-cases
dynamic configuration.

-- 
    Viktor.
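One way to check for the bypass Paul describes above, as an added example that is not part of the thread: the script reads a resolv.conf and a resolved.conf (constructed samples written to a temp dir) and reports whether queries still go through the 127.0.0.53 stub listener and whether the listener itself has been switched off. DNSStubListener= is a real resolved.conf option; the file paths and sample contents are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Inspects resolver configuration
# on disk; it does not change anything on the host.

# 0 if resolv.conf sends queries to the systemd-resolved stub at 127.0.0.53.
resolv_uses_stub() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"
}

# 0 if resolved.conf explicitly sets DNSStubListener=no in the [Resolve] section.
# The option defaults to yes when absent or commented out.
stub_listener_disabled() {
    sed -n '/^\[Resolve\]/,/^\[/p' "$1" |
        grep -Eiq '^[[:space:]]*DNSStubListener[[:space:]]*=[[:space:]]*no[[:space:]]*$'
}

# Verdict for one host: returns 0 only when resolv.conf points somewhere other than
# the stub AND the stub listener is disabled, i.e. a real resolver (unbound, bind9,
# ...) on 127.0.0.1 or elsewhere is the only path for DNS.
stub_bypassed() {
    resolv=$1; resolved=$2
    if resolv_uses_stub "$resolv"; then
        echo "resolv.conf still names 127.0.0.53: stub in use"; return 1
    fi
    if ! stub_listener_disabled "$resolved"; then
        echo "stub listener still enabled (DNSStubListener not 'no')"; return 1
    fi
    echo "stub bypassed: queries go to $(awk '/^nameserver/{print $2; exit}' "$resolv")"
    return 0
}

# Constructed samples (assumed paths) so the checks can be exercised offline.
demo_dir=$(mktemp -d)
# Default distro layout: resolv.conf is the stub-resolv.conf symlink target.
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$demo_dir/resolv.stub"
printf '[Resolve]\n#DNSStubListener=yes\n' > "$demo_dir/resolved.default"
# Bypassed layout: stub off, resolv.conf points at a local validating resolver.
printf 'nameserver 127.0.0.1\noptions edns0\n' > "$demo_dir/resolv.local"
printf '[Resolve]\nDNSStubListener=no\n' > "$demo_dir/resolved.bypass"

stub_bypassed "$demo_dir/resolv.stub"  "$demo_dir/resolved.default" || true
stub_bypassed "$demo_dir/resolv.local" "$demo_dir/resolved.bypass"  || true
```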


