On Mi, 15.04.20 11:14, Fedora Development ML (devel(a)lists.fedoraproject.org) wrote:
> On 14.04.2020 21:23, Ben Cotton wrote:
> > Enable systemd-resolved by default. glibc will perform name resolution
> > using nss-resolve rather than nss-dns.
>
> I've tested systemd-resolved on my laptop for a month. It worked very,
> very unstable. Sometimes it stopped responding and I needed to manually
> restart its service.
>
> I think we need to stay on current solution. It works stable for ages.

Note that resolved so far defaulted to DNSSEC mode by default (in
opportunistic mode). DNSSEC support in DNS servers provided by edge
routers (i.e. the DNS servers typically supplied in the DHCP leases
you get at home) is usually crap, and very hard to detect properly. So
far we have not been able to fine tune it in the myriad ways DNS
servers are creatively broken; and even for the many cases where we
detect things correctly it might still take a while after DNS config
became available for us to complete our learning.
DNSSEC with resolved should work fine if your local DNS server is well
behaving, but unfortunately that's generally not the case. This means
DNSSEC support will be switched from opt-out to opt-in with resolved
becoming default to Fedora, to avoid this breakage.
Note that Ubuntu has been turning on resolved for quite some time by
default now (with DNSSEC off). They did a lot of testing for us
ultimately, so I'd expect few issues if we turn resolved on in Fedora
by default, as long as we also keep DNSSEC off.
Long story short: if you experienced issues with DNSSEC on with
resolved today, then be assured that with DNSSEC off things are much
much better, and that's how we'd ship it in Fedora if it becomes the
Lennart Poettering, Berlin