On Mon, 28 Sep 2020, Michael Catanzaro wrote:
> Anyway, if you don't like this heuristic, we could decide to always delete
> /etc/resolv.conf.
You will break all software linked against libunbound that uses the
ub_ctx_resolvconf() function. Most users of libunbound will use this,
because firewalls might prevent UDP 53 packets going out from anything
but the configured system resolver. It also then uses, and benefits from,
the system's DNS cache.
> The only other alternative I can think of would be to leave
> it unchanged, such that upgraded systems don't get fully migrated to
> systemd-resolved, but that's not a good option.
I do not think systemd-resolved is ready for prime time, even unrelated
to the specific split DNS and DNSSEC case. A number of bugs have been
closed that affect DNS resolving despite DNS experts reporting this
as violating RFC standards and breaking things. For example:
https://github.com/systemd/systemd/issues/8967
Not migrating everything to systemd-resolved by default would not be the
worst solution.
Paul
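The breakage Paul points at is concrete: a libunbound consumer that calls ub_ctx_resolvconf() takes its forwarders from /etc/resolv.conf, so if the file is gone it has nothing to forward to. The following Python is an added illustration, not part of the thread and not unbound's own code: it parses resolv.conf the way such a consumer would, classifies what it finds, and shows the result before and after the file is removed. The function names, the SYSTEMD_STUB constant (systemd-resolved's stub listener address) and the sample file contents are the example's own assumptions.

```python
"""Read resolv.conf the way a ub_ctx_resolvconf()-style consumer does and
report what a libunbound-based program would end up forwarding to.
Added example; not taken from the mailing-list thread or from unbound."""
import ipaddress
import os
import tempfile
from dataclasses import dataclass, field

# Address systemd-resolved listens on for its local stub resolver.
SYSTEMD_STUB = "127.0.0.53"


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    options: list = field(default_factory=list)


def parse_resolv_conf(text):
    """Parse the nameserver/search/domain/options directives of a resolv.conf."""
    conf = ResolvConf()
    for raw in text.splitlines():
        # '#' and ';' both start a comment in resolv.conf.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            addr = args[0].split("%", 1)[0]  # drop an IPv6 zone id such as %eth0
            try:
                conf.nameservers.append(str(ipaddress.ip_address(addr)))
            except ValueError:
                continue  # unparsable address: skipped, like a resolver would
        elif key in ("search", "domain"):
            conf.search = args  # later directive replaces the earlier one
        elif key == "options":
            conf.options.extend(args)
    return conf


def classify(conf):
    """'empty': no usable nameserver; 'stub': forwards to systemd-resolved;
    'ok': forwards to the listed resolvers."""
    if not conf.nameservers:
        return "empty"
    if SYSTEMD_STUB in conf.nameservers:
        return "stub"
    return "ok"


def forwarders_from_path(path="/etc/resolv.conf"):
    """Mirror ub_ctx_resolvconf(ctx, NULL): returns (status, nameservers).
    A missing file yields ('missing', []) -- the case where deleting
    /etc/resolv.conf leaves a libunbound consumer with no forwarder."""
    if not os.path.exists(path):
        return "missing", []
    with open(path, encoding="utf-8", errors="replace") as fh:
        conf = parse_resolv_conf(fh.read())
    return classify(conf), conf.nameservers


def demo():
    """Constructed resolv.conf in a temp dir, then the same path after deletion."""
    sample = (
        "# constructed sample, as written by systemd-resolved\n"
        "nameserver 127.0.0.53\n"
        "options edns0 trust-ad\n"
        "search example.test\n"
    )
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "resolv.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        results.append(forwarders_from_path(path))
        os.remove(path)  # what "always delete /etc/resolv.conf" would do
        results.append(forwarders_from_path(path))
    return results


if __name__ == "__main__":
    for status, servers in demo():
        print(status, servers)
```

Running it prints the `stub` classification with `['127.0.0.53']` first and `missing` with an empty list second; the second line is the state every ub_ctx_resolvconf() caller would see on a system where the file had been removed.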