* Michael Catanzaro:
> On Sun, Jul 26, 2020 at 6:15 pm, John M. Harris Jr johnmh@splentity.com wrote:
>> Please do not disable reading from /etc/resolv.conf. If you do so, please limit that to the Spins that it won't affect people on, such as Workstation, if you believe people there don't set their own DNS servers.
> Except:
> - /etc/resolv.conf is broken by design, as you would know if you read
> the section on split DNS that you just quoted
It works for the things it's meant to do.
Split DNS does not exist as a concept. Some web browser concepts, such as the canary domain for DoH, are explicitly incompatible with it:
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
Incompatible in the sense that when connecting to a VPN, DNS traffic will now be sent to a third party, when it would not before.
> - There's no value in reading from /etc/resolv.conf unless you have
> written something custom to it
Any DNS client library has to read /etc/resolv.conf to determine the system DNS configuration.
The format is about as stable as _res, and from languages which are not C, much easier to access.
This isn't an obscure use case, this is something that really has to work. Even C programs use alternative DNS clients for asynchronous name resolution and similar things.
> Fact is that unless you have done custom work to allow manual modifications to /etc/resolv.conf, you're not going to notice this change at all.
It depends on the quality of the DNS implementation whose address is given in /etc/resolv.conf.
> And if you have, then surely you'll be able to figure out the very, very simple steps to get back to the original behavior. In fact, it should actually be *easier* than before to get traditional behavior. Remove the symlink. Create your own /etc/resolv.conf. Hey presto! systemd will read it....
What if I want to manage name servers via DHCP (and Network Manager), but still retain DNSSEC support for local applications?
Thanks, Florian
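The thread turns on two points about /etc/resolv.conf: that any non-glibc DNS client has to parse it to find the system configuration, and that what you get (DNSSEC validation included) then depends entirely on the resolver whose address is listed there. The following is an added example, not code from the thread or from Fedora or systemd: a minimal parser for the resolv.conf(5) format that extracts nameserver, search/domain and options lines, plus a check for whether every listed server is a loopback address, which is what a local stub or forwarder such as systemd-resolved's stub listener looks like to a client. The two sample files are constructed for the example; the stub sample mirrors the shape of a systemd-resolved stub file, and the 127.0.0.53 address is systemd-resolved's documented stub listener.

```python
"""Minimal /etc/resolv.conf parser (added example, not from the thread).

Parses the classic resolver configuration that DNS client libraries read:
``nameserver``, ``search``/``domain`` and ``options`` lines, with ``#`` and
``;`` comments.  ``uses_local_resolver`` reports whether every configured
server is a loopback address, i.e. a local stub or forwarder answers the
queries, so properties such as DNSSEC validation depend on that local
implementation rather than on the upstream servers handed out by DHCP.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Constructed sample: the shape of a systemd-resolved stub file.
# 127.0.0.53 is systemd-resolved's stub listener address.
SAMPLE_STUB = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
search example.internal
"""

# Constructed sample: a traditional file written by a DHCP client.
SAMPLE_TRADITIONAL = """\
; generated by a DHCP client (constructed sample)
search corp.example   lab.example
nameserver 192.0.2.10
nameserver 2001:db8::53
options timeout:2 attempts:3 rotate
"""


@dataclass
class ResolvConf:
    nameservers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    options: Dict[str, Union[int, str, bool]] = field(default_factory=dict)


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse resolv.conf(5) text into a ResolvConf."""
    conf = ResolvConf()
    for raw in text.splitlines():
        # Both '#' and ';' introduce comments; strip them, then whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            try:
                # Normalise the address (rejects garbage, keeps v4 and v6).
                conf.nameservers.append(str(ipaddress.ip_address(args[0])))
            except ValueError:
                continue  # unparsable address: ignore, as libc does
        elif keyword in ("search", "domain"):
            # 'domain' is the legacy single-entry form; if several
            # search/domain lines are present, the last one wins.
            conf.search = args
        elif keyword == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                # 'ndots:1' style options carry an integer; flags are True.
                conf.options[name] = int(value) if value.isdigit() else (value or True)
    return conf


def uses_local_resolver(conf: ResolvConf) -> bool:
    """True when every nameserver is a loopback address, meaning a local
    stub or forwarder (not the DHCP-supplied servers) answers queries."""
    return bool(conf.nameservers) and all(
        ipaddress.ip_address(ns).is_loopback for ns in conf.nameservers
    )


if __name__ == "__main__":
    for label, text in (("stub", SAMPLE_STUB), ("traditional", SAMPLE_TRADITIONAL)):
        conf = parse_resolv_conf(text)
        print(label, conf, "local resolver:", uses_local_resolver(conf))
```

The `trust-ad` option in the stub sample is the glibc option that lets a client trust the AD (authenticated data) bit set by the resolver at that address; it only means something when that resolver actually validates DNSSEC, which is exactly why the answer to the DHCP-plus-DNSSEC question depends on what sits behind the listed address.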