On Thu, Apr 16, 2020 at 12:53:48PM +0200, Florian Weimer wrote:
> - Lennart Poettering:
> > On Mi, 15.04.20 16:30, Lennart Poettering (mzerqung@0pointer.de) wrote:
> > > On Mi, 15.04.20 15:50, Florian Weimer (fweimer@redhat.com) wrote:
> > > > - Lennart Poettering:
> > > > > - If /etc/resolv.conf is a regular file, resolved will *consume* it for DNS configuration, and never change it or modify it or replace it. If this mode is selected, arbitrary other programs that do DNS will talk directly to the provided DNS servers, and resolved is out of the loop.
> > > > > In mode #1 resolved neither manages /etc/resolv.conf nor inserts itself into DNS resolution in any way.
> > > > What will nss_resolve do in this case? Nothing?
> > > The nss_resolve module is just a wrapper around resolved's bus API. And the bus API uses resolved's own DNS resolution code. And resolved is smart enough to automatically become a *consumer* of /etc/nsswitch.conf (instead of a *manager* of it) if it is a regular file instead of a symlink to resolved's own files in /run.
> > Meh. I mean /etc/resolv.conf here, of course, not /etc/nsswitch.conf.
> So if /etc/resolv.conf comes from somewhere else, then nss_resolve will still forward queries to the daemon, which contacts the upstream server on nss_resolve's behalf (possibly with some caching), and eventually return the data to the application?

nss-resolve is enabled/disabled through nsswitch.conf. It always talks to systemd-resolved using local IPC. It doesn't care about /etc/resolv.conf in any way.

What Lennart wrote above applies to systemd-resolved and to things which look at /etc/resolv.conf for some reason. If nss-resolve is enabled, then only things which do not use nss at all would fall into this category.

> Or does nss_resolve fail with UNAVAIL and expect nss_dns to fetch the data?

nss_resolve fails with UNAVAIL when systemd-resolved is not running. So yeah, we want to use nss_dns as a fallback for that case. I'm not sure if that is what you are asking about.

> I'd prefer the first approach, but it really means that resolved is out of the loop only for queries submitted over the DNS transport (so res_query and the like, or direct use of UDP & TCP). Hence my confusion. 8-)
Zbyszek
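The two things the thread turns on, whether /etc/resolv.conf is a regular file resolved merely consumes or a symlink into resolved's own files under /run, and whether the nsswitch.conf "hosts:" line lets nss-resolve's UNAVAIL fall through to nss_dns, can be checked from a shell. This is an added example, not code from the thread or from systemd; the stub-resolv.conf/resolv.conf names under /run/systemd/resolve are resolved's real files, while the sample files it inspects are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): classify a resolv.conf path as the
# discussion describes (regular file => resolved only *consumes* it; symlink
# into /run/systemd/resolve => resolved *manages* it) and check whether the
# nsswitch.conf "hosts:" line lets an UNAVAIL from nss-resolve fall through
# to nss_dns.
set -eu

# resolv_mode PATH -> prints consumer | managed-stub | managed-upstream | absent
resolv_mode() {
    if [ -L "$1" ]; then
        case "$(readlink "$1")" in
            *run/systemd/resolve/stub-resolv.conf) echo managed-stub; return ;;
            *run/systemd/resolve/resolv.conf)      echo managed-upstream; return ;;
        esac
    fi
    # Anything else that exists (regular file, or a symlink to some other
    # file) is foreign configuration that resolved reads but never rewrites.
    if [ -e "$1" ]; then echo consumer; else echo absent; fi
}

# nss_hosts_services FILE -> prints the service names on the "hosts:" line,
# dropping comments and action specifiers such as "[!UNAVAIL=return]".
nss_hosts_services() {
    sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | sed 's/#.*//' |
        tr -s '[:space:]' '\n' | grep -v '^\[' | grep -v '^$' |
        tr '\n' ' ' | sed 's/ $//'
}

# nss_dns_fallback FILE -> exit 0 if "resolve" is listed and "dns" follows it,
# so a lookup is still answered by nss_dns when resolved is not running.
nss_dns_fallback() {
    seen_resolve=0
    for svc in $(nss_hosts_services "$1"); do
        case $svc in
            resolve) seen_resolve=1 ;;
            dns) if [ "$seen_resolve" -eq 1 ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Constructed sample files (not a real system) for the demo below.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/run/systemd/resolve"; : > "$demo/run/systemd/resolve/stub-resolv.conf"
printf 'nameserver 192.0.2.53\n' > "$demo/resolv-static.conf"
ln -s "$demo/run/systemd/resolve/stub-resolv.conf" "$demo/resolv-stub.conf"
printf 'hosts: files resolve [!UNAVAIL=return] dns # fallback ok\n' > "$demo/nss-good.conf"
printf 'hosts: files resolve\n' > "$demo/nss-nofallback.conf"

echo "static file: $(resolv_mode "$demo/resolv-static.conf")"   # consumer
echo "stub symlink: $(resolv_mode "$demo/resolv-stub.conf")"    # managed-stub
nss_dns_fallback "$demo/nss-good.conf" && echo "nss-good.conf: dns fallback present"
nss_dns_fallback "$demo/nss-nofallback.conf" || echo "nss-nofallback.conf: no dns fallback"
```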