* Michael Catanzaro:
> On Wed, Apr 15, 2020 at 10:48 am, Florian Weimer <fweimer(a)redhat.com>
> wrote:
>> The second Kubernetes issue I worry about [1] is that the CoreDNS name
>> server is installed first, and it does additional rule-based processing
>> for in-cluster names. External DNS servers are listed later. Parallel
>> queries and random server selection could bypass the CoreDNS service for
>> queries that need to be handled by it.
>
> Hm, CoreDNS might need to construct its own nss module,

This is not possible. You cannot realistically inject binary code into
the container (see the fun with GPU userspace driver parts).

> or you might need to use /etc/resolv.conf in "mode 1" or "mode 3"
> described by Lennart. (Or disable systemd-resolved, but that shouldn't
> be necessary.) We'll default to Lennart's "mode 2" so it sounds like
> that might be a problem indeed.

Yeah.

>> Does OpenVPN log the list of these domains somewhere? Or do they have
>> to be configured manually?
>
> This is managed by NetworkManager and systemd-resolved. You can inspect
> with 'resolvectl status'. I don't think OpenVPN knows anything about
> it.

As explained elsewhere, NetworkManager-openvpn extracts the search list
from OpenVPN parameters, passes that to NetworkManager, which I expect
will pass it to systemd-resolved in the future.

>> Ugh. That will have to be fixed, otherwise it will break DANE/TLSA and
>> other DNSSEC-mandatory functionality on upgrades: the system used to
>> have a DNSSEC-clean path to the outside world, and after the switch to
>> systemd-resolved, it won't.
>
> I think that, if you need DNSSEC, you will just need to enable it
> manually. I think >99% of users won't need to do this, and it's a
> one-line config file change for power users who do need it, just edit
> /etc/systemd/resolved.conf and then restart systemd-resolved
> service. Problem is that DNSSEC is just not safe to enable by
> default. :(

See my message to Lennart about separate DO/CD query caching.

My point is that these users *have* enabled DNSSEC in their
infrastructure, and we break what they have during an update (assuming
that DNSSEC=off means that systemd-resolved turns DNSSEC-unaware, rather
than just disabling validation).

Thanks,
Florian
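
A check an administrator could run before and after such an upgrade, added here as an example and not part of the thread: it reports the effective DNSSEC= value that systemd-resolved will read from /etc/systemd/resolved.conf and its resolved.conf.d drop-ins (later files and later keys win), and classifies it the way the DANE/TLSA concern above cares about. It assumes the standard config locations and the documented values yes, no and allow-downgrade; the paths are parameters so it can be run against constructed copies.

```shell
#!/bin/sh
# Added example (not from the thread): find the DNSSEC= setting systemd-resolved
# will use. Assumes the standard locations /etc/systemd/resolved.conf and
# /etc/systemd/resolved.conf.d/*.conf, passed in as parameters.

# Print the effective DNSSEC= value ("unset" if no file sets it).
# Only keys inside the [Resolve] section count; comment lines are ignored.
resolved_dnssec_setting() {
    conf="$1"          # main file, e.g. /etc/systemd/resolved.conf
    dropin_dir="$2"    # drop-in directory, e.g. /etc/systemd/resolved.conf.d
    value=""
    for f in "$conf" "$dropin_dir"/*.conf; do
        [ -r "$f" ] || continue    # unmatched glob or missing file: skip
        v=$(awk -F= '
            /^[[:space:]]*[#;]/ { next }                       # comment line
            /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[Resolve\]/); next }
            insect && $1 ~ /^[[:space:]]*DNSSEC[[:space:]]*$/ {
                sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
                val = $2                                       # last key wins
            }
            END { print val }' "$f")
        [ -n "$v" ] && value="$v"                              # later file wins
    done
    printf '%s\n' "${value:-unset}"
}

# Classify the setting from the point of view of DNSSEC-mandatory clients:
# only "yes" validates strictly; "allow-downgrade" silently degrades;
# "no" leaves resolution unvalidated; "unset" means the build's default.
dnssec_validation_mode() {
    case "$1" in
        yes|true|1|on)     echo "strict" ;;
        allow-downgrade)   echo "opportunistic" ;;
        no|false|0|off)    echo "off" ;;
        unset)             echo "default" ;;
        *)                 echo "unknown" ;;
    esac
}

# Usage on a live system:
#   mode=$(dnssec_validation_mode "$(resolved_dnssec_setting \
#            /etc/systemd/resolved.conf /etc/systemd/resolved.conf.d)")
#   echo "DNSSEC validation: $mode"
```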