[systemd-devel] "known-good" DNS servers for use with resolved and DNSSEC

Fabian Bernhard Pack gigadoc2 at revreso.de
Thu Apr 16 16:38:44 UTC 2020


Hi,

I've been slowly integrating systemd-resolved more and more into my
setups, but I had always encountered stability issues whenever the
upstream DNS resolver has some kind of DNSSEC support. Setting
DNSSEC=true would result in periods of no name resolution at all,
leaving it at the default `allow-downgrade` would have it work most of
the time, though switching DNSSEC support on and off periodically, and
sometimes not being able to resolve a query that should have resolved.

The troubles seem to occur whenever the upstream DNS cannot resolve a
query, but for legitimate reasons. For example, the resolver is a
recursive one and the authoritative nameservers for the queried zones
return SERVFAIL. The resolver passes that SERVFAIL down to
systemd-resolved, which seems to take it as a sign that the upstream does
not support DNSSEC, and turns the feature off. If DNSSEC=true, the
resolver is then blacklisted for the duration of the grace period, if
DNSSEC=allow-downgrade the feature set is reduced.

Looking through the bug reports, I got the impression that the DNSSEC
support of systemd-resolved (or at least its DNSSEC detection support)
was simply in a bad shape and needed a rewrite, which was what led me
to disable it.
But now Fedora has brought up the proposal to switch to
systemd-resolved by default, though with DNSSEC disabled by default. In
that discussion Lennart Poettering mentioned that the reasons for the
instabilities observed with DNSSEC support turned on are to be found in
the erratic behaviour of upstream DNS resolvers, and the efforts of
systemd-resolved to detect this.
(See 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/AFHNUEHKC5KJVGBGSJBH2BMESUAGDF4H/
)

Please don't take this the wrong way, but I am now wondering what the
correct behaviour for an upstream DNS should be. I had tried unbound
and dnsmasq in the past (of course with DNSSEC enabled and passing down
the relevant RRs to resolved), and with both I encountered the
instabilities.
If you have a setup with systemd-resolved and DNSSEC enabled, can you
tell me what the upstream DNS is running? I would like to know a
"known-good" DNS server implementation, to see what it is doing
different than my unbound/dnsmasq.

Kind regards,
Fabian Pack
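The ambiguity the post describes (a SERVFAIL from the upstream says nothing by itself about whether that upstream supports DNSSEC) is easiest to see at the wire level. The following is an added example, not code from the mailing list or from systemd: it builds the kind of probe a validating stub sends (RD set, EDNS0 OPT RR with the DO bit) and classifies a reply from its header alone, using constructed header-only responses rather than captured traffic.

```python
import random
import struct

# Bit layout of the DNS header flags word (RFC 1035 / RFC 4035).
FLAG_QR, FLAG_RD, FLAG_AD = 0x8000, 0x0100, 0x0020
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT RR "TTL" field (RFC 3225)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dnssec_probe(name, qtype=1, txid=None):
    """Query with RD set plus an EDNS0 OPT RR carrying DO, so RRSIGs are returned."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qclass IN
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def classify_response(data):
    """Read only the 12-byte header: RCODE and the AD bit decide what the upstream said."""
    if len(data) < 12:
        return "malformed"
    _, flags, *_ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_QR:
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == 2:
        # SERVFAIL is ambiguous: bogus data, a broken authoritative server upstream,
        # or an upstream that cannot do DNSSEC at all. It must not be read as "no DNSSEC".
        return "servfail"
    if rcode != 0:
        return f"rcode-{rcode}"
    # AD set means the upstream validated the answer; clear means "not verified", not "bogus".
    return "secure" if flags & FLAG_AD else "unverified"


# Constructed header-only sample responses (txid 0x1234); these are not captured packets.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)    # QR RD RA, rcode 2
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)      # QR RD RA AD
SAMPLE_UNVERIFIED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD
```

Probing a name that is known to be signed and checking for "secure" tells you whether the upstream validates; a "servfail" for some unrelated zone is not evidence either way.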
