[systemd-devel] "known-good" DNS servers for use with resolved and DNSSEC

Kevin P. Fleming kevin at km6g.us
Thu Apr 16 18:00:33 UTC 2020


I have a working-well configuration using PowerDNS Recursive Resolver
(running locally in my network, not provided by my ISP or anyone
upstream).

On Thu, Apr 16, 2020 at 12:46 PM Fabian Bernhard Pack
<gigadoc2 at revreso.de> wrote:
>
> Hi,
>
> I've been slowly integrating systemd-resolved more and more into my
> setups, but I had always encountered stability issues whenever the
> upstream DNS resolver has some kind of DNSSEC support. Setting
> DNSSEC=true would result in periods of no name resolution at all,
> leaving it at the default `allow-downgrade` would have it work most of
> the time, though switching DNSSEC support on and off periodically, and
> sometimes not being able to resolve a query that should have resolved.
>
> The troubles seem to occur whenever the upstream DNS cannot resolve a
> query, but for legitimate reasons. For example, the resolver is a
> recursive one and the authoritative nameservers for the queried zones
> return SERVFAIL. The resolver passes that SERVFAIL down to systemd-
> resolved, which seems to take it as a sign that the upstream does not
> support DNSSEC, and turns the feature off. If DNSSEC=true, the resolver
> is then blacklisted for the duration of the grace period, if
> DNSSEC=allow-downgrade the feature set is reduced.
>
> Looking through the bug reports, I got the impression that the DNSSEC
> support of systemd-resolved (or at least its DNSSEC detection support)
> was simply in a bad shape and needed a rewrite, which was what led me
> to disable it.
> But now Fedora has brought up the proposal to switch to systemd-
> resolved by default, though with DNSSEC disabled by default. In that
> discussion Lennart Poettering mentioned that the reasons for the
> instabilities observed with DNSSEC support turned on are to be found in
> the erratic behaviour of upstream DNS resolvers, and the efforts of
> systemd-resolved to detect this.
> (See
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/AFHNUEHKC5KJVGBGSJBH2BMESUAGDF4H/
> )
>
> Please don't take this the wrong way, but I am now wondering what the
> correct behaviour for an upstream DNS should be. I had tried unbound
> and dnsmasq in the past (of course with DNSSEC enabled and passing down
> the relevant RRs to resolved), and with both I encountered the
> instabilities.
> If you have a setup with systemd-resolved and DNSSEC enabled, can you
> tell me what the upstream DNS is running? I would like to know a
> "known-good" DNS server implementation, to see what it is doing
> differently than my unbound/dnsmasq.
>
> Kind regards,
> Fabian Pack

