Re: systemd-resolved fallback DNS servers: usability vs. GDPR

Wed, 24 Feb 2021 12:19:12 -0800 

On Wed, 24 Feb 2021, Colin Walters wrote:


It's trickier than that because local caching nameservers can provide real 
benefits in various server scenarios, and also the IoT/edge case (as usual) 
blurs the traditional datacenter/mobile boundary.  (IoT can be servers with 
WiFi)

We ended up enabling resolved in FCOS, although it took a bit because it broke 
OpenShift, see:
https://github.com/openshift/okd-machine-os/pull/15
https://github.com/openshift/machine-config-operator/pull/2377
https://github.com/openshift/okd-machine-os/pull/47
etc.


It's hard to read through those. It's a big nest of issues, fixes and
reverts on adding/removing systemd-resolved. I couldn't figure out
the DNS setup based on these reports.


(It's really complex for OpenShift because we have a split between the host DNS 
and pod DNS which is served by CoreDNS, yet some cases span those, plus some 
on-premise installs differ from cloud/Iaas in this)


I'm confused here too, since AFAIK NM does not support tying queries for
certain domains to certain nameservers, and I was told that NM
configures DNS, not systemd-resolved, so how is that done in this case
then? For VPN, to support split-DNS you ran a full resolver like
unbound that has this support, and does not get configured through NM.

I guess I can't say more unless someone can point me to some
documentation on the DNS deployment details there. However, this
all changes nothing that different systems want to use different
DNS solutions, and making systemd-resolved part of the init package
so it is mandatory to install is not appropriate.

Paul
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to