Revision as of 23:35, 30 March 2020
systemd-resolved
Summary
Enable systemd-resolved by default. Name resolution will be performed by nss-resolve rather than nss-dns.
Owner
- Name: Michael Catanzaro
- Email: <mcatanzaro@redhat.com>
Current status
- Targeted release: Fedora 33
- Last updated: 2020-03-30
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
TODO(mcatanzaro)
Benefit to Fedora
TODO(mcatanzaro)
Scope
- Proposal owners: We will update Fedora presets to enable systemd-resolved by default. We will work with the systemd maintainers to enable nss-resolve using an RPM scriptlet.
- Other developers: This change requires coordination with the systemd and authselect maintainers.
- Release engineering: #9367
- Policies and guidelines: none required
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
systemd-resolved will be enabled automatically when upgrading to Fedora 33.
How To Test
Load any website in a web browser. If you succeed, then name resolution works.
User Experience
Users who use multiple VPNs at the same time will notice that DNS requests are now sent to the correct DNS server by default. Previously, this scenario would result in "DNS leaks" and, depending on the order in which the VPN connections were established, possible failure to resolve private resources. These scenarios will now work properly.
Users will no longer be able to edit /etc/resolv.conf, as this file will now be managed by systemd.
Dependencies
In Fedora, /etc/nsswitch.conf is managed by authselect. By default, authselect uses the sssd profile to generate configuration compatible with sssd. In this mode of operation, it does not modify the hosts line in /etc/nsswitch.conf. This is also true if using the winbind profile instead of the sssd profile. However, authselect's minimal and nis profiles do modify the hosts line. These authselect profiles must be updated to enable nss-resolve. If you are using authselect in one of these modes, it will not be possible to cleanly disable systemd-resolved because the hosts line in /etc/nsswitch.conf will be clobbered whenever 'authselect apply-changes' is run. If you wish to disable systemd-resolved and you are using authselect in one of these modes, then you should stop using authselect. This is not expected to cause many problems because virtually all Fedora users will be using the default sssd profile.
We do not need to make any changes to the /etc/nsswitch.conf shipped by glibc.
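The rules in this section can be checked on a host with a short script. This is an added example, not part of the Change proposal: the function names and sample hosts lines are constructed, and it assumes the updated minimal and nis profiles regenerate the hosts line on 'authselect apply-changes' as described above.

```shell
#!/bin/sh
# Added example: report whether nss-resolve is consulted before nss-dns and
# whether a hand edit of the hosts line would survive authselect.

# Print the module list from the first "hosts:" line, comments stripped.
hosts_modules() {
    sed -e 's/#.*//' "$1" |
        awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Classify lookup order: resolve-first, dns-first, dns-only or none.
resolve_status() {
    hosts_modules "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "dns") dns = 1
            if ($i == "resolve") {
                print (dns ? "dns-first" : "resolve-first"); found = 1; exit
            }
        }
    } END { if (!found) print (dns ? "dns-only" : "none") }'
}

# Per the text: minimal and nis rewrite the hosts line, sssd and winbind do not.
profile_rewrites_hosts() {
    case "$1" in
        minimal|nis) echo yes ;;
        sssd|winbind) echo no ;;
        *) echo unknown ;;
    esac
}

# Combine both checks for one nsswitch.conf file and one authselect profile ID.
audit() {
    status=$(resolve_status "$1")
    if [ "$status" != resolve-first ] && [ "$(profile_rewrites_hosts "$2")" = yes ]; then
        echo "$status: edit will be clobbered by 'authselect apply-changes'"
    else
        echo "$status"
    fi
}

# Constructed samples: a hosts line with nss-resolve, and one edited back to DNS.
tmp=$(mktemp -d)
printf 'hosts: files resolve [!UNAVAIL=return] myhostname dns\n' > "$tmp/default"
printf '# edited by hand\nhosts: files dns myhostname\n' > "$tmp/edited"
audit "$tmp/default" sssd
audit "$tmp/edited" minimal
audit "$tmp/edited" sssd
rm -rf "$tmp"
```

On a real system, pass /etc/nsswitch.conf and the profile ID reported by 'authselect current' to audit.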
Contingency Plan
- Contingency deadline: beta freeze
- Blocks release? No
- Blocks product? No
Documentation
systemd-resolved is documented in several manpages: resolvectl(1), resolved.conf(5), nss-resolve(8), systemd-resolved(8). The Arch Wiki page may also be useful.
Release Notes
TODO(mcatanzaro)