[Bug 1624320] Re: systemd-resolved appends 127.0.0.53 to resolv.conf alongside existing entries
Anders Kaseorg
andersk at mit.edu
Sat Dec 10 08:32:48 UTC 2016
Martin: I still wonder what the point of having resolvconf is, if it’s
only ever supposed to be used to manage 127.0.0.53, and every other use
of resolvconf will lead to this bug resurfacing. I still propose that
systemd-resolved should read from /run/resolvconf/resolv.conf without
adding 127.0.0.53 to it, and /etc/resolv.conf should be a symlink to
/lib/systemd/resolv.conf rather than /run/resolvconf/resolv.conf.
Willem: If systemd-resolved isn’t suitable to be the only nameserver in resolv.conf, then it isn’t suitable to be in resolv.conf at all. I would rather either see these bugs worked out during the zesty cycle, or have systemd-resolved removed entirely, than leave the system in a half-broken state where the bugs in systemd-resolved get (probabilistically?) masked by the presence of other nameservers in resolv.conf.
In its current state, systemd-resolved is thoroughly broken on account
of (at least) bug 1647031. I had to downgrade network-manager because
switching to a resolver that doesn’t follow CNAME records breaks way too
much of the internet. This might not have been noticed with other
nameservers in resolv.conf. (Although now that it has, I’m getting
increasingly concerned by the switch not having been reverted yet…)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624320
Title:
systemd-resolved appends 127.0.0.53 to resolv.conf alongside existing
entries
Status in systemd package in Ubuntu:
Incomplete
Bug description:
systemd-resolved, or more precisely the hook script
/lib/systemd/system/systemd-resolved.service.d/resolvconf.conf, causes
resolvconf to add 127.0.0.53 to the set of nameservers in
/etc/resolv.conf alongside the other nameservers. That makes no sense
because systemd-resolved sets up 127.0.0.53 as a proxy for those other
nameservers. The effect is similar to bug 1624071 but for
applications doing their own DNS lookups. It breaks any DNSSEC
validation that systemd-resolved tries to do; applications will
fail over to the other nameservers, bypassing validation failures. And
it makes failing queries take twice as long.
/etc/resolv.conf should have only 127.0.0.53 when systemd-resolved is
active.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624320/+subscriptions
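
A check for the state the bug description reports, as an added example that is not part of the original message or of systemd or resolvconf. The function names and the sample file are constructed here, and 192.0.2.1 is a documentation address standing in for an upstream nameserver.

```shell
#!/bin/sh
# Added example: detect a resolv.conf that lists the systemd-resolved stub
# 127.0.0.53 alongside other nameservers, the state in which a client can
# fail over past the stub and whatever DNSSEC validation it performs.
STUB_ADDR="127.0.0.53"

# classify_resolv_conf FILE
# Prints one of: stub-only | mixed | no-stub | empty | unreadable
classify_resolv_conf() {
    rc_file=$1
    if [ ! -r "$rc_file" ]; then echo unreadable; return 0; fi
    rc_stub=0
    rc_other=0
    # Only "nameserver <addr>" lines matter. Comment lines never have
    # "nameserver" as their first field, so they are skipped. The
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while read -r rc_key rc_addr rc_rest || [ -n "$rc_key" ]; do
        [ "$rc_key" = "nameserver" ] && [ -n "$rc_addr" ] || continue
        if [ "$rc_addr" = "$STUB_ADDR" ]; then
            rc_stub=$((rc_stub + 1))
        else
            rc_other=$((rc_other + 1))
        fi
    done < "$rc_file"
    if [ "$rc_stub" -gt 0 ] && [ "$rc_other" -gt 0 ]; then echo mixed
    elif [ "$rc_stub" -gt 0 ]; then echo stub-only
    elif [ "$rc_other" -gt 0 ]; then echo no-stub
    else echo empty
    fi
}

# audit_resolv_conf FILE
# Exit status 1 only for the mixed state, so it can gate a check script.
audit_resolv_conf() {
    [ "$(classify_resolv_conf "$1")" != "mixed" ]
}

# Constructed sample reproducing the reported state.
sample=$(mktemp)
printf 'nameserver 127.0.0.53\nnameserver 192.0.2.1\nsearch example.com\n' > "$sample"
if audit_resolv_conf "$sample"; then
    echo "ok: $(classify_resolv_conf "$sample")"
else
    echo "warning: $STUB_ADDR is listed together with other nameservers"
fi
rm -f "$sample"
```

On a real host, point `audit_resolv_conf` at `/etc/resolv.conf` after resolving its symlink, since the message above discusses which file that link should target.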