Background

I checked with a few Chatmail operators and there is a mixed experience of having systemd-resolved installed. This is an optional service that manages /etc/resolv.conf. As long as it is installed it can override the values in /etc/resolv.conf.

From what I can tell cmdeploy does not directly manage /etc/resolv.conf so I do not know how 127.0.0.1 is getting in there.
relay/cmdeploy/src/cmdeploy/__init__.py, lines 588 to 607 in 5ba99dc (excerpt as captured on the page):

```python
        "unbound-anchor -a /var/lib/unbound/root.key || true",
        "systemctl reset-failed unbound.service",
    ],
)
systemd.service(
    name="Start and enable unbound",
    service="unbound.service",
    running=True,
    enabled=True,
)
```
Simply installing and enabling the unbound service does not trigger systemd-resolved to do anything. If you really want to use systemd-resolved the correct thing to do would be to create a file like /etc/systemd/resolved.conf.d/unbound.conf with the following contents:

```ini
[Resolve]
DNS=127.0.0.1
DNSSEC=yes
```
And then trigger a restart of the systemd-resolved service. This will guarantee that the nameserver 127.0.0.1 line is added to the file as the first/primary nameserver while retaining the default ones that were provided by DHCP. There is another step that also needs to be taken:

/etc/resolvconf/update.d/unbound should have its executable bit removed so this hook does not execute; otherwise it will override the Unbound config and force it to forward queries to the DHCP resolvers instead of doing full recursion from the root nameservers. You risk losing DNSSEC as a result, which is still important for us as we validate DKIM.
Recommendation
There isn't a clear need for the additional capabilities that systemd-resolved provides. I suggest we remove the package and directly manage the contents of /etc/resolv.conf so we are confident what the behavior is. Either way we should be more explicit about how the DNS resolvers are configured as not all servers appear to have systemd-resolved installed.
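The following is an added example, not part of this issue and not cmdeploy's own code: a read-only POSIX shell audit of the resolver state the issue describes (first nameserver in /etc/resolv.conf is the local Unbound, the resolvconf hook is not executable, the systemd-resolved drop-in carries DNS=127.0.0.1 and DNSSEC=yes if resolved is still in use, and Unbound actually validates). Every file check takes an optional path argument that defaults to the real system path, so the checks can be run against constructed sample files; the function names, the `--audit` switch and the dig-based AD-flag probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the chatmail issue or of cmdeploy: a read-only
# audit of the resolver state the issue describes. Each file check takes an
# optional path (defaulting to the real system path) so it can be exercised
# against constructed sample files. Function names and the dig-based DNSSEC
# probe are this example's own choices.

# 1. The first active "nameserver" line in resolv.conf must be the local
#    Unbound. Comment lines (# or ;) are ignored; later DHCP servers may follow.
first_nameserver_is_local() {
    f="${1:-/etc/resolv.conf}"
    [ -r "$f" ] || return 1
    first=$(grep -E '^[[:space:]]*nameserver[[:space:]]+' "$f" | head -n 1 | awk '{print $2}')
    [ "$first" = "127.0.0.1" ]
}

# 2. The resolvconf hook must not be executable: when it runs it rewrites the
#    Unbound config to forward to the DHCP resolvers, losing recursion and DNSSEC.
hook_is_disabled() {
    h="${1:-/etc/resolvconf/update.d/unbound}"
    [ ! -x "$h" ]
}

# 3. If systemd-resolved stays installed, the drop-in from the issue must carry
#    exactly the two settings under [Resolve].
dropin_sets_local_dnssec() {
    d="${1:-/etc/systemd/resolved.conf.d/unbound.conf}"
    [ -r "$d" ] || return 1
    grep -qx '\[Resolve\]' "$d" && grep -qx 'DNS=127.0.0.1' "$d" && grep -qx 'DNSSEC=yes' "$d"
}

# 4. Live probe: ask the local Unbound for the root SOA with DO set and require
#    the AD (authenticated data) flag, which only a validating resolver sets.
#    Returns 2 (skip) when dig is not installed.
unbound_validates_dnssec() {
    command -v dig >/dev/null 2>&1 || return 2
    dig @127.0.0.1 . SOA +dnssec +noall +comments 2>/dev/null \
        | grep -q '^;; flags:.* ad[ ;]'
}

# Run one check, print its outcome, and record failures in the global rc.
report() {
    if "$@"; then
        echo "PASS: $1"
    elif [ $? -eq 2 ]; then
        echo "SKIP: $1 (tool not available)"
    else
        echo "FAIL: $1"; rc=1
    fi
}

audit() {
    rc=0
    report first_nameserver_is_local
    report hook_is_disabled
    report unbound_validates_dnssec
    # The issue's recommendation is to drop systemd-resolved; if it is still
    # running, the drop-in from the issue is the only configuration that keeps
    # Unbound as the primary, validating resolver.
    if command -v systemctl >/dev/null 2>&1 \
        && systemctl is-active --quiet systemd-resolved.service; then
        echo "NOTE: systemd-resolved is active; checking its drop-in"
        report dropin_sets_local_dnssec
    fi
    return $rc
}

# Run the full audit only when asked (sh resolver_audit.sh --audit), so the
# functions can be sourced or tested without touching the live system.
if [ "${1:-}" = "--audit" ]; then
    audit
fi
```

Run it as `sh resolver_audit.sh --audit` on a relay host; a non-zero exit means at least one of the conditions the issue calls out is violated. The AD-flag probe is the one check that exercises behaviour rather than files: a resolver that has been silently switched to forwarding to DHCP servers without DNSSEC will answer, but without the AD flag.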