On Mon, Jun 6, 2016 at 12:29 PM, James <wireless@×××××××××××.com> wrote:
>
> This is about the most scary idea I have ever heard of in unix/linux
> in a long time.
>
> I guess all of those conspiracy theories were correct:
> prepare to be assimilated!
>
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html
>

That's pretty old news. In any case, you certainly don't need to use
systemd as your DNS resolver if you don't want to.

Systemd also doesn't touch /etc/resolv.conf contrary to what that
email states. It only touches /run/systemd/resolve/resolv.conf which
does absolutely nothing on its own unless you choose to symlink
/etc/resolv.conf to it. The obvious options using systemd and
resolv.conf are:

1. Don't use it at all - just put whatever you want in
/etc/resolv.conf and it works like you'd expect it to.

2. Have systemd-networkd populate /run/systemd/resolve/resolv.conf
with whatever DNS servers were discovered using DHCP and then symlink
that to /etc/resolv.conf so that your system uses it. This is
basically the behavior you typically expect from the likes of dhcpcd
and such, but instead of tampering with a file in /etc it just messes
with a transient file in /run.

3. Run systemd-resolved as a caching forwarding-only DNS server and
have that end up in /run/systemd/resolve/resolv.conf. I haven't
really taken a serious look at the security implications of this. It
is intended as a lightweight forwarding-only DNS server, and if it has
any security flaws I'm sure they'll accept them as bugs. It is meant
as a single-host solution - not as something you'd point your entire
network at. It certainly isn't BIND.

As with most systemd integrated solutions they tend to start out
simple and evolve.

The last time I checked systemd does not block you from installing the
DNS server of your choosing, just as it doesn't block installing
syslog, or cron, or a network manager, or even another service
manager. You could use it as an oversized sysvinit if you wanted to
(not that you would). How distros choose to use it is another matter.

-- 
Rich
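Added example, not part of the mail above and not code from the systemd project: a POSIX shell check that tells the three arrangements Rich lists apart on a given host. Option 1 shows up as a regular file in /etc; options 2 and 3 both show up as /etc/resolv.conf being a symlink into /run/systemd/resolve, so whichever daemon writes that transient file decides where the box sends its DNS queries. The function names (resolv_mode, resolv_nameservers, make_demo_root), the ROOT prefix parameter and the constructed directory trees with 192.0.2.x addresses are all assumptions of this example; run resolv_mode with an empty prefix to inspect the live system.

```shell
#!/bin/sh
# resolv_mode ROOT: report how ROOT/etc/resolv.conf is wired up.
# ROOT is a path prefix (empty string for the live system); it is a
# parameter only so the check can be exercised on a constructed tree.
resolv_mode() {
  root="$1"
  f="$root/etc/resolv.conf"
  if [ -L "$f" ]; then
    target=$(readlink "$f")
    case "$target" in
      # Options 2 and 3 from the mail: libc reads the transient file in /run,
      # so whoever populates it (networkd, resolved) controls resolution.
      */run/systemd/resolve/resolv.conf) echo "symlink-to-run" ;;
      *) echo "symlink-other" ;;
    esac
  elif [ -f "$f" ]; then
    # Option 1: a plain file that only an administrator (or dhcpcd) edits.
    echo "static"
  else
    echo "missing"
  fi
}

# resolv_nameservers FILE: print the nameserver addresses FILE hands to the
# libc resolver, one per line, so the operator can see who actually answers.
resolv_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# make_demo_root MODE: build a throwaway tree (constructed sample data, not a
# real system) that mimics option 1 ("static") or options 2/3 ("symlink").
# Prints the path of the new root.
make_demo_root() {
  mode="$1"
  demo=$(mktemp -d)
  mkdir -p "$demo/etc" "$demo/run/systemd/resolve"
  # What networkd/resolved would have written into /run (constructed value).
  printf 'nameserver 192.0.2.53\n' > "$demo/run/systemd/resolve/resolv.conf"
  if [ "$mode" = static ]; then
    printf 'nameserver 192.0.2.1\n' > "$demo/etc/resolv.conf"
  else
    ln -s "$demo/run/systemd/resolve/resolv.conf" "$demo/etc/resolv.conf"
  fi
  echo "$demo"
}

# Stand-alone demo on the constructed trees; the live system is never touched.
for m in static symlink; do
  d=$(make_demo_root "$m")
  printf '%s tree: mode=%s nameservers=%s\n' "$m" "$(resolv_mode "$d")" \
    "$(resolv_nameservers "$d/etc/resolv.conf" | tr '\n' ' ')"
  rm -rf "$d"
done
```

The readlink pattern accepts both the absolute target and the relative ../run/systemd/resolve/resolv.conf form, which are the two ways distributions usually create that symlink.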