[Bug 1624320] Re: systemd-resolved appends 127.0.0.53 to resolv.conf alongside existing entries
Martin Pitt
martin.pitt at ubuntu.com
Fri Sep 16 15:27:46 UTC 2016
The primary purpose of adding 127.0.0.53 to resolv.conf is for client
software that wants to do DNS resolution by itself instead of using NSS
-- the most notable example is Google Chrome, and third-party software
which is statically linked (e.g. Go).

However, other software like NetworkManager or isc-dhcp also calls
resolvconf and adds name servers picked up by them -- as they don't talk
to resolved directly, resolved reads their DNS servers *from*
resolv.conf.

But, software which does its own DNS lookups like the above has to do
its own DNSSEC validation too -- you can't both choose to *not* use NSS
*and* rely on NSS to do DNSSEC for you.

So, this is indeed a wart, but not easily fixed, and also not that
important IMHO. Not using NSS is already broken to some degree, as you
also ignore things like nss-{winbind,docker,ldap} etc.
** Changed in: systemd (Ubuntu)
Status: New => Triaged
** Changed in: systemd (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624320
Title:
systemd-resolved appends 127.0.0.53 to resolv.conf alongside existing
entries
Status in systemd package in Ubuntu:
Triaged
Bug description:
systemd-resolved, or more precisely the hook script
/lib/systemd/system/systemd-resolved.service.d/resolvconf.conf, causes
resolvconf to add 127.0.0.53 to the set of nameservers in
/etc/resolv.conf alongside the other nameservers. That makes no sense
because systemd-resolved sets up 127.0.0.53 as a proxy for those other
nameservers. The effect is similar to bug 1624071 but for
applications doing their own DNS lookups. It breaks any DNSSEC
validation that systemd-resolved tries to do; applications will
fail over to the other nameservers, bypassing validation failures. And
it makes failing queries take twice as long.
/etc/resolv.conf should have only 127.0.0.53 when systemd-resolved is
active.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1624320/+subscriptions
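
An added example, not part of the bug report or of systemd: a small audit that checks a resolv.conf for the condition described above, where 127.0.0.53 is listed alongside other nameservers so that clients reading the file directly can fail over past systemd-resolved. The function names, verdict strings and the sample file contents are assumptions made for this illustration.

```python
import ipaddress
import sys

# Stub listener address of systemd-resolved, as named in the bug report.
STUB = ipaddress.ip_address("127.0.0.53")

def parse_nameservers(text):
    """Return the nameserver addresses of a resolv.conf in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment line
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
                servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
            except ValueError:
                continue  # not an IP literal, ignore the entry
    return servers

def audit(text):
    """Classify a resolv.conf with respect to the systemd-resolved stub."""
    servers = parse_nameservers(text)
    others = [str(s) for s in servers if s != STUB]
    if STUB not in servers:
        verdict = "no-stub"             # resolved is not offered to direct clients
    elif others:
        verdict = "stub-with-fallback"  # the state this bug describes
    else:
        verdict = "stub-only"           # the state the reporter asks for
    return {"verdict": verdict, "other_servers": others}

# Constructed sample: an upstream server listed next to the stub.
SAMPLE_MIXED = """# constructed sample, not from a real host
nameserver 192.0.2.1
nameserver 127.0.0.53
search example.test
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        result = audit(fh.read())
    print(path, result["verdict"], " ".join(result["other_servers"]))
    sys.exit(1 if result["verdict"] == "stub-with-fallback" else 0)
```

Run against /etc/resolv.conf, a "stub-with-fallback" verdict lists the servers that a client doing its own lookups could query without going through systemd-resolved.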