[Bug 1685045] [NEW] stop using libnss_resolve.so for name resolution
Steve Langasek
steve.langasek at canonical.com
Fri Apr 21 00:22:29 UTC 2017
Public bug reported:

Once we have systemd-resolved's stub DNS resolver on a solid footing
everywhere (LP: #1682499; LP: #1647031), we should stop using
libnss_resolve.so for name resolution and *only* use the DNS stub
resolver via libnss_dns.so.

The reason is that libnss_resolve.so is non-standard, depends on more
moving parts (dbus+added NSS module), and consistently masks bugs in the
stub DNS resolver or its configuration that are only discovered when
someone tries to use software that does not use the NSS configuration of
the host (including, but not limited to, chroots; containers; software
written in languages that don't use libc).

Since systemd-resolved *must* continue to provide a robust stub DNS
resolver for the foreseeable future, having the dbus service in use /as
well/ is unwelcome complexity that causes bugs to manifest far from the
point of introduction.

Since the systemd-resolved service is currently only enabled if the
libnss-resolve package is installed, this enablement logic would need to
be migrated into the base systemd package.

I believe we should consider making this change even in SRU due to the
pernicious effects of the current behavior. However, that will require
some thought to come up with a reasonable SRU test case with low risk of
regression.

** Affects: systemd (Ubuntu)
   Importance: High
   Status: Triaged

** Changed in: systemd (Ubuntu)
   Importance: Undecided => High

** Changed in: systemd (Ubuntu)
   Status: New => Triaged

--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1685045
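
An added illustration, not part of the bug report or of systemd's code: a small audit of the `hosts:` line in nsswitch.conf that reports whether libc lookups reach libnss_dns (and so exercise the stub resolver) or are answered by libnss_resolve first. The sample lines and the function names `parse_hosts` and `audit` are constructed for this example.

```python
import re

# Constructed samples (assumptions, not quoted from the bug report).
SAMPLE_WITH_RESOLVE = "hosts: files resolve [!UNAVAIL=return] dns\n"
SAMPLE_DNS_ONLY = "passwd: compat\nhosts: files dns  # stub via resolv.conf\n"


def parse_hosts(nsswitch_text):
    """Return [(module, [actions])] for the hosts database, in lookup order."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("hosts:"):
            continue
        # A token is either a bracketed action list or a module name.
        tokens = re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):])
        entries = []
        for tok in tokens:
            if tok.startswith("["):
                if entries:  # actions apply to the module just before them
                    entries[-1][1].extend(tok[1:-1].upper().split())
            else:
                entries.append((tok, []))
        return entries
    return []


def audit(nsswitch_text):
    """Summarise which NSS module answers host lookups for libc programs."""
    entries = parse_hosts(nsswitch_text)
    names = [module for module, _ in entries]
    actions = dict(entries)
    uses_resolve = "resolve" in names
    has_dns = "dns" in names
    resolve_first = (uses_resolve and has_dns
                     and names.index("resolve") < names.index("dns"))
    return {
        "modules": names,
        "uses_libnss_resolve": uses_resolve,
        # With [!UNAVAIL=return], dns is tried only when resolved is not running.
        "dns_only_on_resolve_unavail":
            resolve_first and "!UNAVAIL=RETURN" in actions["resolve"],
        # True when libc programs take the same DNS path as non-NSS software.
        "libc_uses_libnss_dns": has_dns and not resolve_first,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WITH_RESOLVE, SAMPLE_DNS_ONLY):
        print(audit(sample))
```

A host reporting `libc_uses_libnss_dns: False` is one where stub resolver problems would surface only in chroots, containers, or software that bypasses libc.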