ANN: DNS resolver changes in yakkety

Martin Pitt martin.pitt at ubuntu.com
Thu Jun 2 21:26:17 UTC 2016


Hello Stéphane,

to tie up the loose end of this thread.

Stéphane Graber [2016-05-31 15:52 -0400]:
> > >  1) Does resolved now support split DNS support?
> > >     That is, can Network Manager instruct it that only *.example.com
> > >     should be sent to the DNS servers provided by a given VPN?
> > 
> > resolved has a D-Bus API SetLinkDomains(), similar in spirit to
> > dnsmasq. However, NM does not yet know about this, and only indirectly
> > talks to resolved via writing /etc/resolv.conf (again indirectly via
> > resolvconf). So the functionality on the resolved side is there, but we
> > don't use it yet. This is being tracked in the blueprint.
> 
> Ok and does it support configuring this per-domain thing through
> configuration files?
> 
> That's needed so that LXC, LXD, libvirt, ... can ship a file defining a
> domain for their bridge which is then forwarded to their dnsmasq
> instance.

In my other reply I said that resolved doesn't have this kind of
fine-grained configuration files, as it mostly expects network
management software to tell it about these things. But what you *can*
do is to use networkd for this:

  $ cat /lib/systemd/network/lxdbr0.network
  [Match]
  Name=lxdbr0

  [Network]
  DNS=127.0.0.1
  Domains= ~lxd

With this, networkd won't actually set up the bridge (as there is no
DHCP=, Address=, corresponding .netdev, etc.), but as soon as it comes
up via auto-activation of lxd-bridge.service, it will poke that
information into resolved (via the above SetLinkDomains() call). I
just tested that in a VM, and it does what you expect.

The main drawback is that you need to start systemd-networkd.service
for this (at least as a Requires= of lxd-bridge.service). Now, on
server/cloud we want to move to networkd anyway, but on a desktop we'd
usually only have NetworkManager running. So this overhead would
mainly be justified if you would consider replacing lxd-bridge.service
by a "full" networkd config, i.e. let the above file actually set up
and configure the full bridge (but this doesn't go that well with the
existing /etc/default/lxd-bridge format).

If using a configuration *file* is not a tight requirement, but you
only actually care about this working OOTB, then a less intrusive
approach might be to just add a dbus-send/gdbus/busctl ExecStartPost=
to lxd-bridge.service that does the SetLinkDomains() call.

I initially thought about lxd just dropping a resolvconf hook, but
that doesn't work I think: /etc/resolv.conf has no syntax for
domain-specific DNS servers, so we need to use a richer API like
dnsmasq or resolved for these.

Would either approach work for you, or do we need something different?

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
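Added example (editor's addition, not part of Martin's mail or of LXD): a
shell script that does the ExecStartPost= variant sketched above, i.e.
pushes one DNS server and one routing domain for a bridge into resolved
over D-Bus with busctl, without a .network file and without running
networkd. Assumptions not taken from the thread: the bridge is lxdbr0,
dnsmasq listens on 127.0.0.1, the domain is "lxd", and resolved's Manager
methods are SetLinkDNS(i ifindex, a(iay) addresses) and
SetLinkDomains(i ifindex, a(sb) domains), where the boolean in (sb) is the
route-only flag that corresponds to the "~lxd" spelling of Domains=. The
script defaults to printing the busctl command lines; run it with RUN set
to the empty string as root (or with a polkit grant for
org.freedesktop.resolve1.set-dns-servers and set-domains) to apply them.

```shell
#!/bin/sh
# Push per-link DNS settings for a bridge into systemd-resolved via busctl.
# Editor's example; interface, server, domain and the wiring into
# lxd-bridge.service below are assumptions, not LXD's actual unit:
#   [Service]
#   ExecStartPost=/usr/local/sbin/lxd-resolved.sh
#
# RUN defaults to "echo" (dry run). Set RUN to the empty string to execute.
RUN=${RUN-echo}

RESOLVED_DEST=org.freedesktop.resolve1
RESOLVED_PATH=/org/freedesktop/resolve1
RESOLVED_IFACE=org.freedesktop.resolve1.Manager

# resolved keys links by kernel ifindex; read it from sysfs.
link_ifindex() {
    cat "/sys/class/net/$1/ifindex" 2>/dev/null
}

# ifindex must be a positive integer; 0 is never a valid link and would be
# rejected by resolved, so refuse it before touching D-Bus.
valid_ifindex() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# SetLinkDNS(i, a(iay)) with exactly one IPv4 server.
# busctl encodes a(iay) as: array length, then per entry the address
# family (AF_INET = 2) followed by the byte array as its length and bytes.
setlinkdns() {
    idx=$1
    ip=$2
    # Split the dotted quad into positional parameters (after saving $1/$2).
    set -- $(printf '%s' "$ip" | tr . ' ')
    if [ $# -ne 4 ]; then
        echo "not an IPv4 address: $ip" >&2
        return 1
    fi
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) echo "bad octet in $ip" >&2; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { echo "bad octet in $ip" >&2; return 1; }
    done
    $RUN busctl call "$RESOLVED_DEST" "$RESOLVED_PATH" "$RESOLVED_IFACE" \
        SetLinkDNS 'ia(iay)' "$idx" 1 2 4 "$1" "$2" "$3" "$4"
}

# SetLinkDomains(i, a(sb)) with one domain. $3 is the route-only flag:
# "true" matches Domains= ~lxd (queries under .lxd are routed to this link
# but "lxd" is not appended to unqualified names as a search domain).
setlinkdomains() {
    $RUN busctl call "$RESOLVED_DEST" "$RESOLVED_PATH" "$RESOLVED_IFACE" \
        SetLinkDomains 'ia(sb)' "$1" 1 "$2" "$3"
}

# Configure one link: $1 interface, $2 IPv4 DNS server, $3 routing domain.
configure_link() {
    idx=$(link_ifindex "$1")
    if ! valid_ifindex "$idx"; then
        echo "no such link: $1" >&2
        return 1
    fi
    setlinkdns "$idx" "$2" && setlinkdomains "$idx" "$3" true
}

# Dry-run against lo so the script shows its output on any Linux host; the
# real unit would call: RUN= configure_link lxdbr0 127.0.0.1 lxd
configure_link lo 127.0.0.1 lxd || true
```

Two points worth checking before shipping something like this: resolved
forgets per-link settings when the link goes away, so the calls belong
after every bridge (re)start rather than in a one-shot unit, and the
route-only flag is what keeps "lxd" from leaking into search-list
expansion of unrelated short names on the host.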