DANE, Ubuntu 18.04 LTS, and systemd-resolved?

In my very own app, I followed the tutorial, part 6 for LibUnbound
<https://www.unbound.net/documentation/libunbound-tutorial-6.html>. For
years, this worked fine. Since Ubuntu 17.04, all my queries return
bogus. Please, could someone comment/answer the following question:
<https://github.com/systemd/systemd/issues/4621#issuecomment-264701140>

Quoting Alexander Traud via Unbound-users <unbound-users@unbound.net>:

> In my very own app, I followed the tutorial, part 6 for LibUnbound
> <https://www.unbound.net/documentation/libunbound-tutorial-6.html>. For
> years, this worked fine. Since Ubuntu 17.04, all my queries return
> bogus. Please, could someone comment/answer the following question:
> <https://github.com/systemd/systemd/issues/4621#issuecomment-264701140>

I have installed some 18.04 lately and played around with DNSSEC (Laptop System). The "native" DNSSEC of systemd-resolved seems far from reliably working; most of the DNSSEC-secured sites were failing behind some consumer-grade DSL router if systemd-resolved is used without an additional resolver. That said, installing "unbound" from the repository put the Unbound 127.0.0.1 address in /etc/resolv.conf and fixed at least the browser lookups. To my understanding of the systemd-resolved workings this should also set 127.0.0.1 (unbound) as the globally used DNS resolver for systemd-resolved, but that would not prevent systemd-resolved from additionally using per-interface DNS resolvers configured by DHCP, which might not be able to fix the DNSSEC part missing in systemd-resolved.

Regards

Andi

> installing "unbound" from repository put the Unbound 127.0.0.1 address
> in /etc/resolv.conf and fixed at least the browser lookups.

Yes, using Unbound instead is a good idea. Actually, that was my default
setup previously. However, in Ubuntu 18.04 LTS, /etc/resolv.conf is
auto-generated and any added DNS entry vanishes sooner or later, at least
in my tests. Therefore, my workaround was to change the symbolic link
/etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
/etc/resolv.conf -> ../run/systemd/resolve/resolv.conf
which is mentioned in
$ man systemd-resolved.service

In that non-stub configuration file, after installing Unbound, any
previously set server is overwritten with "127.0.0.1". However, changing
a symbolic link manually (although documented in a
man page) is a workaround for me and not the way it should work.

Anyway, I searched a bit more in the man pages, and
$ sudo apt install resolvconf
seems to do the trick because it changes the symbolic link
/etc/resolv.conf -> ../run/resolvconf/resolv.conf
automatically and therefore avoids systemd-resolved, too.

I have to test that in the long term. Looks promising. However, that
means every executable which needs RRSIG has to declare a dependency
on the package resolvconf nowadays. That should be reported to Debian.
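A small diagnostic, added here as an example (it is not from the thread and not part of Unbound or systemd), that reports which of the symlink targets discussed above /etc/resolv.conf currently points at and which listeners a libunbound-based program would therefore be handed. The function names and the classification labels are my own; the path argument is optional so the functions can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Report the resolver configuration a program reading resolv.conf will see.

# Classify the symlink target of resolv.conf into the variants from the thread:
# systemd stub (127.0.0.53 listener), systemd upstream list, resolvconf, or a
# plain static file.
resolv_mode() {
    path="${1:-/etc/resolv.conf}"
    if [ -L "$path" ]; then
        target=$(readlink "$path")
    else
        target="(regular file)"
    fi
    case "$target" in
        */systemd/resolve/stub-resolv.conf) echo "systemd-stub" ;;
        */systemd/resolve/resolv.conf)      echo "systemd-upstream" ;;
        */resolvconf/resolv.conf)           echo "resolvconf" ;;
        "(regular file)")                   echo "static" ;;
        *)                                  echo "unknown" ;;
    esac
}

# Print the nameserver addresses in the file the path (or symlink) resolves to.
resolv_nameservers() {
    path="${1:-/etc/resolv.conf}"
    awk '$1 == "nameserver" { print $2 }' "$path"
}

# True when the systemd-resolved stub listener is among the nameservers; that is
# the configuration under which the libunbound validation in the thread returned
# bogus. 127.0.0.1 alone (Unbound) is the configuration the poster wanted.
resolv_uses_stub_listener() {
    resolv_nameservers "$1" | grep -qxF '127.0.0.53'
}

# Human-readable summary of the three checks above.
resolv_report() {
    path="${1:-/etc/resolv.conf}"
    echo "mode: $(resolv_mode "$path")"
    echo "nameservers: $(resolv_nameservers "$path" | tr '\n' ' ')"
    if resolv_uses_stub_listener "$path"; then
        echo "note: lookups go through the systemd-resolved stub (127.0.0.53)"
    fi
}
```

Source the file and call `resolv_report` with no argument to inspect the live /etc/resolv.conf.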