Bind and systemd-resolved

Petr Menšík pemensik at redhat.com
Fri Apr 22 10:36:48 UTC 2022


systemd-resolved is broken in many ways. I doubt it can forward TSIG or
SIG(0) correctly. If you have a proper DNS server running on your
machine, there are not many reasons to also run systemd-resolved. If you
need it, I suggest writing a fixed /etc/resolv.conf pointing to
127.0.0.1 or ::1. Consider chattr +i /etc/resolv.conf afterwards. Do not
use the stub resolver provided by systemd if you have a better caching
server running on the same machine. I would even recommend uninstalling
it on Fedora, where that is possible. Unless you use mDNS on selected
networks only, I don't think systemd-resolved provides you any benefit.

In its default configuration, systemd-resolved even strips DNSSEC
signatures. I doubt it can handle key signatures or even updates.

On 4/18/22 07:26, Leroy Tennison via bind-users wrote:
> When I attempt “dig -t AXFR office.example.com -k
> Kexample_dns.+157+18424.key” on the DNS server (Bind 9.11) sudoed to
> root I get:
>
> ;; Couldn't verify signature: expected a TSIG or SIG(0)
> ; Transfer failed.
>
> This is an Ubuntu 18.04 system and /etc/systemd/resolved.conf has
> DNS=127.0.0.1 since the DNS server is running on it.  Systemd-resolved
> has been restarted afterward.  I've tried using an actual interface
> address but it doesn't help.  It seems dig tries to use 127.0.0.53 due
> to its being in /etc/resolv.conf and that fails even though dig for
> forward/reverse lookups works.
>
> If I add @127.0.0.1 to the above it works.  Is there a way to get this
> to work without having to do that and without setting up the entire
> network configuration using systemd?  I realize it's not a big effort
> to add @127.0.0.1, but the reason for the issue is obscure, the error
> message is misleading, and my distaste for systemd is sufficient that
> I would prefer avoiding it as much as possible.  Thanks for any
> input.
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
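An added audit helper, written for this page and not code from the thread, BIND or systemd, that checks a resolv.conf file for the situation discussed above: whether it sends dig's queries to the systemd-resolved stub at 127.0.0.53 (so a TSIG-signed AXFR never reaches the real server), whether it instead points only at the local server on 127.0.0.1/::1 as Petr suggests, and whether the file is systemd's symlink or has been made immutable with chattr +i. The function names are my own; the lsattr and readlink checks assume those tools are installed.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the thread) for resolv.conf files.

# Print the nameserver addresses in a resolv.conf-style file, ignoring
# comments (# or ;) and blank lines.
resolv_nameservers() {
    sed -e 's/[#;].*$//' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 if any nameserver is the systemd-resolved stub, 1 otherwise.
resolv_uses_stub() {
    resolv_nameservers "$1" | grep -qx '127\.0\.0\.53'
}

# Exit 0 only if every nameserver is a loopback address (127.0.0.1 or
# ::1), i.e. the file points straight at the local DNS server.
resolv_is_local_only() {
    ns=$(resolv_nameservers "$1")
    [ -n "$ns" ] || return 1
    printf '%s\n' "$ns" | grep -vqxE '127\.0\.0\.1|::1' && return 1
    return 0
}

# Emit the fixed resolv.conf content recommended in the reply.
fixed_resolv_conf() {
    printf 'nameserver 127.0.0.1\nnameserver ::1\n'
}

# Human-readable verdict for one file (default /etc/resolv.conf); also
# reports whether it is the symlink systemd installs and whether the
# immutable attribute (chattr +i) is set.
audit_resolv_conf() {
    f=${1:-/etc/resolv.conf}
    if resolv_uses_stub "$f"; then
        echo "$f: points at the systemd-resolved stub 127.0.0.53"
    elif resolv_is_local_only "$f"; then
        echo "$f: points only at the local server (127.0.0.1/::1)"
    else
        echo "$f: points at other nameservers: $(resolv_nameservers "$f" | tr '\n' ' ')"
    fi
    [ -L "$f" ] && echo "$f is a symlink to $(readlink "$f") (likely managed by systemd)"
    lsattr "$f" 2>/dev/null | awk '{ print $1 }' | grep -q i \
        && echo "$f is immutable (chattr +i)"
    return 0
}
```

Run `audit_resolv_conf` with no argument on the host to check the live file, or pass a path to inspect a copy.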