stop using libnss_resolve.so for name resolution
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Once we have systemd-resolved's stub DNS resolver on a solid footing everywhere (LP: #1682499; LP: #1647031), we should stop using libnss_resolve.so for name resolution and *only* use the DNS stub resolver via libnss_dns.so.
The reason is that libnss_resolve.so is non-standard, depends on more moving parts (dbus+added NSS module), and consistently masks bugs in the stub DNS resolver or its configuration that are only discovered when someone tries to use software that does not use the NSS configuration of the host (including, but not limited to, chroots; containers; software written in languages that don't use libc).
Since systemd-resolved *must* continue to provide a robust stub DNS resolver for the foreseeable future, having the dbus service in use /as well/ is unwelcome complexity that causes bugs to manifest far from the point of introduction.
Since the systemd-resolved service is currently only enabled if the libnss-resolve package is installed, this enablement logic would need to be migrated into the base systemd package.
I believe we should consider making this change even in SRU due to the pernicious effects of the current behavior. However, that will require some thought to come up with a reasonable SRU test case with low risk of regression.
Changed in systemd (Ubuntu): status: Triaged → Fix Released
Even if we don't make this change across the board in SRU, we should look at changing Ubuntu Core 16 to use only the stub resolver. This might even turn out to be the root cause of bug #1659195.
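An added example, not part of the original bug report: a small audit of the two resolution paths the description contrasts, checking whether libc lookups go through libnss_resolve ahead of libnss_dns and whether resolv.conf points only at the stub resolver. The function names, finding codes and sample file contents are constructed for illustration, and 127.0.0.53 is systemd-resolved's default stub listener address, which the page does not state.

```python
import re

# Default address of systemd-resolved's stub listener (assumption: not stated on the page).
STUB_ADDR = "127.0.0.53"

# Constructed sample files, not taken from any real host.
NSS_WITH_RESOLVE = "hosts: files resolve [!UNAVAIL=return] dns\n"
NSS_DNS_ONLY = "hosts: files dns\n"
RESOLV_STUB = "# constructed sample\nnameserver 127.0.0.53\n"
RESOLV_UPSTREAM = "nameserver 192.0.2.1\n"


def hosts_modules(nsswitch_text):
    """Return the NSS modules on the 'hosts:' line, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # Drop action items such as [!UNAVAIL=return]; keep module names.
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []


def nameservers(resolv_text):
    """Return the nameserver addresses from resolv.conf text."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def audit(nsswitch_text, resolv_text):
    """Return finding codes for the two resolution paths the bug contrasts."""
    mods, findings = hosts_modules(nsswitch_text), []
    if "resolve" in mods and ("dns" not in mods or mods.index("resolve") < mods.index("dns")):
        # libc clients reach resolved through the NSS module, so they never test the stub.
        findings.append("nss-resolve-before-dns")
    if nameservers(resolv_text) != [STUB_ADDR]:
        # Software that reads resolv.conf directly is not sent to the stub alone.
        findings.append("resolv-conf-not-stub-only")
    return findings


if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as nss, open("/etc/resolv.conf") as res:
        print(audit(nss.read(), res.read()) or "dns-only via stub")
```

Running the same audit against the files inside a chroot or container image shows whether that environment diverges from the host's NSS configuration.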