| 16 Jun 2025 |
 hexa | https://github.com/NixOS/infra/commit/67eb34a7534e9caeda495fbbfea50767a23fb8a0 | 04:21:40 |
 emily | you set services.resolved.fallbackDns and ensure UseDNS=no for networks | 04:21:49 |
| hexa | you could also just set services.resolved.enable = false and services.{unbound,kresd,pdns-recursor}.enable instead | 04:22:32 |
| emily | sure | 04:22:39 |
| hexa | they already set networking.dns.useLocalResolver | 04:22:54 |
| hexa | its just not helpful that resolved will fight useLocalResolver | 04:23:15 |
| emily | but I suspect the dependencies on nss-resolve(8) and org.freedesktop.resolve1(5) will likely increase over time, that's all | 04:23:20 |
| emily | path of least resistance and most functionality is to let resolved be the API frontend for your underlying recursive resolver, for better or worse | 04:23:53 |
| hexa | hell no | 04:24:07 |
| hexa | resolved does not perform at all | 04:24:13 |
| emily | part of the problem is that getaddrinfo(3)/gethostbyname(3) are useless APIs that are even more anaemic than other OS's native DNS APIs | 04:24:58 |
| hexa | we have systems at work that will put resolved at 100% cpu with queries and it will not keep up | 04:25:14 |
| emily | so tons of applications have to reimplement their own DNS to begin with | 04:25:15 |
| emily | lovely | 04:25:25 |
| hexa | it's such a joke | 04:25:26 |
| emily | are you sure that's not because of DNSSEC? | 04:25:29 |
| emily | it tries to do DNSSEC validation OOTB | 04:25:34 |
| emily | if you disable that and let your local resolver handle it I would be surprised if it has much overhead | 04:25:45 |
| hexa | yes, I'm sure that we didn't try to make it do DNSSEC related things 🙂 | 04:25:50 |
| emily | like I said, OOTB | 04:25:57 |
| emily | you have to explicitly disable it | 04:26:01 |
| hexa | again | 04:26:04 |
| hexa | no offense | 04:26:07 |
| hexa | I've been in the resolved dnssec issues years ago | 04:26:21 |
| hexa | I' | 04:26:28 |
| hexa | * I've killed dnssec support locally before it hit nixpkgs | 04:26:37 |
| hexa | because it wouldn't properly work and break resolution needlessly | 04:26:53 |
| emily | the old DNSSEC issues are pretty depressing yeah | 04:27:15 |
| hexa | systemd sometimes does to much and the developers are spread to thin | 04:27:19 |
| emily | I think they have mostly been fixed by now but systemd upstream attitude to bug reports is depressing | 04:27:29 |
