| 16 Jun 2025 |
hexa | one that can actually validate dnssec for dane | 03:53:22 |
hexa | * one that can actually validate dnssec, e.g. for dane | 03:53:26 |
emily | resolved can talk to your resolver | 04:20:31 |
emily | (and provides services like mDNS on top) | 04:20:37 |
hexa | not interesting for my server | 04:20:58 |
hexa | * not interesting for my servers | 04:21:03 |
emily | it's pretty much the supported configuration for better or worse. like, it also provides the D-Bus resolved API etc. and works with the NSS stuff | 04:21:24 |
hexa | https://github.com/NixOS/infra/commit/67eb34a7534e9caeda495fbbfea50767a23fb8a0 | 04:21:40 |
emily | you set services.resolved.fallbackDns and ensure UseDNS=no for networks | 04:21:49 |
hexa | you could also just set services.resolved.enable = false and services.{unbound,kresd,pdns-recursor}.enable instead | 04:22:32 |
emily | sure | 04:22:39 |
hexa | they already set networking.dns.useLocalResolver | 04:22:54 |
hexa | it's just not helpful that resolved will fight useLocalResolver | 04:23:15 |
emily | but I suspect the dependencies on nss-resolve(8) and org.freedesktop.resolve1(5) will likely increase over time, that's all | 04:23:20 |
emily | path of least resistance and most functionality is to let resolved be the API frontend for your underlying recursive resolver, for better or worse | 04:23:53 |
hexa | hell no | 04:24:07 |
hexa | resolved does not perform at all | 04:24:13 |
emily | part of the problem is that getaddrinfo(3)/gethostbyname(3) are useless APIs that are even more anaemic than other OSes' native DNS APIs | 04:24:58 |
hexa | we have systems at work that will put resolved at 100% cpu with queries and it will not keep up | 04:25:14 |
emily | so tons of applications have to reimplement their own DNS to begin with | 04:25:15 |
emily | lovely | 04:25:25 |
hexa | it's such a joke | 04:25:26 |
emily | are you sure that's not because of DNSSEC? | 04:25:29 |
emily | it tries to do DNSSEC validation OOTB | 04:25:34 |
emily | if you disable that and let your local resolver handle it I would be surprised if it has much overhead | 04:25:45 |
hexa | yes, I'm sure that we didn't try to make it do DNSSEC related things 🙂 | 04:25:50 |
emily | like I said, OOTB | 04:25:57 |
emily | you have to explicitly disable it | 04:26:01 |
hexa | again | 04:26:04 |
hexa | no offense | 04:26:07 |