[opensuse] ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?
Warning! This could be a lot of "nonsense" and be a potentially reactive topic. Please don't escalate things emotionally or no one will ever understand what the facts are.
That said, I see some trends/repeated behavior+history consistent with sysd's expansion into other OS functions, so I see no reason to completely disbelieve some of the statements I've read or try to summarize below.
Does anyone know what's happening in OpenSUSE related to this? Will it be generating the same types of instability and problems?
Will opensuse still support other DNS resolvers (bind/named, dnsmasq, etc) even if they are incompatible with new sysd operation?
/There is a sysxxxd vulnerability <https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu distributions due to sysxxxd's new DNS resolver. The inclusion of the dns resolver was lamented by many on the mailing list <https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>, not without cause. All are advised to update their distribution./
New features include(**)
- taking over glibc library functions gethostbyname & getaddrinfo in nsswitch to redirect dns calls into sysd's version
- changes /etc/resolv.conf creating race conditions with various SW packages, leading to inconsistent address resolution
- turns DNS requests into XML requests fed over the sysdbus for requests and answers, duplicating DNS protocol handling code requiring sysd to keep up with DNS changes.
- does forwarding-only & relies on DHCP for a full DNS server stripping off DNS security records in the process so sysd-local changes can't be detected by local applications.
- scans for its own group of DNS servers on all interfaces and sends out DNS queries on all ports using "first-received" answers vs. authoritative answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned DNS info.
- believed not to handle split DNS schemes needed for VPN setups to work correctly.
(**- https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)
Apparently sysd's DNS changes haven't gone over well in terms of interoperability w/existing DNS -- a persistent theme as sysd takes on a new system function/area.
_I_ have more than a little anxiety over the idea that all alternate DNS solutions will be thrown out..
comments?
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wednesday 28 June 2017 22:49:08 CEST, L A Walsh wrote:
Warning! This could be a lot of "nonsense" and be a potentially reactive topic. Please don't escalate things emotionally or no one will ever understand what the facts are.
That said, I see some trends/repeated behavior+history consistent with sysd's expansion into other OS functions, so I see no reason to completely disbelieve some of the statements I've read or try to summarize below.
Does anyone know what's happening in OpenSUSE related to this? Will it be generating the same types of instability and problems?
Will opensuse still support other DNS resolvers (bind/named, dnsmasq, etc) even if they are incompatible with new sysd operation?
/There is a sysxxxd vulnerability <https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu distributions due to sysxxxd's new DNS resolver. The inclusion of the dns resolver was lamented by many on the mailing list <https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>, not without cause. All are advised to update their distribution./
New features include(**)
- taking over glibc library functions gethostbyname & getaddrinfo in nsswitch to redirect dns calls into sysd's version
- changes /etc/resolv.conf creating race conditions with various SW packages, leading to inconsistent address resolution
- turns DNS requests into XML requests fed over the sysdbus for requests and answers, duplicating DNS protocol handling code requiring sysd to keep up with DNS changes.
- does forwarding-only & relies on DHCP for a full DNS server stripping off DNS security records in the process so sysd-local changes can't be detected by local applications.
- scans for its own group of DNS servers on all interfaces and sends out DNS queries on all ports using "first-received" answers vs. authoritative answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned DNS info.
- believed not to handle split DNS schemes needed for VPN setups to work correctly.
(**- https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)
Apparently sysd's DNS changes haven't gone over well in terms of interoperability w/existing DNS -- a persistent theme as sysd takes on a new system function/area.
_I_ have more than a little anxiety over the idea that all alternate DNS solutions will be thrown out..
comments?
Tumbleweed's already on version 233, my bet is that the patch will be backported to Leap's 228 version.
--
Gertjan Lettink, a.k.a. Knurpht
openSUSE Board Member
openSUSE Forums Team
Hello! As I remember, openSUSE uses two network management frameworks -- Wicked (by default) and NetworkManager (as an alternative). The systemd network management subsystem is not in use and it is absent in SUSE's systemd assembly. I'm not aware of Tumbleweed (with systemd v233), but Leap (systemd v228) has no native systemd network subsystem exactly. I suppose Tumbleweed also doesn't contain the systemd network subsystem, if there are no other plans somewhere for it. Hence, Leap 42.x is not vulnerable by default.
28.06.2017 23:59, Knurpht - Gertjan Lettink writes:
Tumbleweed's already on version 233, my bet is that the patch will be backported to Leap's 228 version.
29.06.2017 01:17, Mikhail Kasimov writes:
Systemd network management subsystem is not in use and it is absent in SUSE's systemd assembly.
It is present but the service is not enabled by default.
Weird... My Leap system:
=======
k_mikhail@linux-mk500:~> systemctl status systemd-networkd.service
● systemd-networkd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
k_mikhail@linux-mk500:~> systemctl status networkd.service
● networkd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)
=======
29.06.2017 06:18, Andrei Borzenkov writes:
29.06.2017 01:17, Mikhail Kasimov writes:
Systemd network management subsystem is not in use and it is absent in SUSE's systemd assembly.
It is present but the service is not enabled by default.
29.06.2017 11:16, Mikhail Kasimov writes:
Weird... My Leap system:
=======
k_mikhail@linux-mk500:~> systemctl status systemd-networkd.service ● systemd-networkd.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead)
k_mikhail@linux-mk500:~> systemctl status networkd.service ● networkd.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead)
=======
Indeed, I was on TW when writing it. Sorry.
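The exchange above turns on a practical question: is a given openSUSE (or any Linux) host actually using systemd's resolver path at all? The following POSIX shell audit is an added example, not code from the thread or from the systemd or openSUSE projects. It checks the three things the original post's list and Mikhail's `systemctl status` output are about: whether glibc's gethostbyname/getaddrinfo are routed to systemd-resolved through the `resolve` NSS module ahead of `dns`, whether /etc/resolv.conf has been repointed at resolved's stub listener, and whether the networkd/resolved units are even present. The stub address 127.0.0.53 and the symlink targets under /run/systemd/resolve/ are systemd's own documented values; the sample file contents and unit-status text at the top are constructed for offline use (the status sample reproduces the not-found output quoted in the thread) and are not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the thread, systemd or openSUSE): which resolver
# path does this host really use?  Parsing functions take file contents or
# command output as a string so they can be run offline; audit_live_host
# applies them to the running system when invoked as `sh resolver-audit.sh --live`.

# Constructed sample inputs, not captured from any real host.
SAMPLE_NSS_RESOLVED='passwd: compat
hosts:  files resolve [!UNAVAIL=return] dns myhostname
networks: files dns'
SAMPLE_NSS_PLAIN='hosts: files dns'
SAMPLE_RESOLV_STUB='# This file is managed by systemd-resolved
nameserver 127.0.0.53
search example.test'
SAMPLE_RESOLV_PLAIN='nameserver 192.0.2.53
nameserver 192.0.2.54'
# `systemctl status` output for a unit that does not exist, as quoted in the thread.
SAMPLE_STATUS_NOTFOUND='● systemd-networkd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)'

# Exit 0 when the first "hosts:" line of an nsswitch.conf body names the
# nss-resolve module ("resolve") before "dns", i.e. gethostbyname/getaddrinfo
# are handed to systemd-resolved before the classic DNS module; exit 1 otherwise.
nss_hosts_prefers_resolve() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "resolve") { found = 1; exit }
                if ($i == "dns")     { exit }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the nameserver addresses of a resolv.conf body, one per line.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Exit 0 when the resolv.conf body sends queries to systemd-resolved's stub
# listener 127.0.0.53, exit 1 otherwise.
resolv_uses_stub() {
    resolv_nameservers "$1" | grep -qxF '127.0.0.53'
}

# Describe an /etc/resolv.conf symlink target ("" means a regular file).
classify_resolv_target() {
    case "$1" in
        /run/systemd/resolve/stub-resolv.conf) echo "systemd-resolved stub (127.0.0.53)" ;;
        /run/systemd/resolve/resolv.conf)      echo "systemd-resolved upstream list (stub bypassed)" ;;
        "")                                    echo "regular file, not a systemd-resolved symlink" ;;
        *)                                     echo "symlink to $1, not managed by systemd-resolved" ;;
    esac
}

# Print the "Loaded:" state from `systemctl status` output ("loaded", "not-found", ...).
unit_load_state() {
    printf '%s\n' "$1" | awk '$1 == "Loaded:" { print $2; exit }'
}

audit_live_host() {
    if nss_hosts_prefers_resolve "$(cat /etc/nsswitch.conf 2>/dev/null)"; then
        echo "nsswitch: resolve module precedes dns (glibc lookups go to systemd-resolved)"
    else
        echo "nsswitch: glibc lookups do not go to systemd-resolved first"
    fi
    echo "resolv.conf: $(classify_resolv_target "$(readlink /etc/resolv.conf 2>/dev/null)")"
    echo "resolv.conf nameservers: $(resolv_nameservers "$(cat /etc/resolv.conf 2>/dev/null)" | tr '\n' ' ')"
    if command -v systemctl >/dev/null 2>&1; then
        for unit in systemd-networkd.service systemd-resolved.service; do
            state=$(unit_load_state "$(systemctl status "$unit" 2>&1)")
            # newer systemd prints "Unit ... could not be found." with no Loaded: line
            [ -n "$state" ] || state="not-found"
            echo "$unit: loaded=$state active=$(systemctl is-active "$unit" 2>/dev/null || true)"
        done
    fi
    # Whoever binds UDP port 53 is the resolver that really answers local queries.
    if command -v ss >/dev/null 2>&1; then
        ss -ulpn 2>/dev/null | awk 'NR == 1 || $5 ~ /:53$/'
    fi
}

if [ "${1:-}" = "--live" ]; then
    audit_live_host
fi
```

Run it with `--live` on the host in question; a Leap system like Mikhail's reports `loaded=not-found` for both units, a regular-file /etc/resolv.conf and no `resolve` entry, which is the evidence that the USN's resolver code is not in the lookup path. The port-53 listing is the check that cannot be faked by configuration files alone: it shows which daemon (bind, dnsmasq, or resolved's stub) actually holds the socket.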
On 06/28/2017 03:49 PM, L A Walsh wrote:
_I_ have more than a little anxiety over the idea that all alternate DNS solutions will be thrown out..
comments?
The key is you don't have to use it. I have 2 Arch servers, running current systemd 232-8, but I use bind 9 w/dyndns update from dhcpcd with a normal /etc/resolv.conf generated by the resolvconf package. No problems, no issues. (same setup w/systemD for at least last 4 years)
A couple of good pages to look at alternative configs are:
https://wiki.archlinux.org/index.php/Network_configuration#Network_managers
and
https://wiki.archlinux.org/index.php/Systemd-networkd
There will be many more systemD growing pains to come, you just have to have a strategy to weather the storm. The discussion links show a lot of debate, consideration and criticisms, but in the end, somebody has to make the call. For better or for worse, that's freedesktop.org right now. systemD could be scrapped tomorrow over the 'next latest and greatest systemE' and foisted upon us all by the distros.
That's well above the openSuSE list pay-grade, but your question on what will openSuSE do for a default config is right on the money.
--
David C. Rankin, J.D.,P.E.
On 29/06/17 01:54 AM, David C. Rankin wrote:
The key is you don't have to use it.
Indeed. While the initial justification for systemd replacing (much of) SysVInit made sense, Linda has a point when she says that the developers are on a roll now trying to consume subsystems that operate perfectly well.
The issue isn't that there is a regular Bind9 and corresponding DHCP but there are alternatives as well. This is FOSS. I've used Bind9. Somewhere out there on a backup is the config (though why it couldn't be in /etc/ I don't know), but right now I run DNSMASQ. YMMV.
Is DNSMASQ 'non standard'? Well, that's arguable. It doesn't use the Bind9 config files and while it can consume /etc/resolv.conf and /etc/hosts in the same way that I expect the systemd version will via transformation to unit files the way it does /etc/fstab at present, it has never tried taking over anything else.
The thing about systemd, as David points out, is that it's compartmentalized. I may _start_ DNSMASQ (asynchronously but with dependencies) using a systemd unit file just like I start APACHE (my web server of choice among the many available) using a systemd unit file. But all that is start-up. I'm not using systemd itself as a web server. Could I? I'd be interested in finding out, perhaps experimenting ...
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
participants (6): Andrei Borzenkov, Anton Aylward, David C. Rankin, Knurpht - Gertjan Lettink, L A Walsh, Mikhail Kasimov