Bug 85397

Summary: systemd-resolved: domain and search lines missing from resolv.conf
Product: systemd Reporter: Arno Schuring <aelschuring>
Component: generalAssignee: systemd-bugs
Status: RESOLVED NOTABUG QA Contact: systemd-bugs
Severity: normal    
Priority: medium CC: bernardo.reino, flokli, kavafree, mgorny, mika.fischer, phireph0x, techniq35, xorpaul
Version: unspecified   
Hardware: x86-64 (AMD64)   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Arno Schuring 2014-10-24 08:57:52 UTC
(forwarded from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766413)

It seems systemd-resolved (Debian version 215-5) is not writing any domain suffixes into its resolv.conf file:

$ cat netif/leases/4:
# This is private data. Do not parse.
ADDRESS=172.22.15.58
NETMASK=255.255.255.0
ROUTER=172.22.15.5
SERVER_ADDRESS=172.22.15.5
NEXT_SERVER=0.0.0.0
DNS=172.22.21.5 172.22.21.7
NTP=172.22.21.5 172.22.21.19
DOMAINNAME=intra.loos.site
$ cat resolve/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 172.22.21.5
nameserver 172.22.21.7
nameserver 172.22.21.5
# Too many DNS servers configured, the following entries may be ignored
nameserver 172.22.21.7
nameserver 2a01:4f8:161:4109::6
nameserver 2001:4ba0:cafe:383::1
nameserver 2a00:1768:1005:1000:1000:1000:e621:4948

It also seems that systemd-networkd is not writing out any SEARCH directives either, as my dhcpd.conf contains the following:
   option domain-name "intra.loos.site";
   option domain-search "loos.site";
I would have expected to see both domains present in the netif/leases file. This works fine with both ISC's dhcp client and Busybox' udhcp.

Finally, it would be nice if resolved would notice duplicate nameservers on
separate interfaces (wireless and wired in my case) and not write them out
twice.
Comment 1 Zbigniew Jedrzejewski-Szmek 2014-10-30 23:52:53 UTC
Please retest with systemd-217. There were various fixes post 215.

Commit 87f5a19343acf8ba697acc5a62bdb1a2b8c9eda3 should fix the duplicate servers at least.
Comment 2 Arno Schuring 2014-11-08 11:37:14 UTC
That's going to have to wait a while, as this is my work machine and I don't feel comfortable recompiling PID1 on that. I'll see if Debian can provide a newer version in experimental, but I suspect the maintainers have other priorities right now, given Debian's release freeze.
Comment 3 Arno Schuring 2014-11-08 22:49:54 UTC
Using current git HEAD, -networkd is still not writing out any domain search lists into its leases file. Starting systemd-resolved fails to start entirely with no errors logged, but starting it manually (as root) gives the following error messages:

Using system hostname '$(hostname)'.
Failed to register name: Permission denied
Could not create manager: Permission denied

All releases after 215 have this same behaviour. Note that I tested this with 215 still running as PID1, I did not replace any of the binaries on the system except for the -networkd and -resolved daemons. That may be why newer -resolved versions failed to start, but that is not obvious to me from the output.
Comment 4 Arno Schuring 2014-11-08 22:53:37 UTC
(In reply to Arno Schuring from comment #3)
> Starting systemd-resolved fails to start entirely with no errors logged

For clarity, I meant "starting systemd-resolved as a service", i.e. installing the newly compiled binary over the original one in /lib/systemd, then issuing systemctl start systemd-resolved.
Comment 5 Lennart Poettering 2014-11-10 19:21:44 UTC
(In reply to Arno Schuring from comment #3)

> entirely with no errors logged, but starting it manually (as root) gives the
> following error messages:
> 
> Using system hostname '$(hostname)'.
> Failed to register name: Permission denied
> Could not create manager: Permission denied
> 
> All releases after 215 have this same behaviour. Note that I tested this
> with 215 still running as PID1, I did not replace any of the binaries on the
> system except for the -networkd and -resolved daemons. That may be why newer
> -resolved versions failed to start, but that is not obvious to me from the
> output.

You need to install the dbus policy file for resolved as well, the binary alone won't be enough.
Comment 6 Arno Schuring 2014-11-17 19:03:24 UTC
(In reply to Lennart Poettering from comment #5)
>
> You need to install the dbus policy file for resolved as well, the binary
> alone won't be enough.

Thanks, that helps. With that change (copying src/resolve/org.freedesktop.resolve1.conf to /etc/dbus/system.d/), the -resolved from HEAD starts without issue, however it still doesn't write any domain or search lists. It makes no difference which -networkd I use.

I'm not at home so I can't test the duplicate name servers issue, but I do notice this:

$ grep ^DNS /run/systemd/netif/leases/* /etc/systemd/resolved.conf 
/run/systemd/netif/leases/4:DNS=10.52.0.10 10.0.0.23 10.0.0.17
/etc/systemd/resolved.conf:DNS=2a01:4f8:161:4109::6 2001:4ba0:cafe:383::1
$ cat /etc/resolv.conf 
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 10.0.0.23
nameserver 2001:4ba0:cafe:383::1
nameserver 10.0.0.17
# Too many DNS servers configured, the following entries may be ignored.
nameserver 2a01:4f8:161:4109::6
nameserver 10.52.0.10

That is, the current HEAD version reorders the nameserver list. It mixes dhcp-provided resolvers with static ones, and it puts the local dns server last, even though it was listed first in the dhcp answer.
Comment 7 Lennart Poettering 2014-12-09 00:34:39 UTC
*** Bug 85555 has been marked as a duplicate of this bug. ***
Comment 8 Ridai Govinda Pombo 2015-01-30 02:20:04 UTC
Its still happening on 218. Will it have a fix soon?
Comment 9 phireph0x 2015-03-22 04:48:22 UTC
I can confirm that this bug still exists in Arch Linux ARM, running systemd 218-2.
Comment 10 Anton Leontiev 2015-05-13 09:45:02 UTC
Does not confirm issue on ArchLinux x86_64, systemd 219-6. Did you add "UseDomains = yes" to "[DHCP]" section in /etc/systemd/network/your.network? Without it resolved did not add domain suffixes.
Comment 11 Mika Fischer 2015-05-13 09:52:08 UTC
Can also confirm that this is fixed by setting "UseDomains" to true.

I wonder why this is not enabled by default.
Comment 12 Zbigniew Jedrzejewski-Szmek 2015-05-18 11:28:58 UTC
It defaults to off, because of security considerations.

When 'domain' or 'search' are set, the resolver will attempt to resolve any name using it. In principle this a rogue dns server to spoof domain names.

But rereading things again, I think the concern is overstated, and we can safety set UseDomains=yes by default. I'll continue the thread on the mailing list.
Comment 13 Zbigniew Jedrzejewski-Szmek 2015-05-19 02:36:38 UTC
OK, we discussed it a bit on the mailing list [https://www.mail-archive.com/systemd-devel@lists.freedesktop.org/msg31563.html]:

> Altering the search paths is inherently something that makes no sense 
> on public networks, it only makes sense if you know your network well, 
> and trust it to some level. Hence opt-in sounds like the better option

Documentation is extended a bit to make this more visible:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=e88d8021ba.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.