Hi,
I am writing looking for some help with a setup where the local lan has
a machine with knot resolver and some of the hosts that are connected to
the LAN are ubuntu machines that by default use systemd-resolved as a
local caching stub resolver. For some reasons this combination appears
troublesome and I am trying to understand all the reasons why.
One issue has already been identified as systemd-resolved, in the
ubuntu focal version, getting confused by a (correct) answer from kresd
(discussion on
https://gitlab.nic.cz/knot/knot-resolver/-/issues/686#note_234431).
Now, I find another issue in that I do not appear successful in making
systemd-resolved talk to kresd over tls. This would be important
because most of the ubuntu focal hosts are set up with systemd-resolved
using opportunistic tls. If systemd-resolved thinks that there is a problem with
contacting the current DNS server via tls then it switches to the
fallback server and kresd ends up not being used at all.
If I use `resolvectl` to set the DNS of an ubuntu host to point to the
machine with kresd and I activate DNSoverTLS, then I get:
resolvectl query lwn.net
lwn.net: resolve call failed: All attempts to contact name servers or networks failed
Similarly, if I use resolvectl to set to use opportunistic DNSoverTLS,
things seem to work, but I see on the journal some messages about
Using degraded feature set UDP for DNS server
Thus, I'd be glad to get some pointers on how to check that DNS over TLS
works correctly with kresd and how to verify why systemd-resolved fails.
Thanks!
Sergio
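As an added example (not from the original post or from the Knot Resolver project), a small Python client that does what strict and opportunistic DNS-over-TLS amount to on the wire (RFC 7858: TLS to port 853, each DNS message prefixed by a 2-byte length), with or without certificate verification, so a TLS handshake failure can be told apart from a DNS-level failure. It assumes kresd already has a TLS listener on port 853; the server address, query name and certificate hostname are values you supply.

```python
import socket
import ssl
import struct

def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (one question, RD set) for qname/qtype."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_response(data: bytes, txid: int) -> dict:
    """Decode the DNS header: id match, QR bit, RCODE and answer count."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id_ok": rid == txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TLS may deliver in chunks)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full DNS message")
        buf += chunk
    return buf

def dot_query(server: str, qname: str, port: int = 853,
              hostname: str = None, cafile: str = None) -> dict:
    """Query a DNS-over-TLS server (RFC 7858: TLS on 853, 2-byte length prefix).
    hostname set -> strict mode (certificate chain and name are verified);
    hostname None -> opportunistic mode (TLS without verification)."""
    ctx = ssl.create_default_context(cafile=cafile)
    if hostname is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    txid = 0x4B52
    q = build_query(qname, txid=txid)
    # A failure here is a TLS problem; a bad rcode below is a DNS problem.
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack(">H", len(q)) + q)
            (n,) = struct.unpack(">H", recv_exact(tls, 2))
            info = parse_response(recv_exact(tls, n), txid)
            info["tls_version"] = tls.version()
            return info
```

Call `dot_query("192.0.2.53", "lwn.net")` (placeholder address) for an opportunistic check, and add `hostname="resolver.example"` plus `cafile=` pointing at the CA that signed the kresd certificate to reproduce a strict-mode check; an `ssl.SSLError` from the handshake versus a non-zero `rcode` in the result tells you which layer is failing.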