Presentation: systemd-resolved as the default DNS resolver
What is missing to enable resolved with DNSSEC on all systemd installations?
The DNSSEC functionality in systemd-resolved is complete enough for early adopters. The D-Bus API is very flexible and allows rich functionality to be exposed to clients in a convenient and secure manner. The ability to enable or disable DNSSEC mode for individual queries allows captive portals to be handled nicely. Caching makes local clients fast. But there are also some unresolved issues: we don't have support for DNSSEC root key rollover; caching can leak information between clients; queries are sometimes sent to too many servers, leaking information; and systemd-resolved is not the default in Fedora. This talk will discuss the current status of the systemd DNS stack (what is implemented, what bugs are open), what is planned in the near future, and what else is required for universal adoption.
After discussing the status quo and the near future, I want to start a discussion on what kind of functionality is missing, and what bugs (if any) are the most pressing for the audience.