#114 LLMNR should be disabled in resolved in f39
Opened a year ago by pemensik. Modified 2 months ago

I have already filed an MR on systemd, which includes some details:
https://github.com/systemd/systemd/pull/28263

I think multicast resolution like LLMNR or mDNS should not be enabled by default. Unfortunately it is in the f37 and f38 server edition. I think it would be nice to reconsider disabling them on existing releases.

But it must be disabled on the upcoming release IMO. That protocol was deprecated even by MS. What is worse, it breaks some normal unicast queries.

I expect servers are deployed in an environment without local DNS very rarely, if ever. I think people are much more often hitting regressions caused by the systemd-resolved implementation than actually using llmnr enabled by default.

I think we want llmnr disabled in all fedora releases. But especially servers should be ready to use and deploy DNSSEC, which bugs in systemd-resolved are preventing.


Metadata Update from @pboy:
- Issue assigned to pboy

5 months ago

Sorry for my late picking up this issue.

What is the current state of this in systemd and in Fedora? Isn't it already disabled or am I remembering it wrong?

I myself can't fully evaluate all the technical details. I'm not familiar enough with that. I can only rely on Fedora's technical experts (and so far it has always worked well).

systemd-resolved is still enabled by default, also with LLMNR enabled by default. Regardless of what edition it is, whether Workstation, Server or IoT. I think the only installation where it should be even considered is Workstation edition.

Multicast resolution enabled by default might have privacy implications, especially on networks which you do not fully trust, because answers are accepted from any network device, not only trusted devices explicitly specified by the network operator.

I have filed two bugs:
- Disable LLMNR resolution on Servers
- Disable LLMNR resolution on Workstation

No progress has been observed on them.
I think LLMNR is enabled on Windows only if the interface connected has been set to a trusted network type. By default it is set to Public (network) I think, where LLMNR resolution is disabled by default.

I think we would like such approach for Workstation, but I think on Server it is more appropriate to have it disabled always. Let administrator enable it if they need it.
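As an added example (not part of this ticket or of systemd's own code), the following POSIX sh script shows the resolved.conf drop-in that disables LLMNR and mDNS on a server, and a small checker that reports the effective `LLMNR=` value from resolved.conf plus its drop-ins, following systemd's rule that later files in lexical order override earlier ones. The drop-in name `10-disable-llmnr.conf` and the config-root parameter are assumptions made here; the sample config files in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket: manage the systemd-resolved drop-in that
# turns multicast resolution off, and inspect the effective LLMNR= setting.
# The drop-in file name and the optional config root argument are assumptions.

# Print the drop-in content. Both keys live in the [Resolve] section of
# resolved.conf(5); "no" disables the protocol for resolving and responding.
render_resolved_dropin() {
    printf '%s\n' '[Resolve]' 'LLMNR=no' 'MulticastDNS=no'
}

# Write the drop-in under $1 (default /etc/systemd). On a real host run as
# root and restart systemd-resolved afterwards so the setting takes effect.
install_resolved_dropin() {
    root=${1:-/etc/systemd}
    mkdir -p "$root/resolved.conf.d"
    render_resolved_dropin > "$root/resolved.conf.d/10-disable-llmnr.conf"
}

# Report the effective LLMNR= value: the main file is read first, then the
# drop-ins in lexical order, and the last assignment wins. Commented-out
# lines such as "#LLMNR=yes" are ignored. "default" means nothing sets the
# key, so the compiled-in default applies (enabled on the releases discussed).
effective_llmnr() {
    root=${1:-/etc/systemd}
    value="default"
    for f in "$root/resolved.conf" "$root"/resolved.conf.d/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*LLMNR[[:space:]]*=[[:space:]]*//p' "$f" \
            | sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    done
    printf '%s\n' "$value"
}

# Only touch the live system when explicitly asked; otherwise just report.
case "${1:-}" in
    --apply)
        install_resolved_dropin /etc/systemd
        systemctl restart systemd-resolved
        ;;
    --show)
        effective_llmnr /etc/systemd
        ;;
esac
```

Running the script with `--show` prints the value configured in files; `--apply` (as root) installs the drop-in and restarts the service. After that, `resolvectl status` shows per link whether LLMNR is still active, which is the check an administrator wants because a per-link `LLMNR=` in a .network file can still override the global setting.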

Thanks for the info! I will put it on our next Working Group meeting on Wednesday Jan 17 and announce it on our mailing list.

Metadata Update from @pboy:
- Issue tagged with: meeting

5 months ago

Metadata Update from @pboy:
- Issue untagged with: meeting

2 months ago
