It needs to be possible to tell apart "the nss-resolve module does not exist"
(which can happen when running foreign-architecture programs) from "the queried
DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these
cases too, and only keep UNAVAIL for the cases where we cannot handle the given
address family.
This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage.
This does not change behaviour if resolved is not running, as that already
falls back to the "dns" glibc module.
Fixes #4157
group: compat mymachines systemd
shadow: compat
-hosts: files mymachines <command>resolve</command>
+hosts: files mymachines <command>resolve [!UNAVAIL=return]</command> dns
networks: files
protocols: db files
netgroup: nis</programlisting>
+ <para>This keeps the <command>dns</command> module as a fallback for cases where the <command>nss-resolve</command>
+ module is not installed.</para>
</refsect1>
<refsect1>
}
fail:
+ /* When we arrive here, resolved runs and has answered (fallback to
+ * "dns" is handled earlier). So we have a definitive "no" answer and
+ * should not fall back to subsequent NSS modules via "UNAVAIL". */
*errnop = -r;
*h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
}
enum nss_status _nss_resolve_gethostbyname3_r(
fail:
*errnop = -r;
*h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
}
enum nss_status _nss_resolve_gethostbyaddr2_r(
fail:
*errnop = -r;
*h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
}
NSS_GETHOSTBYNAME_FALLBACKS(resolve);
projects / thirdparty / systemd.git / commitdiff
