Description
Background
I checked with a few Chatmail operators and there is a mixed experience of having `systemd-resolved` installed. It is an optional service that manages `/etc/resolv.conf`; as long as it is installed it can override the values in `/etc/resolv.conf`.
From what I can tell cmdeploy does not directly manage `/etc/resolv.conf`, so I do not know how `127.0.0.1` is getting in there.

`relay/cmdeploy/src/cmdeploy/__init__.py`, lines 588 to 607 in 5ba99dc
Simply installing and enabling the `unbound` service does not trigger `systemd-resolved` to do anything. If you really want to use `systemd-resolved`, the correct thing to do would be to create a drop-in such as `/etc/systemd/resolved.conf.d/unbound.conf` with the following contents:

```ini
[Resolve]
DNS=127.0.0.1
DNSSEC=yes
```

and then restart the `systemd-resolved` service. This puts the `nameserver 127.0.0.1` line into the generated resolver file as the first/primary nameserver while retaining the default ones that were provided by DHCP. (That generated file is `/run/systemd/resolve/resolv.conf`; if `/etc/resolv.conf` is the symlink to `stub-resolv.conf` it keeps listing `127.0.0.53`, and `systemd-resolved` itself is what forwards to `127.0.0.1`.) There is another step that also needs to be taken: `/etc/resolvconf/update.d/unbound` should have its executable bit removed so this hook does not execute, otherwise it will override the Unbound config and force it to forward queries to the DHCP resolvers instead of doing full recursion from the root nameservers. You risk losing DNSSEC as a result, which still matters for us because we validate DKIM.
Recommendation
There isn't a clear need for the additional capabilities that `systemd-resolved` provides. I suggest we remove the package and directly manage the contents of `/etc/resolv.conf` so we are confident what the behaviour is. Either way we should be more explicit about how the DNS resolvers are configured, as not all servers appear to have `systemd-resolved` installed.
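As an added example (not part of this issue and not cmdeploy's own code), the following POSIX shell script implements both routes described above: the `systemd-resolved` drop-in plus restart, and the recommended direct management of `/etc/resolv.conf` after removing the package. In both cases it also neutralises the `/etc/resolvconf/update.d/unbound` hook and checks which nameserver ends up first. The `RESOLVED_DROPIN_DIR`, `RESOLVCONF_HOOK` and `RESOLV_CONF` variables, the function names and the `options edns0 trust-ad` line are my choices; the `apt-get remove` step assumes a Debian 12 host, where `systemd-resolved` is its own package.

```shell
#!/bin/sh
# Added example for the chatmail DNS discussion; not cmdeploy's code.
# Makes Unbound on 127.0.0.1 the primary resolver on a Debian host, either via
# a systemd-resolved drop-in (apply_resolved) or by removing systemd-resolved
# and writing /etc/resolv.conf directly (apply_direct), and checks the result.
set -eu

# Paths are overridable (assumed names) so the file handling can be dry-run
# against a scratch directory before touching a real server.
RESOLVED_DROPIN_DIR="${RESOLVED_DROPIN_DIR:-/etc/systemd/resolved.conf.d}"
RESOLVCONF_HOOK="${RESOLVCONF_HOOK:-/etc/resolvconf/update.d/unbound}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# The resolvconf hook rewrites Unbound's forwarders to the DHCP resolvers,
# turning a full recursive, validating resolver into a plain forwarder.
# Clearing the executable bit is what the issue relies on to stop it running.
disable_resolvconf_hook() {
    if [ -e "$RESOLVCONF_HOOK" ]; then
        chmod a-x "$RESOLVCONF_HOOK"
    fi
}

# Route A: keep systemd-resolved, point it at Unbound and ask it to validate.
resolved_dropin() {
    mkdir -p "$RESOLVED_DROPIN_DIR"
    printf '[Resolve]\nDNS=127.0.0.1\nDNSSEC=yes\n' > "$RESOLVED_DROPIN_DIR/unbound.conf"
}

apply_resolved() {
    disable_resolvconf_hook
    resolved_dropin
    systemctl restart systemd-resolved
}

# Route B: no systemd-resolved at all; /etc/resolv.conf is a plain file we own.
# "trust-ad" lets glibc pass through the AD bit from the listed (local) server.
write_static_resolv_conf() {
    # systemd-resolved leaves /etc/resolv.conf as a symlink into /run; replace
    # it with a regular file rather than writing through the link.
    if [ -L "$RESOLV_CONF" ]; then
        rm -f "$RESOLV_CONF"
    fi
    printf 'nameserver 127.0.0.1\noptions edns0 trust-ad\n' > "$RESOLV_CONF"
}

apply_direct() {
    apt-get remove -y systemd-resolved   # separate package on Debian 12
    disable_resolvconf_hook
    write_static_resolv_conf
}

# Print the first "nameserver" entry of a resolv.conf-style file; non-zero if none.
primary_nameserver() {
    while read -r key value _rest; do
        if [ "$key" = "nameserver" ]; then
            echo "$value"
            return 0
        fi
    done < "$1"
    return 1
}

# Live check that the local resolver validates: the root SOA is signed, so the
# answer from 127.0.0.1 must carry the AD flag. Needs dig (bind9-dnsutils).
check_dnssec() {
    dig +dnssec +noall +comments . SOA @127.0.0.1 | grep -qE 'flags:[^;]* ad( |;)'
}

case "${1:-}" in
    resolved) apply_resolved ;;
    direct)   apply_direct ;;
    check)    primary_nameserver "$RESOLV_CONF" && check_dnssec && echo "ok" ;;
esac
```

Run it as root with `resolved`, `direct` or `check`; with no argument it only defines the functions, so the three path variables can be pointed at a scratch directory to exercise the file handling first. After either route, `check` should print `127.0.0.1` followed by `ok`; a missing AD flag means something between glibc and Unbound is still not validating.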