Rendered at 04:35:51 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
gucci-on-fleek 2 days ago [-]
What's the server's hostname? If it's the same as the domain that's not working, perhaps you're running into this bug [0]? If that's the case, then adding
There's this adage about consuming whatever newspaper reporting, everything seems fine and dandy, until one day they report on something in your field. Say, chemistry, and you're a chemist, and... it's all wrong. Even the basics.
My field is networking, roughly from Ethernet physicals to TCP/UDP.
systemd has no f*cking clue what they're doing on networking. You need to not use systemd-resolved, and not use systemd-networkd or systemd-timesyncd either.
I really hope they are service manager people and know how to write a service manager, and I have no counterindications on that. But don't let them touch your networking, aside from service-managing on that.
(My recommendation for DNS - on servers - would be to install unbound locally and use that. It's not great for clients since it doesn't deal well with frequently changing network connectivity, or rather, it does, but only if you restart it on network attachment change, which implies flushing all cached data.)
gucci-on-fleek 2 days ago [-]
> systemd has no f*cking clue what they're doing on networking. You need to not use systemd-resolved, and not use systemd-networkd or systemd-timesyncd either.
Can you give some more details, or do you have some examples of where systemd is bad here? Because I'm quite happy with systemd-resolved and systemd-networkd, but I admittedly know hardly anything about networking.
> [...] But don't let them touch your networking, aside from service-managing on that.
What do you recommend as an alternative then? systemd-resolved and systemd-timesyncd are easy to replace, since there is lots of good DNS/NTP software available, but systemd-networkd seems trickier: I don't like NetworkManager, I'd rather not write a bunch of ad-hoc shell scripts, and I'm not aware of any other alternatives.
eqvinox 2 days ago [-]
> Can you give some more details, or do you have some examples of where systemd is bad here?
I can't, because it's death by a thousand cuts. I remember systemd-timesyncd having security issues, but not what exactly. systemd-resolved was initially missing basic security best practices (source port randomization, if I remember correctly), despite their being well established and well known in the DNS community - AFAIK the systemd people just didn't know of them.
> systemd-networkd seems trickier
Indeed; I was primarily speaking about servers, and there my answer is: either ifupdown-ng or ifupdown2. (The latter if your networking needs are more complex.)
On client devices the choice is between bad and worse. Personally speaking, I consider NetworkManager bad and systemd-networkd worse. So I'm using NetworkManager on my laptop... it still occasionally breaks IPv6 for me.
I will admit: this is burned-in experience for me, learned over several years, and the original reasons have expired from my brain's cache. And I probably didn't give systemd-networkd much of a chance (I don't remember anything on that, for resolved and timesyncd I have at least vague bits), with that being more recent (at least for me) than systemd-resolved and systemd-timesyncd.
Is it possible it has gotten better? Definitely. But TFA indicates at least systemd-resolved hasn't.
justsomehnguy 2 days ago [-]
> systemd-resolved was initially missing basic security best practices (source port randomization, if I remember correctly), despite their being well established and well known in the DNS community
As the first paragraph states it's not a big problem for a local forwarder but all other bullet points are on the case.
fsflover 2 days ago [-]
A lot of knowledgeable people hate systemd, and I start suspecting that they have good reasons for that. However, it's extremely hard to get a good list of related substantiated facts about systemd in order to convince a larger community. If you encounter something specific, please write some kind of article about it.
eqvinox 2 days ago [-]
You're right in that I should really be able to back my position up better. I don't know if/when a situation where I have to deal with the systemd network components will come up though :/
justsomehnguy 2 days ago [-]
> in order to convince a larger community
Even if you would get such a list it would be dismissed anyway, because 'works on my machine'. Eg: see a sibling response to the OP.
vga1 2 days ago [-]
If I ever have a networking problem in a personal Linux system, it gets solved by removing the weird networking thing that the distro decided to use and move to full systemd-resolved / networkd. In my experience, that works every time.
I'm not doubting commenter's expertise. It's entirely possible that resolved and networkd are utter horror inside but still work from at least this user's POV.
kotaKat 2 days ago [-]
hot take "predictable network names" should have been a kernel flag - give us all our eth0 in peace. i shouldn't need to set a flag to get back a default feature.
just what i needed to do: configure ens328452356aflhjdslhfda to get my network going.
nubinetwork 2 days ago [-]
ln -s /dev/null /etc/systemd/network/99-default.link
Or
net.ifnames=0
Take your pick...
kotaKat 18 hours ago [-]
net.ifnames=0 should be the default: if someone needs it to be the stupid ENS nonsense, they should be the ones forced to set it to 1 at the command line, not me.
2 days ago [-]
ChocolateGod 2 days ago [-]
> hot take "predictable network names" should have been a kernel flag - give us all our eth0 in peace. i shouldn't need to set a flag to get back a default feature.
No, because the feature being on by default does nothing but make your interface names longer, but being off can be the difference between a restarted server having or not having network access because of undocumented behaviour with it's firmware causing the network interfaces to come up in different orders.
bcrl 2 days ago [-]
Personally, I find the predictable network names feature infuriating 100% of the time. Changing the name of network interfaces made nothing better, and actively made things worse for systems with a single NIC (virtually none of the systems I use with a single nic use the same name). Network interface configurations could already be bound to MAC addresses rather than names, and that had been implemented even before the enpXXX style names came into being.
Persistent ethX names were far better to me, and we had those before enpXXX via udev. At least then when I logged into a random system with a single NIC it was called eth0. With 2 NICs they were eth0 and eth1. Simple to predict, no thinking required (unless the system already had bound those names to other MAC addresses).
Usability dies by a thousand cuts. Forcing needlessly complex behaviour onto people with simple use-cases is not an improvement.
ChocolateGod 1 days ago [-]
< Persistent ethX names were far better to me
They weren't persistent, that was the problem.
JackSlateur 18 hours ago [-]
eth0 is predictable: a given system will always have the same interface for the same physical hardware
enp0s31f6 is unpredictable
The whole operation is a lie!
quectophoton 2 days ago [-]
> My recommendation for DNS - on servers - would be to install unbound locally and use that.
At least on Ubuntu 26.04, you can't easily bind Unbound on a WireGuard interface because of services dependency order, so the Unbound service errors during system boot because the WireGuard interface doesn't exist yet. And IIRC neither `ip-transparent` nor `interface-automatic` fixed it.
On Alpine Linux all this just works.
farfatched 2 days ago [-]
> There's this adage about consuming whatever newspaper reporting, everything seems fine and dandy, until one day they report on something in your field. Say, chemistry, and you're a chemist, and... it's all wrong. Even the basics.
> systemd has no fcking clue what they're doing on networking. You need to not use systemd-resolved, and not use systemd-networkd or systemd-timesyncd either.
I'm not sure how to reconcile that with enjoying each of those:
systemd-resolved is the default on many distributions, and does DNS-over-TLS stub resolution for me. What do you suggest as an alternative that handles changing network connectivity, and DoT?
* systemd-networkd is very well documented/organised. I find it pretty useful on servers.
* systemd-timesyncd doesn't seem to cause issues for me. It being an SNTP client (rather than NTP) seems appropriate for distributions. I would like to move to NTS or Roughtime at some point.
justsomehnguy 2 days ago [-]
> My recommendation for DNS - on servers - would be to install unbound locally and use that
And now your developers are running around and cursing you because nothing works anymore.
Because Docker silently retargets the interna Docker resolver to 8.8.8.8 if it sees 127.0.0.1 as a resolver address on the host.
Because people who wrote Docker have no fucking clue how the system works.
> It's not great for clients since it doesn't deal well with frequently changing network connectivity
This is is something Linux specific I guess, I run Unbound locally on my Windows laptops for years and never had a problem which would require the Unbound restart.
> which implies flushing all cached data
It doesn't really matters in 2026. Just look in your cache and note the default TTLs for like 90% of records.
eqvinox 2 days ago [-]
Running on 127.0.0.53 isn't a systemd-resolved exclusive magic trick, you can just configure unbound to do the same thing.
justsomehnguy 1 days ago [-]
Not 127/8
eqvinox 1 days ago [-]
?
justsomehnguy 20 hours ago [-]
You need to configure your resolver to anything but 127.0.0.0/8 to not to trigger Docker automatic "help".
Most of the time local resolver is bound to 127.0.0.1 just because it shouldn't be available from the network and because this is how it's always done.
The problem is what Docker actually silently break things because it's devs are too good to bother, the same thing you note about systemd devs.
Hell, it was easier to just provide internal Docker resolver on a some network Docker uses internally by default for the NAT shenanigans - but Docker devs 'knew better' and instead made it to point to a 3rd-party absolutely not related service which brokes local resolution on the containers.
eqvinox 9 hours ago [-]
Want to know a really cursed dirty little magic trick?
(as root:)
ip route add table local local 8.8.8.8/32 dev lo
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
cat <<EOF >/etc/unbound/unbound.conf.d/steal-8.8.8.8.conf
server:
interface: 8.8.8.8
EOF
service unbound restart
(before anyone asks: you don't just go add 8.8.8.8/32 as an address on lo because then that's a valid source address the system might use to send traffic out. Not having it as an actual address is the point of this trickery. Also this will work with most DNS caches, doesn't need to be unbound.)
And to be clear: I said "cursed dirty" and I mean "cursed dirty".
justsomehnguy 6 hours ago [-]
Yikes. Container resolving is still broken though.
eqvinox 5 hours ago [-]
Not if your containers are L3 routed through the host ;)
(Or did you mean resolving the names of the containers? That'd be handled through unbound-control local_data)
zaphirplane 2 days ago [-]
Some docker issues archaeology says that there was tension between docker team and redhat / systemd
burnt-resistor 2 days ago [-]
That's probably why podman exists.
ChocolateGod 2 days ago [-]
It is why Podman exists.
justsomehnguy 1 days ago [-]
Yes?
RH wanted to control the stack and Docker was the thing what sidelined RH to a mere distro provider. And don't forget about RH dips into OpenStack at that time.
Was there? I see 14 comments, of which only 3 have any value at all which are: fanf finding an irrelevant bug, oliverpool explaining the use of LetsEncrypt staging, and hexadecimal suggesting setting up expiration alerts.
The rest is:
- People bitching about systemd and replies to their bitching totaling 7 posts (literally half the comments)
- conversational detritus like "well written blog post" and the whiteboard comment
[0]: https://github.com/systemd/systemd/issues/34897#issuecomment...
My field is networking, roughly from Ethernet physicals to TCP/UDP.
systemd has no f*cking clue what they're doing on networking. You need to not use systemd-resolved, and not use systemd-networkd or systemd-timesyncd either.
I really hope they are service manager people and know how to write a service manager, and I have no counterindications on that. But don't let them touch your networking, aside from service-managing on that.
(My recommendation for DNS - on servers - would be to install unbound locally and use that. It's not great for clients since it doesn't deal well with frequently changing network connectivity, or rather, it does, but only if you restart it on network attachment change, which implies flushing all cached data.)
Can you give some more details, or do you have some examples of where systemd is bad here? Because I'm quite happy with systemd-resolved and systemd-networkd, but I admittedly know hardly anything about networking.
> [...] But don't let them touch your networking, aside from service-managing on that.
What do you recommend as an alternative then? systemd-resolved and systemd-timesyncd are easy to replace, since there is lots of good DNS/NTP software available, but systemd-networkd seems trickier: I don't like NetworkManager, I'd rather not write a bunch of ad-hoc shell scripts, and I'm not aware of any other alternatives.
I can't, because it's death by a thousand cuts. I remember systemd-timesyncd having security issues, but not what exactly. systemd-resolved was initially missing basic security best practices (source port randomization, if I remember correctly), despite their being well established and well known in the DNS community - AFAIK the systemd people just didn't know of them.
> systemd-networkd seems trickier
Indeed; I was primarily speaking about servers, and there my answer is: either ifupdown-ng or ifupdown2. (The latter if your networking needs are more complex.)
On client devices the choice is between bad and worse. Personally speaking, I consider NetworkManager bad and systemd-networkd worse. So I'm using NetworkManager on my laptop... it still occasionally breaks IPv6 for me.
I will admit: this is burned-in experience for me, learned over several years, and the original reasons have expired from my brain's cache. And I probably didn't give systemd-networkd much of a chance (I don't remember anything on that, for resolved and timesyncd I have at least vague bits), with that being more recent (at least for me) than systemd-resolved and systemd-timesyncd.
Is it possible it has gotten better? Definitely. But TFA indicates at least systemd-resolved hasn't.
https://lists.dns-oarc.net/pipermail/dns-operations/2016-Jun...
It was fixed in 2016. RFC5452 is 2009.
As the first paragraph states it's not a big problem for a local forwarder but all other bullet points are on the case.
Even if you would get such a list it would be dismissed anyway, because 'works on my machine'. Eg: see a sibling response to the OP.
I'm not doubting commenter's expertise. It's entirely possible that resolved and networkd are utter horror inside but still work from at least this user's POV.
just what i needed to do: configure ens328452356aflhjdslhfda to get my network going.
No, because the feature being on by default does nothing but make your interface names longer, but being off can be the difference between a restarted server having or not having network access because of undocumented behaviour with it's firmware causing the network interfaces to come up in different orders.
Persistent ethX names were far better to me, and we had those before enpXXX via udev. At least then when I logged into a random system with a single NIC it was called eth0. With 2 NICs they were eth0 and eth1. Simple to predict, no thinking required (unless the system already had bound those names to other MAC addresses).
Usability dies by a thousand cuts. Forcing needlessly complex behaviour onto people with simple use-cases is not an improvement.
They weren't persistent, that was the problem.
enp0s31f6 is unpredictable
The whole operation is a lie!
At least on Ubuntu 26.04, you can't easily bind Unbound on a WireGuard interface because of services dependency order, so the Unbound service errors during system boot because the WireGuard interface doesn't exist yet. And IIRC neither `ip-transparent` nor `interface-automatic` fixed it.
On Alpine Linux all this just works.
Gell-Mann amnesia effect: https://en.wiktionary.org/wiki/Gell-Mann_Amnesia_effect
> systemd has no fcking clue what they're doing on networking. You need to not use systemd-resolved, and not use systemd-networkd or systemd-timesyncd either.
I'm not sure how to reconcile that with enjoying each of those:
systemd-resolved is the default on many distributions, and does DNS-over-TLS stub resolution for me. What do you suggest as an alternative that handles changing network connectivity, and DoT?* systemd-networkd is very well documented/organised. I find it pretty useful on servers.
* systemd-timesyncd doesn't seem to cause issues for me. It being an SNTP client (rather than NTP) seems appropriate for distributions. I would like to move to NTS or Roughtime at some point.
And now your developers are running around and cursing you because nothing works anymore.
Because Docker silently retargets the interna Docker resolver to 8.8.8.8 if it sees 127.0.0.1 as a resolver address on the host.
Because people who wrote Docker have no fucking clue how the system works.
NB: see https://news.ycombinator.com/item?id=47441785 to solve the Docker issue with a local resolver.
> It's not great for clients since it doesn't deal well with frequently changing network connectivity
This is is something Linux specific I guess, I run Unbound locally on my Windows laptops for years and never had a problem which would require the Unbound restart.
> which implies flushing all cached data
It doesn't really matters in 2026. Just look in your cache and note the default TTLs for like 90% of records.
Most of the time local resolver is bound to 127.0.0.1 just because it shouldn't be available from the network and because this is how it's always done.
The problem is what Docker actually silently break things because it's devs are too good to bother, the same thing you note about systemd devs.
Hell, it was easier to just provide internal Docker resolver on a some network Docker uses internally by default for the NAT shenanigans - but Docker devs 'knew better' and instead made it to point to a 3rd-party absolutely not related service which brokes local resolution on the containers.
(as root:)
(before anyone asks: you don't just go add 8.8.8.8/32 as an address on lo because then that's a valid source address the system might use to send traffic out. Not having it as an actual address is the point of this trickery. Also this will work with most DNS caches, doesn't need to be unbound.)And to be clear: I said "cursed dirty" and I mean "cursed dirty".
(Or did you mean resolving the names of the containers? That'd be handled through unbound-control local_data)
RH wanted to control the stack and Docker was the thing what sidelined RH to a mere distro provider. And don't forget about RH dips into OpenStack at that time.
The rest is: