From ce266330fc3bd6767451ac3400336cd9acebe9c1 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Thu, 1 Jul 2021 22:11:27 +0200 Subject: [PATCH 1/2] man: stop recommending putting myhostname after dns nss-resolve also looks in /etc/hosts, and has the same local hostname resolving logic as nss-myhostname. We shouldn't recommend another order than nss-resolve uses internally. When nss-resolve is used, there's no possibility to override nss-myhostname hosts via DNS *anyway*. On top of that, it's not a good idea to allow DNS to override local hostnames as all - at least not something we should advertise in the docs. Followup of f918c67d38ba6ccd4eb0dc657f3f3155e5010cae / https://github.com/systemd/systemd/pull/16754. --- man/nss-myhostname.xml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml index 98eb0ec77e..4a33149a73 100644 --- a/man/nss-myhostname.xml +++ b/man/nss-myhostname.xml @@ -73,13 +73,12 @@ To activate the NSS modules, add myhostname to the line starting with hosts: in /etc/nsswitch.conf. - It is recommended to place myhostname either between resolve - and "traditional" modules like dns, or after them. In the first version, well-known - names like localhost and the machine hostname are given higher priority than the - external configuration. This is recommended when the external DNS servers and network are not absolutely - trusted. In the second version, external configuration is given higher priority and - nss-myhostname only provides a fallback mechanism. This might be suitable in closely - controlled networks, for example on a company LAN. + It is recommended to place myhostname after file and before dns. + This resolves well-known hostnames like localhost + and the machine hostnames locally. It is consistent with the behaviour + of nss-resolve, and still allows overriding via + /etc/hosts. + 
@@ -95,10 +94,7 @@ shadow: compat systemd gshadow: files systemd -# Either (untrusted network, see above): hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns -# Or (only trusted networks): -hosts: mymachines resolve [!UNAVAIL=return] files dns myhostname networks: files protocols: db files From 946f7ce32cef44d9bfcf2dc594bb193341434f57 Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Sat, 17 Jul 2021 19:49:42 +0200 Subject: [PATCH 2/2] man: document nss-{resolve,myhostname} resolving in the other direction, too --- man/nss-myhostname.xml | 7 ++++++- man/nss-resolve.xml | 6 ++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml index 4a33149a73..f9d0ff43f4 100644 --- a/man/nss-myhostname.xml +++ b/man/nss-myhostname.xml @@ -77,7 +77,12 @@ This resolves well-known hostnames like localhost and the machine hostnames locally. It is consistent with the behaviour of nss-resolve, and still allows overriding via - /etc/hosts. + /etc/hosts. + + Please keep in mind that nss-myhostname (and nss-resolve) also resolve + in the other direction — from locally attached IP adresses to + hostnames. If you rely on that lookup being provided by DNS, you might + want to order things differently. diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml index 97c3768100..4f9e1f9c5a 100644 --- a/man/nss-resolve.xml +++ b/man/nss-resolve.xml @@ -52,6 +52,12 @@ it is still recommended (see examples below) to keep nss-myhostname configured in /etc/nsswitch.conf, to keep those names resolveable if systemd-resolved is not running. + + Please keep in mind that nss-myhostname (and nss-resolve) also resolve + in the other direction — from locally attached IP adresses to + hostnames. If you rely on that lookup being provided by DNS, you might + want to order things differently. +
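Review bot: In the first hunk of man/nss-myhostname.xml (patch 1, `@@ -73,13 +73,12 @@`), the added sentence `It is recommended to place myhostname after file and before dns.` names a module that does not exist; the NSS module is `files`, exactly as the example line `hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns` kept by the next hunk spells it, so this should read `after files and before dns`. In the same paragraph, `the machine hostnames locally` should be singular (`the machine hostname`), and the last added line is a whitespace-only `+ ` line that leaves trailing whitespace in the XML. The substance is right: resolving localhost and the machine's own hostname before dns means an answer from an untrusted resolver can never take precedence over them, which is the trust boundary the removed "untrusted network" wording was describing, and it is the safe default to document rather than an option.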
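Review bot: In the second hunk of man/nss-myhostname.xml (patch 1, `@@ -95,10 +94,7 @@`), dropping the `# Either`/`# Or` comments and the `files dns myhostname` line leaves one example ordering that matches the rewritten recommendation, which is good; the one thing to check is that no other text still points at the removed "only trusted networks" variant, since the nss-resolve.xml hunk in patch 2 keeps the sentence `it is still recommended (see examples below) to keep nss-myhostname configured in /etc/nsswitch.conf`, which sends readers to this example block.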
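Review bot: Typo in the paragraph added to man/nss-myhostname.xml (patch 2, `@@ -77,7 +77,12 @@`): `adresses` should be `addresses`. The warning is worth keeping but is vague at the point where it matters: with the recommended `files myhostname dns` ordering, a reverse lookup of a locally attached address is answered by nss-myhostname (or nss-resolve) before the query ever reaches dns, so a PTR record published in DNS for that address is not consulted; saying `you might want to order things differently` without naming the alternative leaves the reader guessing, and the hunk could say plainly that placing `myhostname` after `dns` is the ordering that lets DNS answer reverse lookups first, at the cost of the local-name protection described just above.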
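Review bot: The paragraph added to man/nss-resolve.xml (patch 2, `@@ -52,6 +52,12 @@`) is a verbatim copy of the one added to man/nss-myhostname.xml, including the same `adresses` typo, so the two copies will drift unless they are corrected together; consider keeping the wording identical in both hunks or sharing the text between the two pages. Also, on the nss-resolve page the phrasing `nss-myhostname (and nss-resolve) also resolve` puts the page's own module in parentheses; `nss-resolve (and nss-myhostname)` reads more naturally here.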