systemd-resolved¶
systemd-resolved is the systemd project's system DNS resolver daemon; on Linux distributions that enable it (most modern ones), it is the local stub resolver that receives application DNS queries over D-Bus/Varlink or via its NSS module nss-resolve, forwards them to upstream recursive resolvers, and returns parsed responses.
Ordered-set response parsing¶
Unlike glibc's single-pass getanswer_r, systemd-resolved parses the entire answer section into an ordered set of DnsAnswerItem records before doing any lookup work:
```c
typedef struct DnsAnswerItem {
        DnsResourceRecord *rr;
        DnsAnswerFlags flags;   // which section it came from
        // ... metadata
} DnsAnswerItem;

typedef struct DnsAnswer {
        unsigned n_ref;
        OrderedSet *items;
} DnsAnswer;
```
When following a CNAME chain, it searches the full set for the next hop rather than walking linearly, so the on-wire order of records inside the answer section does not affect correctness. This is the defensive implementation: it treats the answer section as a bag of records plus metadata, and reconstructs the chain from record content rather than record position.
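The two parsing styles side by side, as an added example (not systemd-resolved's or glibc's code): `Rr`, `resolve_set` and `resolve_sequential` are hypothetical names, the records are constructed, and a flat array stands in for the ordered set.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { T_A = 1, T_CNAME = 5 };                 /* DNS RR type codes */
typedef struct { const char *owner; int type; const char *data; } Rr;

/* Constructed sample answers: same two records, different wire order. */
static const Rr CNAME_FIRST[] = {
    { "www.example.test",  T_CNAME, "edge.example.test" },
    { "edge.example.test", T_A,     "192.0.2.10" } };
static const Rr A_FIRST[] = {
    { "edge.example.test", T_A,     "192.0.2.10" },
    { "www.example.test",  T_CNAME, "edge.example.test" } };
static const Rr LOOP[] = {                     /* CNAME loop, no address */
    { "a.example.test", T_CNAME, "b.example.test" },
    { "b.example.test", T_CNAME, "a.example.test" } };

/* Set style: every hop searches the whole answer for the current name. */
static const char *resolve_set(const Rr *rr, size_t n, const char *qname) {
    const char *name = qname;
    for (size_t hop = 0; hop <= n; hop++) {    /* at most n+1 lookups: loops end */
        const char *next = NULL;
        for (size_t i = 0; i < n; i++) {
            if (strcasecmp(rr[i].owner, name) != 0) continue;
            if (rr[i].type == T_A) return rr[i].data;
            if (rr[i].type == T_CNAME) next = rr[i].data;
        }
        if (!next) return NULL;                /* chain ends without an address */
        name = next;
    }
    return NULL;
}

/* Sequential style: one pass; a record seen before its name is expected is lost. */
static const char *resolve_sequential(const Rr *rr, size_t n, const char *qname) {
    const char *expected = qname;
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(rr[i].owner, expected) != 0) continue;
        if (rr[i].type == T_A) return rr[i].data;
        if (rr[i].type == T_CNAME) expected = rr[i].data;
    }
    return NULL;
}

int main(void) {
    const char *s = resolve_sequential(A_FIRST, 2, "www.example.test");
    printf("set:        %s\n", resolve_set(A_FIRST, 2, "www.example.test"));
    printf("sequential: %s\n", s ? s : "(no address)");
    return 0;
}
```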
Implication for 2026-01-08 1.1.1.1 incident¶
When 1.1.1.1 shipped the record-reordering regression documented in sources/2026-01-19-cloudflare-what-came-first-the-cname-or-the-a-record, applications resolving via systemd-resolved (either through its NSS module or its D-Bus/Varlink API) were unaffected, in contrast to applications going through glibc's getaddrinfo, which failed. The bag-of-records design absorbed the wire-format change that the expected-name sequential parser did not.
Design lesson¶
systemd-resolved's approach illustrates the long-tail compatibility dividend of parsing into a richer data structure up-front: the parser surface becomes robust to any legal (even if unusual) RFC 1034 ordering of records, and DNS specification clarifications at the wire level don't require a parser change. The cost is a larger in-memory object per response and a modest allocation overhead, trivial on a stub resolver with the working-set sizes typical of modern Linux systems.
Seen in¶
- sources/2026-01-19-cloudflare-what-came-first-the-cname-or-the-a-record: named as the contrast case: not affected by the 1.1.1.1 CNAME-reorder regression because of the ordered-set parse; used as the canonical wiki instance of a defensive DNS stub implementation.