LinuxCommandLibrary

key.dns_resolver

Configure DNS resolution using systemd-resolved

SYNOPSIS

keyctl add dns_resolver <description> '<payload>' [<dest_keyring>]

PARAMETERS

description
    Unique string name for the resolver key (e.g., mycompany.dns)

payload
    Multi-line text block defining nameservers, search domains, and options

dest_keyring
    Target keyring ID or name (defaults to the current session keyring; e.g., @s, @p, @u:<uid>)

DESCRIPTION

key.dns_resolver is a special kernel key type in Linux's key management facility, used to store DNS resolver configurations directly in the kernel keyring. This lets kernel subsystems (NFSv4 hostname resolution for referrals and ID mapping, and other network filesystems) perform DNS lookups independently of userspace resolvers such as systemd-resolved or nscd.

It supports features like multiple nameservers with UDP/TCP protocols, search domains, and resolv.conf-like options (e.g., ndots, timeout, attempts). Keys are typically added via keyctl, often loaded automatically via /etc/request-key.conf upcalls. This avoids userspace dependencies, improving performance and security in containerized or embedded environments.

Once added, the key is referenced by its description string in kernel code. Permissions follow keyring ACLs, restricting access to authorized processes. It is widely used in enterprise NFS setups that require DNSSEC or custom resolvers.

CAVEATS

The payload format must exactly match kernel expectations, or the addition fails silently.
Requires a kernel built with CONFIG_DNS_RESOLVER=y.
Keys auto-expire unless a timeout is set via keyctl timeout.
Not for userspace apps; kernel-only.

PAYLOAD FORMAT

Lines of:
- nameserver <IP> <UDP|TCP> (multiple OK)
- search <domain> (multiple OK)
- options <opt1> <opt2> (e.g., ndots:1 timeout:1 attempts:2)

EXAMPLE USAGE

keyctl add dns_resolver corp.dns 'nameserver 10.0.0.1 UDP
nameserver 10.0.0.2 TCP
search corp.com
options ndots:2' @p
Verify: keyctl list @p | grep dns_resolver
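Because a malformed payload is rejected without any error (see CAVEATS), it is worth building and checking the payload before calling keyctl. The following script is an added example, not part of this page or of keyutils: it assembles a payload in the line format given under PAYLOAD FORMAT, validates every line against that grammar, and only then runs keyctl add. The function names (build_dns_payload, validate_dns_payload, load_dns_resolver_key), the DNS_RESOLVER_APPLY switch, and the 10.0.0.x / corp.com values are all constructed for illustration; the IP check accepts IPv4 dotted quads only.

```shell
#!/bin/sh
# Added example (not from the page or keyutils). Builds and checks a
# key.dns_resolver payload before handing it to keyctl, because a payload
# that does not match the expected format is dropped silently.

# Emit one payload line per argument:
#   ns=IP/PROTO      -> "nameserver IP PROTO"
#   search=DOMAIN    -> "search DOMAIN"
#   opt=NAME:VALUE   -> collected onto a single trailing "options" line
build_dns_payload() {
    opts=""
    for arg in "$@"; do
        case "$arg" in
            ns=*)
                spec="${arg#ns=}"
                printf 'nameserver %s %s\n' "${spec%/*}" "${spec#*/}"
                ;;
            search=*)
                printf 'search %s\n' "${arg#search=}"
                ;;
            opt=*)
                opts="$opts ${arg#opt=}"
                ;;
            *)
                printf 'build_dns_payload: unknown argument %s\n' "$arg" >&2
                return 1
                ;;
        esac
    done
    [ -n "$opts" ] && printf 'options%s\n' "$opts"
    return 0
}

# Check every line of the payload in $1 against the PAYLOAD FORMAT grammar.
# Returns 0 when all lines are well formed, 1 (with a message on stderr)
# otherwise. Only the options the page lists (ndots, timeout, attempts)
# are accepted; IPv4 dotted quads only (constructed limitation).
validate_dns_payload() {
    printf '%s\n' "$1" | {
        set -f   # no globbing while splitting fields with "set --"
        n=0
        while IFS= read -r line; do
            n=$((n + 1))
            case "$line" in
                "") continue ;;
                "nameserver "*)
                    set -- $line
                    [ $# -eq 3 ] || { echo "line $n: nameserver needs <IP> <UDP|TCP>" >&2; exit 1; }
                    case "$2" in *[!0-9.]*|"") echo "line $n: bad IPv4 address $2" >&2; exit 1 ;; esac
                    case "$3" in UDP|TCP) ;; *) echo "line $n: protocol must be UDP or TCP" >&2; exit 1 ;; esac
                    ;;
                "search "*)
                    set -- $line
                    [ $# -eq 2 ] || { echo "line $n: search takes exactly one domain" >&2; exit 1; }
                    ;;
                "options "*)
                    set -- $line; shift
                    for o in "$@"; do
                        case "$o" in
                            ndots:[0-9]*|timeout:[0-9]*|attempts:[0-9]*) ;;
                            *) echo "line $n: unknown option $o" >&2; exit 1 ;;
                        esac
                    done
                    ;;
                *)
                    echo "line $n: unknown directive: $line" >&2; exit 1 ;;
            esac
        done
        exit 0
    }
}

# Validate, then add the key as <description> to keyring $3 (default @s).
# keyctl is only invoked when DNS_RESOLVER_APPLY=1 is set; otherwise the
# command is printed as a dry run (constructed switch for this example).
load_dns_resolver_key() {
    desc=$1; payload=$2; keyring=${3:-@s}
    validate_dns_payload "$payload" || return 1
    if [ "${DNS_RESOLVER_APPLY:-0}" = "1" ]; then
        keyctl add dns_resolver "$desc" "$payload" "$keyring"
    else
        printf 'dry run: keyctl add dns_resolver %s <payload> %s\n' "$desc" "$keyring"
    fi
}

# Usage: rebuild the page's corp.dns example and load it into @p.
payload=$(build_dns_payload ns=10.0.0.1/UDP ns=10.0.0.2/TCP search=corp.com opt=ndots:2)
load_dns_resolver_key corp.dns "$payload" @p
```

Running the script as-is prints the dry-run line; set DNS_RESOLVER_APPLY=1 to actually add the key, then confirm with the Verify command above. The validator is deliberately strict: rejecting anything outside the documented grammar up front turns a silent kernel-side failure into a visible error with a line number.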

HISTORY

Introduced in Linux kernel 2.6.32 (late 2009) by David Howells for kernel-internal DNS support in NFS. Enhanced in 3.x series with TCP support and more options. Keyutils 1.5+ fully supports management.

SEE ALSO

keyctl(1), add_key(3), request-key(8), keyrings(7), nfs(5)
