key.dns_resolver

Not a direct shell command.
The key.dns_resolver is a kernel key type accessed internally by system libraries (e.g., glibc via nss-dns_resolver module) and services (e.g., systemd-resolved) to perform and cache DNS resolution.

query_string
    The specific DNS query to resolve. This string typically includes the record type (e.g., A, AAAA, PTR, SRV) and the domain name or IP address to look up. For instance, 'A example.com' requests the IPv4 address for example.com, while 'PTR 1.2.3.4' requests the hostname for the IP address 1.2.3.4. The kernel's key.dns_resolver will process this string to perform the actual DNS lookup and store the result.

The key.dns_resolver refers to a specific key type within the Linux kernel's keyring service. It is not a standalone executable command but rather a fundamental mechanism used by system libraries and services, such as glibc's Name Service Switch (NSS) or systemd-resolved, to perform and cache DNS (Domain Name System) lookups.

When a program needs to resolve a hostname, it can request the kernel to perform the lookup using this key type. The kernel then acts as a resolver, performing the DNS query and storing the authoritative answer within a kernel key. Subsequent identical queries can be served directly from this kernel-level cache, significantly improving performance and reducing network traffic.

This kernel-level caching also enhances security and integrity by ensuring that DNS responses are handled and stored within a trusted kernel space. It provides a centralized, consistent, and highly performant way for various system components to interact with DNS.

The key.dns_resolver is a kernel-internal mechanism and not a user-executable command. Its functionality relies on proper kernel configuration and often requires specific integration with user-space components like the nss-dns_resolver module for glibc or the systemd-resolved service. Direct interaction is typically via tools like keyctl for managing kernel keys, rather than executing the resolver itself.

While it provides robust caching, care must be taken with cache invalidation and ensuring the freshness of DNS records, although the kernel attempts to respect DNS TTLs.

The key.dns_resolver key type integrates with user-space applications primarily through two main paths:

1. glibc NSS Module: The GNU C Library's Name Service Switch (NSS) can be configured (in /etc/nsswitch.conf) to use the 'dns_resolver' module. When a function like getaddrinfo(3) is called, if 'dns_resolver' is listed in the 'hosts' line, glibc will attempt to use the kernel's key type for resolution. This allows legacy applications to transparently benefit from kernel-level DNS caching.

2. systemd-resolved: The systemd-resolved service, a modern network name resolution manager, can be configured to utilize the key.dns_resolver. It acts as a central point for all DNS queries on the system, forwarding them to the kernel key type for resolution and caching. This provides a unified and robust DNS resolution service across the system.

In both cases, the kernel manages the actual DNS queries, stores the results in keys with appropriate Time-To-Live (TTL) values, and serves subsequent identical queries from the cache.

The concept of kernel keyrings in Linux has existed for a long time, providing a secure place for storing various kinds of data. The dns_resolver key type was introduced to leverage this existing infrastructure for efficient and secure DNS caching. Its development is tied to the evolution of kernel keyrings and efforts to improve system-wide DNS resolution performance and integrity, often in conjunction with projects like systemd to provide a comprehensive resolution service.

keyctl(1), nsswitch.conf(5), getaddrinfo(3), systemd-resolved(8)