Description of problem:
resolv.conf allows configuration of number of dots in name to be treated as relative. It defaults to 1, but can be changed. We recommended it as a workaround to bind-utils search algorithm change. However, I found no way in configuration to change ndots in systemd, when it is running.

Version-Release number of selected component (if applicable):
systemd-246.6-3.fc34.x86_64

How reproducible:
always

Steps to Reproduce:
1. man resolved.conf | grep ndots

Actual results:
<none>

Expected results:
ndots can be emulated by systemd. As a workaround, it might detect ndots are used and not enable itself on such machine. Prevents breakage of unsupported options.

Additional info:
Some other options might be supported, for example use-vc. ndots would be required for openshift machines to work as before.
It was reported to bind-utils to move backward, check RHEL bug #1743572.
Thank you for the report and links.

This behaviour is on purpose. We discussed this internally, and the conclusion is that the implementation shouldn't be changed. I created a pull request upstream to clarify the documentation and explicitly say that 'ndots' are not supported, see https://github.com/systemd/systemd/pull/17415.

The situation in RHEL7 was somewhat different. I can understand that people were unhappy with a change in behaviour in an already released product. On the other hand, resolved has always behaved in this way (which matters for people who were using it before F33) and people who only start using it in F33 are facing significant changes in behaviour and to some degree expect things to behave differently, so it's good to change this (or keep changed if you will) while we have their attention. Various implementors of DNS (Bind, Windows Vista) dropped or want to drop support for the old behaviour, since it's broken in today's internet with plentiful TLDs, and we should do this too.

If it turns out that it breaks some things in a way that cannot be fixed otherwise, we can discuss an opt-in workaround similar to the ResolveUnicastSingleLabel= setting that was added to help k8s folks. But let's try not to do that.

I'll close this as UPSTREAM since the only change that is being done is in docs, and any further changes would better be discussed on the upstream mailing list.
If it is not possible to override current settings, then I think related systemd-resolved Change[1] should contain some information about change in system resolver behaviour. It was reported months ago to glibc, where I reported mismatch between original behaviour of glibc and bind-utils. When I admit it is better practice to not search names including dots, I have evidence some people rely on that feature. They reported it on RHEL 7 also.

systemd-resolved does not match old behaviour of glibc resolver.

Example:
search fedoraproject.org
requested name: src.stg

Before the change:
- src.stg. is tried first
- src.stg.fedoraproject.org. is tried second, if first does not exist

After the change:
- src.stg. is tried only
- src.stg.fedoraproject.org. is never tried. Full name must be used to reach it.

Namely:
- order of nameserver entries is not always kept. Instead, it acts like "options rotate" were used in resolv.conf. Users should be able to find something about it changed and first nameserver is not always first to query.
- search domains NEVER apply to names including dots. Because ndots is not supported, there is no workaround. Glibc resolver just switched the order, when dots >= ndots appeared in requested name.

It changes searching algorithm and it is possible some expectations would break. Please link to this bug or create paragraph in Changes [1]. Especially openshift deployments may rely on this feature, they should have some information about it. This behaviour would change when systemd-resolved is running and when it is stopped.

While I was considering proposal of similar change, once glibc would support it, I am not against the change. But it is not a minimal change, deserves documentation of behaviour change. While we cannot avoid regressions now, we should at least document the current behaviour.

1. https://fedoraproject.org/wiki/Changes/systemd-resolved
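The lookup order described in the comment above, written out as an added example that is not part of the original thread and is not glibc or systemd code. It is a simplified model built only from the behaviour stated in this bug; the function names and the sample resolv.conf are constructed for illustration.

```python
# Added illustration: simplified models, not glibc or systemd-resolved code.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not taken from the bug report
nameserver 192.0.2.53
search fedoraproject.org
options ndots:2 timeout:1
"""

def parse_resolv_conf(text):
    """Return (search_domains, ndots); ndots defaults to 1 when not set."""
    search, ndots = [], 1
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "search":
            search = fields[1:]  # the last search line wins
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def glibc_candidates(name, search, ndots=1):
    """Query order of the stub resolver as described in the thread."""
    if name.endswith("."):
        return [name]  # already absolute, search list is skipped
    absolute = name + "."
    qualified = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + qualified  # as-is first, then search list
    return qualified + [absolute]      # search list first, as-is last

def resolved_candidates(name, search):
    """systemd-resolved as described in the thread: no ndots, and the
    search list is never applied to a name that contains a dot."""
    if "." in name:
        return [name.rstrip(".") + "."]
    # Bare single-label lookups (ResolveUnicastSingleLabel=) are not modelled.
    return [f"{name}.{d.rstrip('.')}." for d in search]

def lost_candidates(name, search, ndots=1):
    """Names the old resolver would have tried that are no longer queried."""
    kept = resolved_candidates(name, search)
    return [c for c in glibc_candidates(name, search, ndots) if c not in kept]

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for name in ("src.stg", "src", "src.stg.fedoraproject.org."):
        print(name, glibc_candidates(name, search, ndots),
              resolved_candidates(name, search), lost_candidates(name, search, ndots))
```

Running `lost_candidates` over the hostnames a deployment actually uses, with the search list and ndots value parsed from its resolv.conf, lists the lookups that stop being attempted once the host switches resolvers.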
Dropping the stale needinfo. If our input is still needed, please set the needinfo again.