[knot-resolver-users] Running knot-resolver with only kresd-tls.socket

Message "moved" from [knot-dns-users] to [knot-resolver-users]: -------- Forwarded Message -------- Subject: [knot-dns-users] running knot-resolver with only kresd-tls.socket Date: Sat, 16 Mar 2019 13:36:50 -0000 (UTC) From: Daniel Lublin <daniel(a)lublin.se> To: knot-dns-users(a)lists.nic.cz Ahoj, I'm tinkering with running knot-resolver for DNS-over-TLS (only). My kresd@1 is listening on the public interface by using a drop-in override file, following kresd.systemd(7) (kresd-tls.socket.d/override.conf). Thing is, I would like knot to not listen on port 53 on any interface, not even localhost. But this is precisely what it does. I naively tried to stop it from doing so, first with a kresd.socket.d/override.conf with: [Socket] ListenStream= But that failed with journalctl -u kresd.socket containing `kresd.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.` And also by trying to disable that "socket-unit", with a kresd(a)1.service.d/override.conf containing: [Service] Sockets= Sockets=kresd-tls.socket Sockets=kresd-control(a)%i.socket But that did nothing. Finally, using `systemctl mask kresd.socket` I get it to stop listening on (localhost) port 53. But then instead systemd find itself in "degraded" mode... Any tip on how to accomplish this cleanly?