Bug#954490: systemd: resolved.conf "allow-downgrade" doesn't work
On Sat, Apr 04, 2020 at 10:41:31AM +0300, Fanis Dokianakis wrote:
> I confirm that this bug exists after upgrading systemd. Systemd-resolved
> *sometimes* does not downgrade and SERVERFAILS on all domains that do not
> have a signature dns record.

That's not what "allow-downgrade" means. The downgrade happens when the
configured DNS server does not support DNSSEC, not when some domain has an
invalid signature.

> The error with resolvectl query is
> $ resolvectl query example.domain
> example.domain: resolve call failed: DNSSEC validation failed: no-signature

Please give an actual domain name that fails resolution. Not providing a
reproducer just makes this harder for anyone trying to resolve this.

Zbyszek
I confirm that this bug exists after upgrading systemd. Systemd-resolved
*sometimes* does not downgrade and SERVERFAILS on all domains that do not
have a signature DNS record.

The error with resolvectl query is

$ resolvectl query example.domain
example.domain: resolve call failed: DNSSEC validation failed: no-signature

$ resolvectl reset-server-features
or
$ resolvectl flush-caches

This is a problem that can only be corrected by passing dnssec=no to all
interfaces (even ones with no DNS server) or globally in the configuration
and restarting systemd-resolved.

Happens with both:
systemd 245 (245.2-1)
systemd 245 (245.4-1)

My DNS resolver is an unmodified OpenWrt (dnsmasq) router which forwards to
1.1.1.1.
Control: severity -1 normal
Control: tags -1 moreinfo

On 22.03.20 at 08:44, Nicola wrote:
> Package: systemd
> Version: 244.3-1
> Severity: important
>
> Dear Maintainer,
>
> The default DNSSEC="allow-downgrade" doesn't work and the result is that DNS
> queries don't work.
>
> Temporarily fixed by forcing DNSSEC="no"

You probably need to describe your problem in more detail (and include debug
log files etc.) for this to be a useful and actionable bug report.
"doesn't work" is not particularly helpful.
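As an added diagnostic example (not part of this bug thread and not systemd project code), the following POSIX shell script gathers the two things the maintainers ask for in the replies above: whether the configured upstream resolver (the OpenWrt/dnsmasq router in Fanis's report) actually passes DNSSEC data, which is the condition under which "allow-downgrade" falls back to plain DNS, and a debug-logged reproduction of the failing query. It assumes a systemd host with resolvectl, journalctl and dig (bind9-dnsutils) installed and root for changing the service log level; the dig-based capability probe is an approximation of resolved's own server feature probing, and the server address, zone and domain are placeholders passed on the command line.

```shell
#!/bin/sh
# Added diagnostic script (not from the bug report or systemd). Assumes a
# systemd host with resolvectl, journalctl and dig available. Upstream server,
# zone and test domain are placeholders supplied as arguments.

# Pure helper: does a dig answer section (read from stdin) contain RRSIG
# records? Exit status 0 means yes. Works on constructed input, no network.
has_rrsig() {
    grep -q '[[:space:]]RRSIG[[:space:]]'
}

# Ask the upstream server directly, with the DO bit set, for a zone's DNSKEY
# RRset. If RRSIGs come back the server passes DNSSEC data through and
# allow-downgrade keeps validating; if none come back, resolved is expected
# to downgrade that server to plain DNS. (Assumption: this approximates
# resolved's own feature probing, which also tests EDNS0 and larger packets.)
upstream_passes_dnssec() {
    server="$1"
    zone="${2:-.}"
    dig +dnssec +noall +answer @"$server" "$zone" DNSKEY | has_rrsig
}

# Reproduce a failing lookup with resolved's debug logging enabled and print
# the journal lines that show the feature-level decision and validation result.
collect_resolved_debug() {
    server="$1"
    domain="$2"

    echo "== upstream $server: DNSSEC data passed through?"
    if upstream_passes_dnssec "$server"; then echo yes; else echo no; fi

    echo "== resolved per-link DNSSEC state"
    resolvectl status | grep -iE 'Link|DNSSEC|DNS Server'

    echo "== enabling debug logging and re-probing server features"
    start=$(date '+%Y-%m-%d %H:%M:%S')
    systemctl service-log-level systemd-resolved debug
    resolvectl reset-server-features
    resolvectl query "$domain" || echo "query failed (see journal below)"

    echo "== journal since $start"
    journalctl -u systemd-resolved -b --since "$start" --no-pager \
        | grep -iE 'dnssec|feature level|rrsig|servfail'

    # Restore the default log level so the journal is not flooded afterwards.
    systemctl service-log-level systemd-resolved info
}

# Run only when invoked with arguments, e.g.:
#   sh resolved-dnssec-diag.sh 192.168.1.1 example.org
if [ "$#" -ge 2 ]; then
    collect_resolved_debug "$1" "$2"
fi
```

Attach the printed output to the bug report together with the exact domain that fails; a "no" from the upstream probe combined with validation failures in the journal is the case the maintainers distinguish from a genuinely broken signature on a single zone.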