[Bug 1628778] Re: systemd-resolved: after network reconnection, DNSSEC unsigned zones treated as bogus, stop resolving

Martin Pitt martin.pitt at ubuntu.com
Thu Oct 6 05:59:21 UTC 2016


Bug 1588230 and bug 1624071 are fixed now. I'm fairly sure I understand
bug 1624317 (and it would be fixed in yakkety now), and bug 1449001 is
not actually a malfunction but just some disagreement about a builtin
fallback if no DNS servers are configured (and thus fairly irrelevant
really).

This bug is relevant, of course, thanks for the report. There are still
several known problems with DNSSEC, and thus the plan had been from the
start to enable it during the development series and disable it shortly
before the release (which happened a few days ago). The point was to
learn about bugs in practice. So 16.10 ships with disabled DNSSEC, which
is no worse than the default "dns" nss plugin (i.e. libc itself).


** Bug watch added: github.com/systemd/systemd/issues #4175
   https://github.com/systemd/systemd/issues/4175

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/4175
   Importance: Unknown
       Status: Unknown

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1628778

Title:
  systemd-resolved: after network reconnection, DNSSEC unsigned zones
  treated as bogus, stop resolving

Status in systemd:
  Unknown
Status in systemd package in Ubuntu:
  New

Bug description:
  On the MIT network (which runs some ancient version of BIND 9),
  systemd-resolved stops resolving anything that isn’t DNSSEC-signed
  after I disconnect and reconnect the network. Signed zones continue to
  resolve.

  This happens with either DNSSEC=yes or the default DNSSEC=allow-downgrade.

  $ systemd-resolve github.com
  github.com: 192.30.253.113

  -- Information acquired via protocol DNS in 15.6ms.
  -- Data is authenticated: no
  $ # (disconnect and reconnect wifi)
  $ systemd-resolve github.com
  github.com: resolve call failed: DNSSEC validation failed: no-signature

  More debug information is available in my upstream report
  (https://github.com/systemd/systemd/issues/4175), which has gotten no
  response in the last week and a half.

  I’m refiling this here because I believe that this regression and
  others (bug 1588230, bug 1624071, bug 1624317, bug 1449001) indicate
  that systemd-resolved is not ready for production, and with final
  freeze just a week away, leaving systemd-resolved enabled for the
  yakkety release would be reckless. [Edit: Oh, I see that conclusion
  was already reached yesterday.]
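The thread refers to three DNSSEC modes of systemd-resolved: the strict DNSSEC=yes and the default DNSSEC=allow-downgrade that the reporter tested, and the disabled mode that 16.10 ended up shipping with. As an added illustration (not part of the bug report, nor Ubuntu's or systemd's own shipped configuration), this is the resolved.conf fragment that selects between them; the file path, section name and key come from resolved.conf(5), while the value chosen at the bottom is this example's, picked to match the state the release ended in:

```ini
# /etc/systemd/resolved.conf  (added example, not from the bug thread)
[Resolve]
# DNSSEC=yes              validate every answer; lookups fail when the
#                         upstream server does not support DNSSEC properly
# DNSSEC=allow-downgrade  validate when the upstream supports it, otherwise
#                         switch validation off automatically (the default
#                         the reporter hit the bug with as well)
# DNSSEC=no               no validation at all, which is the behaviour of
#                         the libc "dns" nss plugin that Martin compares to
DNSSEC=no
```

After changing the file, `systemctl restart systemd-resolved` applies it, and `systemd-resolve --status` reports the DNSSEC setting in effect per link, which is a quick way to confirm which mode a machine is actually running in before attributing a resolution failure to this bug.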

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1628778/+subscriptions



More information about the foundations-bugs mailing list