[Bug 1688757] [NEW] systemd-resolved would retry DNSSEC after some time.

allfox_wy 1688757 at bugs.launchpad.net
Sat May 6 16:40:55 UTC 2017


Public bug reported:

Greetings everyone.

I know that recently systemd-resolved switched DNSSEC to off by default. However, there is a "feature set test" function in it. I could see these in my log:
 May  6 23:27:31 lavender systemd-resolved[1127]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 10.2.5.7.
 May  6 23:27:31 lavender systemd-resolved[1127]: Using degraded feature set (UDP) for DNS server 10.2.5.7.

It looks like this "feature set test" would repeat after some time. And
during the test, it would test DNSSEC again regardless of it being turned
off explicitly, which is the so-called "DO" test.

I could still sometimes get no DNS, and I caught these logs once during
that. I can't be sure that this test is connected to my losing DNS, as I
only caught it once. I don't know how long the "grace period" is, so
can't schedule a trap to catch more.

This "DO" test cannot be disabled via configuration.

There is an upstream patch to deal with it:
https://github.com/systemd/systemd/issues/5352

While I'm not sure if it does cause some problem, I'm thinking it might
be worth cherry-picking the patch.


Additional info about my system:
lsb_release -rd:
Description:	Ubuntu 17.04
Release:	17.04

It's Ubuntu GNOME.

Package: systemd
Version: 232-21ubuntu3

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: dns dnssec systemd-resolved

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1688757
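
Added example (not part of the original report, and not systemd or Ubuntu code): a small log scanner that pairs each "Grace period over" probe with the "Using degraded feature set" line that follows it, per DNS server, and reports the gaps between probes. The sample log is constructed in the format of the two lines quoted in the report; the function names, the 30-second pairing window and the year default are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the two lines quoted in the report.
# The intervals are invented and do not reflect the real grace period.
SAMPLE_LOG = """\
May  6 23:27:31 lavender systemd-resolved[1127]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 10.2.5.7.
May  6 23:27:31 lavender systemd-resolved[1127]: Using degraded feature set (UDP) for DNS server 10.2.5.7.
May  6 23:42:33 lavender systemd-resolved[1127]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 10.2.5.7.
May  6 23:42:38 lavender systemd-resolved[1127]: Using degraded feature set (UDP) for DNS server 10.2.5.7.
May  6 23:50:00 lavender systemd-resolved[1127]: Using degraded feature set (UDP) for DNS server 10.2.5.9.
"""

LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ systemd-resolved\[\d+\]: "
    r"(?P<kind>Grace period over, resuming full|Using degraded) feature set "
    r"\((?P<features>[A-Z0-9+]+)\) for DNS\s+server\s+(?P<server>\S+?)\.\s*$"
)

def parse_events(text, year=2017):
    """Return (time, server, is_probe, feature_set) for each matching line.
    Syslog timestamps carry no year, so `year` is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())  # search() tolerates a leading line number
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            is_probe = m["kind"].startswith("Grace")
            events.append((when, m["server"], is_probe, set(m["features"].split("+"))))
    return events

def summarize(events, window_s=30):
    """Per server: probes that re-enabled DO, how many of those were followed by
    a downgrade within window_s seconds, and the seconds between probes."""
    report, last_probe, pending = {}, {}, {}
    for when, server, is_probe, features in events:
        r = report.setdefault(server, {"do_probes": 0, "fallbacks": 0, "probe_gaps_s": []})
        if is_probe:
            if server in last_probe:
                r["probe_gaps_s"].append(int((when - last_probe[server]).total_seconds()))
            last_probe[server] = when
            if "DO" in features:
                r["do_probes"] += 1
                pending[server] = when
        elif server in pending:
            if (when - pending.pop(server)).total_seconds() <= window_s:
                r["fallbacks"] += 1
    return report
```

Run over a real journal export, the probe gaps give an observed retry interval, and the timestamps of counted fallbacks can be compared against the moments name resolution failed.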
