[Bug 1857639] Re: DNS server capability detection is broken and has critical consequences when DNSSEC is enabled
Dan Streetman
ddstreet at canonical.com
Tue Jan 7 19:27:30 UTC 2020
> Yes, DNSSEC is configured.
HOW do you have DNSSEC configured? Not a yes/no question.
> Logs say this:
Please include more than that; single lines don't help debug. Attach
the entire syslog if you're unsure how much to paste in.
Also please paste/attach the output of:
$ systemd-resolve --status --no-pager
and
$ journalctl --no-pager -b -u systemd-resolved
I'm specifically looking for lines like this:
"Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001"
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1857639
Title:
DNS server capability detection is broken and has critical
consequences when DNSSEC is enabled
Status in systemd package in Ubuntu:
Incomplete
Bug description:
I'm running Ubuntu 19.10
I'm on the latest version available from the repositories, systemd 242
I'm expecting upstream DNS server capabilities to be detected
correctly and DNSSEC to keep working. Alternatively I'd expect a
method of disabling capability checks instead of DNSSEC.
Currently, resolved instead suddenly misdetects features and stops
resolving altogether (fails closed, which is somewhat good).
Capability reset is a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it
is):
a. The capability detection is fixed
(https://github.com/systemd/systemd/issues/9384)
b. Force-disabling capability detection exists (this is what I also
requested here: https://github.com/systemd/systemd/issues/14435)
c. Patch Ubuntu version not to allow such a foot gun, update
documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved