[Bug 1857639] Re: DNS server capability detection is broken and has critical consequences when DNSSEC is enabled
Avamander
avamander at gmail.com
Thu Jan 16 22:09:24 UTC 2020
```
systemd[1]: Starting Network Name Resolution...
systemd-resolved[1392]: Positive Trust Anchors:
systemd-resolved[1392]: . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
systemd-resolved[1392]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
systemd-resolved[1392]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 2
systemd-resolved[1392]: Using system hostname 'machine'.
systemd[1]: Started Network Name Resolution.
systemd-resolved[1392]: DNSSEC validation failed for question 0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 4.0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question 4.0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question f.4.0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN DS: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question f.4.0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN SOA: no-signature
systemd-resolved[1392]: DNSSEC validation failed for question f.4.0.f.d.1.b.9.c.c.3.2.2.0.a.c.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa IN PTR: no-signature
systemd-resolved[1392]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 8.8.8.8.
systemd-resolved[1392]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 193.40.0.12.
systemd-resolved[1392]: DNSSEC validation failed for question vesta.web.telegram.org IN DS: failed-auxiliary
systemd-resolved[1392]: DNSSEC validation failed for question vesta.web.telegram.org IN SOA: failed-auxiliary
systemd-resolved[1392]: DNSSEC validation failed for question vesta.web.telegram.org IN A: failed-auxiliary
systemd-resolved[1392]: DNSSEC validation failed for question googlehosted.l.googleusercontent.com IN SOA: failed-auxiliary
systemd-resolved[1392]: DNSSEC validation failed for question googlehosted.l.googleusercontent.com IN A: failed-auxiliary
systemd-resolved[1392]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 193.40.0.12.
systemd-resolved[1392]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 8.8.8.8.
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question api-0.core.keybaseapi.com IN AAAA: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question play.google.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question play.google.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question scontent.xx.fbcdn.net IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
```
And then I had to restart the resolver because it made the computer
unusable again.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1857639
Title:
DNS server capability detection is broken and has critical
consequences when DNSSEC is enabled
Status in systemd package in Ubuntu:
Incomplete
Bug description:
I'm running Ubuntu 19.10.
I'm on the latest version available from the repositories, systemd 242.
I'm expecting upstream DNS server capabilities to be detected
correctly and DNSSEC to keep working. Alternatively I'd expect a
method of disabling capability checks instead of DNSSEC.
Currently, instead, resolved suddenly misdetects features and stops
resolving altogether (fails closed, which is somewhat good).
Capability reset is a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it
is):
a. The capability detection is fixed
(https://github.com/systemd/systemd/issues/9384)
b. Force-disabling capability detection exists (this is what I also
requested here: https://github.com/systemd/systemd/issues/14435)
c. Patch Ubuntu version not to allow such a foot gun, update
documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved
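As an added example (not code from the bug report or from systemd), the following parses journal lines of the shape quoted above and summarises DNSSEC failure results and per-server feature-set transitions, flagging the sequence visible in the log where incompatible-server failures follow a server being restored to its full feature set. The sample lines are constructed, and the function and key names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the journal excerpt in the report (not a real capture).
SAMPLE_LOG = """\
systemd-resolved[1392]: DNSSEC validation failed for question f.4.0.f.d.ip6.arpa IN PTR: no-signature
systemd-resolved[1392]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 8.8.8.8.
systemd-resolved[1392]: DNSSEC validation failed for question vesta.web.telegram.org IN A: failed-auxiliary
systemd-resolved[1392]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 8.8.8.8.
systemd-resolved[1392]: DNSSEC validation failed for question www.facebook.com IN A: incompatible-server
systemd-resolved[1392]: DNSSEC validation failed for question play.google.com IN A: incompatible-server
"""

FAIL_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)")
DEGRADE_RE = re.compile(r"Using degraded feature set \(([^)]*)\) for DNS server (\S+)\.")
RESUME_RE = re.compile(r"resuming full feature set \(([^)]*)\) for DNS server (\S+)\.")


def summarise(lines):
    """Count failures per validation result and track each server's last announced feature set."""
    failures = Counter()               # validation result (e.g. no-signature) -> failed questions
    names = defaultdict(set)           # validation result -> names it was reported for
    feature_set = {}                   # server -> feature set resolved last announced for it
    transitions = []                   # (server, "degraded" | "full", feature set), in log order
    resumed = False                    # has any server been restored to its full feature set yet?
    incompatible_after_resume = False  # the pattern the report shows: failures continue after restore
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            name, _rtype, reason = m.groups()
            failures[reason] += 1
            names[reason].add(name)
            if reason == "incompatible-server" and resumed:
                incompatible_after_resume = True
            continue
        m = DEGRADE_RE.search(line)
        if m:
            features, server = m.groups()
            feature_set[server] = features
            transitions.append((server, "degraded", features))
            continue
        m = RESUME_RE.search(line)
        if m:
            features, server = m.groups()
            feature_set[server] = features
            transitions.append((server, "full", features))
            resumed = True
    return {"failures": dict(failures), "names": {r: sorted(n) for r, n in names.items()},
            "feature_set": feature_set, "transitions": transitions,
            "incompatible_after_resume": incompatible_after_resume}
```

Feed it `journalctl -u systemd-resolved` output line by line; a true `incompatible_after_resume` together with a non-empty `transitions` list is the state the reporter describes having to clear by restarting the resolver.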