[Bug 1952784] Re: systemd-resolved cannot do dns over tls with server using self signed certificates

Nick Rosbrook 1952784 at bugs.launchpad.net
Thu May 30 20:03:32 UTC 2024


Thank you for taking the time to report this bug and helping to make
Ubuntu better. I suspect a support site would be more appropriate, e.g.
https://askubuntu.com, or for more options please look at
https://discourse.ubuntu.com/t/community-support/709.

** Changed in: systemd (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1952784

Title:
  systemd-resolved cannot do dns over tls with server using self signed
  certificates

Status in systemd package in Ubuntu:
  Invalid

Bug description:
  While testing functionalities of knot resolver, I am experiencing
  issues in how systemd-resolved interacts with it. I have the caching
  and forwarding knot resolver running on a Debian machine and
  systemd-resolved running on an Ubuntu focal machine.

  It looks like systemd-resolved cannot communicate with kresd, when
  told to do so using dns over tls. I think that this is because kresd
  by default uses a self signed certificate for TLS and systemd-resolved
  does not like it. In fact, if I set dnsovertls on resolved and enable
  debug logging, I see in the journal entries like:

  Failed to invoke gnutls_handshake: Error in the certificate
  verification.

  and the name resolution fails:

  resolvectl query lwn.net
  lwn.net: resolve call failed: All attempts to contact name servers or networks failed

  On the other hand if I set dnsovertls to opportunistic, things seem to
  work, but the log reports that systemd-resolved is "Using degraded
  feature set UDP for DNS server".

  It is my understanding that systemd-resolved should accept self-signed
  certificates and should do certificate validation only if a special
  syntax is used for specifying the DNS server to also include a
  hostname for the DNS server (see
  https://wiki.archlinux.org/title/Systemd-resolved#DNS_over_TLS). In
  fact, the documentation of systemd-resolved seems to be a bit thin on
  the matter, particularly because I understand that behaviors are
  changing across different systemd-resolved versions.

  In any case, being able to make systemd-resolved work with DoT with
  servers using self-signed certificates would be very useful for
  testing and learning.

  Unfortunately, trying a more recent version of systemd-resolved is not
  really easy without firing up a virtual machine, because it is
  impossible to update systemd-resolved independently of the rest of the
  init system, with some obvious risk of breaking a system.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1952784/+subscriptions
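Added example, not code from the bug report, from systemd or from knot-resolver: the script below reproduces offline, with openssl, the two checks a strict DNS-over-TLS client makes on a self-signed server certificate (a chain to something in its trust store, then a hostname match, which is what the ip#hostname server syntax mentioned in the report adds), shows the trust-store change that makes the self-signed certificate pass, and prints the resolved.conf drop-in for strict and for opportunistic mode. The address 192.0.2.53, the name dns.example.test and the drop-in path /etc/systemd/resolved.conf.d/dot.conf are assumed placeholders; the ca-certificates steps in the comments are the usual Ubuntu procedure for adding a local CA, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the bug report, systemd or knot-resolver).
# Assumed placeholders: 192.0.2.53, dns.example.test, the drop-in path.
# Requires openssl 1.1.1 or newer (for -addext and -verify_hostname).
set -eu

# Drop-in for systemd-resolved. DNSOverTLS=yes is strict mode: the server
# certificate must verify against the trust store and, when the server is
# written as ip#hostname, the hostname must match the certificate as well.
# DNSOverTLS=opportunistic encrypts when the server offers TLS but falls
# back to plaintext otherwise (the "degraded feature set UDP" log line).
resolved_dropin() {
    ip=$1; host=$2; mode=$3            # host may be "" for no name check
    if [ -n "$host" ]; then dns="$ip#$host"; else dns="$ip"; fi
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=%s\n' "$dns" "$mode"
}

# Create a self-signed certificate, standing in for the one a resolver such
# as kresd generates for itself by default.
# $1 = output directory, $2 = hostname placed in CN and subjectAltName
make_self_signed() {
    openssl req -x509 -nodes -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Check 1: does the certificate verify against the trust store?
# $1 = certificate PEM, $2 = trust store PEM. Returns 0 when trusted.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: trust store plus hostname, i.e. what DNS=ip#hostname adds.
# $1 = certificate PEM, $2 = trust store PEM, $3 = expected hostname
verify_chain_and_host() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Walk through the failing setup and the working one. Returns 0 when every
# step behaves as described in the comments, 1 otherwise.
demo() {
    tmp=$(mktemp -d)
    ok=1
    make_self_signed "$tmp" dns.example.test

    # An unrelated self-signed CA stands in for a system trust store that
    # does not contain the server's certificate: strict mode fails here,
    # which is the "Error in the certificate verification" case.
    mkdir "$tmp/other"
    make_self_signed "$tmp/other" unrelated.example.test
    if verify_chain "$tmp/cert.pem" "$tmp/other/cert.pem"; then ok=0; fi

    # Fix: add the server's own certificate to the trust store. On Ubuntu
    # the assumed equivalent is copying it to
    # /usr/local/share/ca-certificates/kresd.crt, running
    # update-ca-certificates and restarting systemd-resolved.
    cat "$tmp/other/cert.pem" "$tmp/cert.pem" > "$tmp/trust.pem"
    verify_chain "$tmp/cert.pem" "$tmp/trust.pem" || ok=0

    # With DNS=ip#hostname the presented name must also match.
    verify_chain_and_host "$tmp/cert.pem" "$tmp/trust.pem" dns.example.test || ok=0
    if verify_chain_and_host "$tmp/cert.pem" "$tmp/trust.pem" wrong.example.test; then ok=0; fi

    echo "--- strict mode, assumed path /etc/systemd/resolved.conf.d/dot.conf"
    resolved_dropin 192.0.2.53 dns.example.test yes
    echo "--- opportunistic mode (no certificate or name check)"
    resolved_dropin 192.0.2.53 "" opportunistic

    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

demo
```

The first failing check is the one that matters for a test server: a self-signed certificate is rejected not because it is self-signed as such, but because nothing in the trust store vouches for it, so installing it there is enough for strict mode, and the ip#hostname form only adds the name match on top. Opportunistic mode skips both checks, which is why it "works" but offers no protection against an active attacker on the path.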