systemd-resolved DNSSEC root trust anchor outdated?
J Doe
general at nativemethods.com
Sat Jan 12 04:01:38 UTC 2019
Hello,
I currently run a server using Ubuntu 18.04.1 LTS with patches current to today (Jan 11, 2019). I configured systemd-resolved to use DNSSEC validation by editing: /etc/systemd/resolved.conf and setting: DNSSEC=yes.
When I check my syslog, I note that systemd-resolved is logging that the positive trust anchor for the root has been revoked:
Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 has been revoked. Please update the trust anchor, or upgrade your operating system.
I checked: man dnssec-trust-anchors.d and read:
"Note that systemd-resolved will automatically use a built-in trust anchor key for the Internet root domain if no positive trust anchors are defined for the root domain."
I verified that: /etc/dnssec-trust-anchors.d/*.positive, /run/dnssec-trust-anchors.d/*.positive, /usr/lib/dnssec-trust-anchors.d/*.positive do *NOT* exist, which means that only the compiled in root trust anchor key is being used and that systemd-resolved has found that it has been revoked.
Does this require a new root trust anchor to be compiled in and then shipped in a systemd update or should I manually acquire the root trust anchor and place it in one of the directories mentioned in: man dnssec-trust-anchors.d ?
In the meantime, I have disabled DNSSEC validation in: /etc/systemd/resolved.conf
Thanks,
- J
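The check the poster did by hand, written up as an added example script (it is not from the post, from Ubuntu or from systemd). It scans the three dnssec-trust-anchors.d directories for *.positive files, parses the DS records they carry, extracts the revoked DS record from the quoted syslog line, and classifies the situation; it also includes the RFC 4034 key-tag and SHA-256 DS computations so a fetched root DNSKEY can be turned into the DS line a .positive file needs. The zone-file comment handling (';' and '#'), the status strings and the sample inputs are this script's own assumptions; only the log line and directory names come from the post.

```python
#!/usr/bin/env python3
"""Added example: audit which DNSSEC root trust anchor systemd-resolved is using.
Assumed layout: *.positive files in the dnssec-trust-anchors.d directories hold
zone-file style "<owner> [IN] DS <keytag> <alg> <digesttype> <hexdigest>" lines."""
import hashlib
import re
import struct
from pathlib import Path

# Directories systemd-resolved consults, as listed in the post.
ANCHOR_DIRS = (
    "/etc/dnssec-trust-anchors.d",
    "/run/dnssec-trust-anchors.d",
    "/usr/lib/dnssec-trust-anchors.d",
)

# DS record line; whitespace inside the hex digest is tolerated.
DS_RE = re.compile(
    r"^(\S+)\s+(?:IN\s+)?DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f][0-9A-Fa-f\s]*)$",
    re.IGNORECASE,
)
# Shape of the syslog message quoted in the post.
REVOKED_RE = re.compile(
    r"DNSSEC Trust anchor (\S+) IN DS (\d+) (\d+) (\d+) ([0-9A-Fa-f]+) has been revoked"
)


def parse_positive_file(text):
    """Return the DS records in a .positive file as dicts.
    Assumption: lines starting with ';' or '#' are comments; DNSKEY lines and
    anything unparseable are skipped rather than treated as anchors."""
    anchors = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = DS_RE.match(line)
        if not m:
            continue
        owner, tag, alg, dtype, digest = m.groups()
        anchors.append({"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
                        "digest_type": int(dtype),
                        "digest": re.sub(r"\s+", "", digest).lower()})
    return anchors


def find_positive_anchors(dirs=ANCHOR_DIRS):
    """Collect (path, anchor) pairs from every *.positive file under dirs."""
    found = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():          # the poster's case: directory absent
            continue
        for path in sorted(base.glob("*.positive")):
            for anchor in parse_positive_file(path.read_text()):
                found.append((str(path), anchor))
    return found


def parse_revoked_log_line(line):
    """Extract the revoked DS record from a systemd-resolved syslog line, or None."""
    m = REVOKED_RE.search(line)
    if not m:
        return None
    owner, tag, alg, dtype, digest = m.groups()
    return {"owner": owner, "key_tag": int(tag), "algorithm": int(alg),
            "digest_type": int(dtype), "digest": digest.lower()}


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_ds_sha256(owner, flags, protocol, algorithm, pubkey):
    """Digest type 2 DS: SHA256(owner name in wire format || DNSKEY RDATA)."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in owner.rstrip(".").split(".") if l)
    wire += b"\x00"                  # root label; "." alone is just b"\x00"
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return hashlib.sha256(wire + rdata).hexdigest()


def assess(configured, revoked):
    """Classify the host: configured from find_positive_anchors(), revoked from
    parse_revoked_log_line(). Status strings are this script's own."""
    if revoked is None:
        return "no-revocation-logged"
    if not configured:
        # No .positive files at all: only the compiled-in anchor is in use,
        # and resolved reports that one as revoked.
        return "builtin-anchor-revoked"
    tags = {a["key_tag"] for _, a in configured if a["owner"] == revoked["owner"]}
    if tags == {revoked["key_tag"]}:
        return "only-configured-anchor-revoked"
    if revoked["key_tag"] in tags:
        return "revoked-anchor-still-listed"
    return "other-anchor-configured"


# Constructed sample input, copied from the post's syslog line, so this runs offline.
SAMPLE_LOG = ("Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS "
              "19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 "
              "has been revoked. Please update the trust anchor, or upgrade your operating system.")

if __name__ == "__main__":
    configured = find_positive_anchors()
    for path, a in configured:
        print(f"{path}: {a['owner']} DS {a['key_tag']} {a['algorithm']} {a['digest_type']}")
    print("status:", assess(configured, parse_revoked_log_line(SAMPLE_LOG)))
```

Run it as root on the affected host to confirm the "builtin-anchor-revoked" case; if you then fetch the current root KSK out of band, `dnskey_key_tag` and `dnskey_ds_sha256` give the key tag and digest to write into a `.positive` file, which is the manual path the man page describes.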