systemd-resolved DNSSEC root trust anchor outdated?
Marc Deslauriers
marc.deslauriers at canonical.com
Sat Jan 12 14:36:42 UTC 2019
On 2019-01-11 11:01 p.m., J Doe wrote:
> Hello,
>
> I currently run a server using Ubuntu 18.04.1 LTS with patches current to today (Jan 11, 2019). I configured systemd-resolved to use DNSSEC validation by editing: /etc/systemd/resolved.conf and setting: DNSSEC=yes.
>
> When I check my syslog, I note that systemd-resolved is logging that the positive trust anchor for the root has been revoked:
>
> Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 has been revoked. Please update the trust anchor, or upgrade your operating system.
>
> I checked: man dnssec-trust-anchors.d and read:
>
> "Note that systemd-resolved will automatically use a built-in trust anchor key for the Internet root domain if no positive trust anchors are defined for the root domain."
>
> I verified that: /etc/dnssec-trust-anchors.d/*.positive, /run/dnssec-trust-anchors.d/*.positive, /usr/lib/dnssec-trust-anchors.d/*.positive do *NOT* exist, which means that only the compiled in root trust anchor key is being used and that systemd-resolved has found that it has been revoked.
>
> Does this require a new root trust anchor to be compiled in and then shipped in a systemd update or should I manually acquire the root trust anchor and place it in one of the directories mentioned in: man dnssec-trust-anchors.d ?
>
> For the meantime, I have disabled DNSSEC validation in: /etc/systemd/resolved.conf
>
> Thanks,
>
> - J
>
It looks like resolved in 18.04 does in fact contain both the old and new trust
anchors hardcoded in resolved-dns-trust-anchor.c. A quick look at the file
suggests the expired one then gets removed from the list and the warning is issued.
Do you only get the warning once?
Marc.
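The alternative J Doe asks about, a manually installed positive trust anchor, looks like the following. This is an added example, not code from the thread or from systemd: it writes a `root.positive` file in the `dnssec-trust-anchors.d` format (one DS record per line in RFC 1035 syntax, `;` comments) and scans journal lines for the "has been revoked" message quoted above. The DS record it installs is assumed to be the one IANA publishes for the root KSK-2017 (key tag 20326); verify it against https://data.iana.org/root-anchors/ before deploying, since per the man page quoted above any positive anchor you define for the root replaces the built-in one, and a stale file would then break validation again. The directory argument, the helper names and the sample log line are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): install a positive root
# trust anchor for systemd-resolved and scan journal output for revoked anchors.
# Assumption: the DS record below is IANA's published DS for the root KSK-2017
# (key tag 20326, RSASHA256, SHA-256 digest). Check it against
# https://data.iana.org/root-anchors/ before relying on it.
set -eu

ROOT_KSK_2017_DS='. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D'

# write_root_anchor [DIR]: write DIR/root.positive (default /etc/dnssec-trust-anchors.d)
# in the format dnssec-trust-anchors.d(5) expects. Prints the path written.
write_root_anchor() {
    dir="${1:-/etc/dnssec-trust-anchors.d}"
    mkdir -p "$dir"
    {
        printf '; root zone trust anchor (KSK-2017); verify against IANA root-anchors\n'
        printf '%s\n' "$ROOT_KSK_2017_DS"
    } > "$dir/root.positive"
    printf '%s\n' "$dir/root.positive"
}

# anchor_key_tags FILE: print the key tag of every root DS record in a .positive
# file, skipping ';' / '#' comments and blank lines.
anchor_key_tags() {
    grep -v '^[[:space:]]*\([;#]\|$\)' "$1" | awk '$1 == "." && $3 == "DS" { print $4 }'
}

# revoked_key_tags < LOG: read systemd-resolved journal lines on stdin and print
# the key tag of each trust anchor it reported as revoked (empty if none).
revoked_key_tags() {
    sed -n 's/.*DNSSEC Trust anchor \. IN DS \([0-9][0-9]*\) .* has been revoked.*/\1/p'
}

# Stand-alone demo: a constructed journal line (the one quoted in the thread) and a
# temporary directory instead of /etc, so it runs offline and without root.
SAMPLE_LOG='Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 has been revoked. Please update the trust anchor, or upgrade your operating system.'

DEMO_DIR="$(mktemp -d)"
DEMO_FILE="$(write_root_anchor "$DEMO_DIR")"
echo "installed anchor key tags in $DEMO_FILE: $(anchor_key_tags "$DEMO_FILE")"
echo "revoked key tags in sample log: $(printf '%s\n' "$SAMPLE_LOG" | revoked_key_tags)"
rm -rf "$DEMO_DIR"
```

On a real host, run `write_root_anchor` as root with no argument, then `systemctl restart systemd-resolved` and pipe `journalctl -u systemd-resolved` through `revoked_key_tags`: an empty result means no anchor was reported revoked after the restart. Remember that systemd-resolved only reads the built-in anchor when no positive root anchor file exists, so once you install this file you own its upkeep.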