debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #05034
[Bug 2119652] [NEW] systemd-resolved-dnssec breaks name resolution on lxd domain
Public bug reported:
By default, LXD containers will be configured with DNS pointing to the
server listening on lxdbr0 on the host. The DHCP leases additionally
configure the 'lxd' domain. LXD starts a dnsmasq server which is DNSSEC
compatible, but by default is not actually configured for DNSSEC. This
leads to DNSSEC validation errors as seen below:
root@q1:~# apt policy systemd-resolved-dnssec
systemd-resolved-dnssec:
Installed: 257.7-1ubuntu3
Candidate: 257.7-1ubuntu3
Version table:
*** 257.7-1ubuntu3 100
100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
100 /var/lib/dpkg/status
root@q1:~# resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Link 47 (eth0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 10.148.181.1
DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
DNS Domain: lxd
Default Route: yes
root@q1:~# ping q2.lxd
ping: q2.lxd: Temporary failure in name resolution
root@q1:~# nslookup q2
;; Got SERVFAIL reply from 127.0.0.53
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find q2.lxd: SERVFAIL
root@q1:~# resolvectl dnssec eth0 no
root@q1:~# nslookup q2
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: q2.lxd
Address: 10.148.181.44
Name: q2.lxd
Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c
root@q1:~# ping -c 1 q2.lxd
PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms
--- q2.lxd ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
*compatible*, the downgrade logic implied by DNSSEC=allow-downgrade does
not kick in.
** Affects: strongswan (Ubuntu)
Importance: Undecided
Status: New
** Affects: systemd (Ubuntu)
Importance: High
Status: Confirmed
** Tags: update-excuse
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2119652
Title:
systemd-resolved-dnssec breaks name resolution on lxd domain
Status in strongswan package in Ubuntu:
New
Status in systemd package in Ubuntu:
Confirmed
Bug description:
By default, LXD containers will be configured with DNS pointing to the
server listening on lxdbr0 on the host. The DHCP leases additionally
configure the 'lxd' domain. LXD starts a dnsmasq server which is
DNSSEC compatible, but by default is not actually configured for
DNSSEC. This leads to DNSSEC validation errors as seen below:
root@q1:~# apt policy systemd-resolved-dnssec
systemd-resolved-dnssec:
Installed: 257.7-1ubuntu3
Candidate: 257.7-1ubuntu3
Version table:
*** 257.7-1ubuntu3 100
100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
100 /var/lib/dpkg/status
root@q1:~# resolvectl
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub
Link 47 (eth0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 10.148.181.1
DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
DNS Domain: lxd
Default Route: yes
root@q1:~# ping q2.lxd
ping: q2.lxd: Temporary failure in name resolution
root@q1:~# nslookup q2
;; Got SERVFAIL reply from 127.0.0.53
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find q2.lxd: SERVFAIL
root@q1:~# resolvectl dnssec eth0 no
root@q1:~# nslookup q2
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: q2.lxd
Address: 10.148.181.44
Name: q2.lxd
Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c
root@q1:~# ping -c 1 q2.lxd
PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms
--- q2.lxd ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
*compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
does not kick in.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/2119652/+subscriptions
Follow ups