← Back to team overview

debcrafters-packages team mailing list archive

  1. debcrafters-packages team
  2. Mailing list archive
  3. Message #05571

[Bug 2119652] Re: systemd-resolved-dnssec breaks name resolution on lxd domain

  Thread PreviousDate PreviousThread Next 
I guess we should consider adding a custom drop-in config inside the strongswan host-to-host containers, disabling DNSSEC, e.g.:
"""
[Resolve]
DNSSEC=no
"""

This would unblock the systemd migration.

Longer term, we should consider improvements to the LXD dnsmasq
configuration. Either having it properly sign its authoritative domains
properly, using DNSSEC, or disabling DNSSEC completely, so make the
"allow-downgrade" fallback kick in.

** Also affects: lxd (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

Status in lxd package in Ubuntu:
  New
Status in strongswan package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  By default, LXD containers will be configured with DNS pointing to the
  server listening on lxdbr0 on the host. The DHCP leases additionally
  configure the 'lxd' domain. LXD starts a dnsmasq server which is
  DNSSEC compatible, but by default is not actually configured for
  DNSSEC. This leads to DNSSEC validation errors as seen below:

  root@q1:~# apt policy systemd-resolved-dnssec
  systemd-resolved-dnssec:
    Installed: 257.7-1ubuntu3
    Candidate: 257.7-1ubuntu3
    Version table:
   *** 257.7-1ubuntu3 100
          100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
          100 /var/lib/dpkg/status
  root@q1:~# resolvectl 
  Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

  Link 47 (eth0)
      Current Scopes: DNS
           Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.148.181.1
         DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
          DNS Domain: lxd
       Default Route: yes
  root@q1:~# ping q2.lxd
  ping: q2.lxd: Temporary failure in name resolution
  root@q1:~# nslookup q2
  ;; Got SERVFAIL reply from 127.0.0.53
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  ** server can't find q2.lxd: SERVFAIL

  root@q1:~# resolvectl dnssec eth0 no
  root@q1:~# nslookup q2
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  Non-authoritative answer:
  Name:	q2.lxd
  Address: 10.148.181.44
  Name:	q2.lxd
  Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c

  root@q1:~# ping -c 1 q2.lxd
  PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
  64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms

  --- q2.lxd ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms

  root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature

  Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
  *compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
  does not kick in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2119652/+subscriptions

References

  Thread PreviousDate PreviousThread Next