
debcrafters-packages team mailing list archive

[Bug 2119652] Re: systemd-resolved-dnssec breaks name resolution on lxd domain


> The "allow-downgrade" mechanism should detect such instances and
> accept them without DNSSEC validation.

I don't think that's the intent of DNSSEC=allow-downgrade.

IIUC, dnsmasq, regardless of the presence of --dnssec, understands how
to respond to DNSSEC queries. When systemd-resolved asks for DNSSEC
validation of foo.lxd, dnsmasq says "I can't validate that" by sending
an empty response for the validation.

In particular, because the response from dnsmasq contains the DO flag,
and an empty RRSIG, systemd-resolved concludes "this server understands
DNSSEC, and the record is unsigned, therefore validation failed". At
least, that's my basic understanding of the systemd-resolved logic [1].

If, on the other hand, dnsmasq responded with some garbage that
indicated it doesn't even _understand_ DNSSEC, systemd-resolved would
invoke the allow-downgrade fallback, and accept the response without
validation.

[1] https://github.com/systemd/systemd/blob/v257.8/src/resolve/resolved-dns-server.c#L699

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

Status in lxd:
  New
Status in dnsmasq package in Ubuntu:
  Triaged
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New
Status in strongswan package in Ubuntu:
  Fix Committed
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  By default, LXD containers will be configured with DNS pointing to the
  server listening on lxdbr0 on the host. The DHCP leases additionally
  configure the 'lxd' domain. LXD starts a dnsmasq server which is
  DNSSEC compatible, but by default is not actually configured for
  DNSSEC. This leads to DNSSEC validation errors as seen below:

  root@q1:~# apt policy systemd-resolved-dnssec
  systemd-resolved-dnssec:
    Installed: 257.7-1ubuntu3
    Candidate: 257.7-1ubuntu3
    Version table:
   *** 257.7-1ubuntu3 100
          100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
          100 /var/lib/dpkg/status
  root@q1:~# resolvectl 
  Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

  Link 47 (eth0)
      Current Scopes: DNS
           Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.148.181.1
         DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
          DNS Domain: lxd
       Default Route: yes
  root@q1:~# ping q2.lxd
  ping: q2.lxd: Temporary failure in name resolution
  root@q1:~# nslookup q2
  ;; Got SERVFAIL reply from 127.0.0.53
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  ** server can't find q2.lxd: SERVFAIL

  root@q1:~# resolvectl dnssec eth0 no
  root@q1:~# nslookup q2
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  Non-authoritative answer:
  Name:	q2.lxd
  Address: 10.148.181.44
  Name:	q2.lxd
  Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c

  root@q1:~# ping -c 1 q2.lxd
  PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
  64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms

  --- q2.lxd ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms

  root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature

  Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
  *compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
  does not kick in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/2119652/+subscriptions
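The distinction drawn in the comment above (a server that echoes the EDNS0 DO bit but returns no RRSIG is treated as "DNSSEC-aware, data unsigned", while a server that does not understand DNSSEC at all triggers the allow-downgrade fallback) can be made concrete with a small wire-format model. The following is an added example, not code from the bug thread, systemd or LXD: it builds three constructed responses for `q2.lxd IN A` (addresses copied from the bug report, the RRSIG rdata is a placeholder since only its presence is inspected), parses them back with a minimal stdlib parser, and classifies each the way the comment describes. Real systemd-resolved behaviour (server feature-level probing, the DS chain walk visible in the journal lines, NSEC proofs of insecure delegation) is considerably more involved; this models only the DO/RRSIG decision.

```python
"""Toy model of the DO-bit / RRSIG decision described in the comment (added example)."""
import socket
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_FLAG = 0x8000   # DNSSEC OK bit: low 16 bits of the OPT RR "TTL" field (RFC 6891)


def encode_name(name):
    """Uncompressed wire encoding of a domain name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(data, off):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack_from("!H", data, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_response(qname, qtype, rcode, answers, edns_do):
    """answers: [(name, rtype, ttl, rdata)]. edns_do: None = no OPT RR, False/True = DO bit."""
    flags = 0x8180 | (rcode & 0xF)                     # QR, RD, RA set
    additional = b""
    if edns_do is not None:
        additional = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_FLAG if edns_do else 0, 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1 if additional else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                    for n, t, ttl, rd in answers)
    return header + question + body + additional


def parse_response(data):
    """Parse header flags, the OPT RR and the answer/authority sections of a response."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", data, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4                                       # skip QTYPE, QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", data, off)
            off += 10
            rrs.append((name, rtype, rclass, ttl, data[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    answer, authority, extra = sections
    opt = [rr for rr in extra if rr[1] == TYPE_OPT]
    return {
        "rcode": flags & 0xF,
        "ad": bool(flags & 0x0020),
        "edns": bool(opt),
        "do": bool(opt) and bool(opt[0][3] & DO_FLAG),
        "rrsig": any(rr[1] == TYPE_RRSIG for rr in answer + authority),
        "answers": answer,
    }


def classify(parsed):
    """Outcome for a validating resolver configured with DNSSEC=allow-downgrade, per the comment."""
    if not parsed["do"]:
        return "downgrade"      # server never echoed DO: looks DNSSEC-unaware, accept unvalidated
    if parsed["rrsig"]:
        return "validate"       # signatures present: go on to verify the chain of trust
    return "no-signature"       # DNSSEC-aware server, unsigned data: hard failure (the lxd case)


def demo():
    """Three constructed responses for q2.lxd IN A; returns {case: verdict}."""
    a_rr = ("q2.lxd", TYPE_A, 60, socket.inet_aton("10.148.181.44"))
    sig_rr = ("q2.lxd", TYPE_RRSIG, 60, b"\x00" * 18)   # placeholder rdata, presence only
    cases = {
        "dnsmasq_unsigned": build_response("q2.lxd", TYPE_A, 0, [a_rr], edns_do=True),
        "legacy_no_edns": build_response("q2.lxd", TYPE_A, 0, [a_rr], edns_do=None),
        "signed_zone": build_response("q2.lxd", TYPE_A, 0, [a_rr, sig_rr], edns_do=True),
    }
    return {name: classify(parse_response(wire)) for name, wire in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Running it prints `no-signature` for the dnsmasq-like response, `downgrade` for the server that sends no OPT record, and `validate` for the signed one, which is the asymmetry the comment points at: the downgrade path keys off whether the server appears to understand DNSSEC, not off whether the zone happens to be signed, so an unsigned local domain served by a DNSSEC-capable dnsmasq lands on the failure branch.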
