
debcrafters-packages team mailing list archive

[Bug 2117730] Re: Enable (opportunistic) DNSSEC


This bug was fixed in the package systemd - 257.7-1ubuntu3

---------------
systemd (257.7-1ubuntu3) questing; urgency=medium

  * meson.build: build with -Wl,-z,gcs-report=none on arm64 (LP: #2119100)

systemd (257.7-1ubuntu2) questing; urgency=medium

  [ Lukas Märdian ]
  * d/control,d/systemd-resolved-dnssec*: Add systemd-resolved-dnssec binary,
    shipping a drop-in config from d/extra/resolved.conf.d/ (LP: #2117730)
  * d/t/control: Add new 'dnssec' test case.
  * d/control: Add Recommends to systemd-resolved-dnssec

  [ Nick Rosbrook ]
  * test: ignore coredumps for gnusleep in addition to sleep (LP: #2116459)
  * test: follow /usr/bin/sleep symlink when checking coredumps (LP: #2116465)

 -- Nick Rosbrook <enr0n@xxxxxxxxxx>  Fri, 01 Aug 2025 11:55:27 -0400

** Changed in: systemd (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2117730

Title:
  Enable (opportunistic) DNSSEC

Status in bind9 package in Ubuntu:
  New
Status in dnsmasq package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  DNSSEC is an established DNS extension that allows DNS records to be
  cryptographically signed and validated. It can be enabled in “auto”
  (fallback) mode, which does not enforce signed records but uses them
  whenever possible. We should enable that “fallback” mode by default in
  Ubuntu and provide means to enforce DNSSEC, too.

  It is currently turned off by default in systemd-resolved (in Debian &
  Ubuntu), due to “compatibility issues with certain network access
  points”:

  * https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996

  Upstream systemd, meanwhile, recommends using
  `default-dnssec=allow-downgrade`.

  Some specific issues observed in the past:
  - bug #1628778
  - bug #1682499
  - bug #1690605
  - bug #1857639

  Because of issues like the ones mentioned above, we should provide an
  easy way to disable DNSSEC. I therefore think we should ship a drop-in
  config for systemd-resolved that sets "[Resolve] DNSSEC=allow-downgrade"
  via a Recommended "systemd-resolved-dnssec" package, and (optionally)
  set "[Resolve] DNSSEC=yes" manually in a drop-in config in
  /etc/systemd/resolved.conf.d/10-dnssec.conf. There is no need to modify
  the "-Ddefault-dnssec=no" build flag. That way the
  "systemd-resolved-dnssec" package can be removed to downgrade to
  "DNSSEC=no" in case of issues:

  $ apt remove systemd-resolved-dnssec
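  To check which DNSSEC mode is actually in effect after installing or removing that package, here is an added shell example (not part of the bug report or of the systemd packaging): it renders the drop-in described above and parses `resolvectl` output. The sample outputs are constructed, and the `resolvectl status` / `resolvectl query` line formats are assumed from recent systemd releases.

```shell
#!/bin/sh
# Added example: render the systemd-resolved DNSSEC drop-in and check the
# effective setting from resolvectl output. Sample outputs are constructed.
set -eu

# Emit the drop-in body for one of the three modes the bug report discusses.
render_dnssec_dropin() {
    case "$1" in
        allow-downgrade|yes|no) ;;
        *) echo "unknown DNSSEC mode: $1" >&2; return 1 ;;
    esac
    printf '[Resolve]\nDNSSEC=%s\n' "$1"
}

# Read `resolvectl status` on stdin and print the Global DNSSEC mode.
# Assumed formats: "DNSSEC=<mode>/<support>" in the Protocols line (recent
# systemd) or "DNSSEC setting: <mode>" (older releases). Global comes first,
# so the first match is the global value rather than a per-link one.
dnssec_mode_from_status() {
    mode=$(sed -n -e 's/.*DNSSEC=\([a-z-]*\)\/.*/\1/p' \
                  -e 's/^ *DNSSEC setting: *\([a-z-]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# Read `resolvectl query NAME` on stdin and print yes/no/unknown depending
# on the "-- Data is authenticated:" trailer, i.e. whether the answer was
# DNSSEC-validated (with allow-downgrade this can legitimately be "no").
auth_state_from_query() {
    state=$(sed -n 's/^-- Data is authenticated: \([a-z]*\).*/\1/p')
    printf '%s\n' "${state:-unknown}"
}

# Constructed sample outputs approximating what resolvectl prints.
SAMPLE_STATUS='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: stub'
SAMPLE_QUERY='example.com: 93.184.216.34                     -- link: eth0

-- Information acquired via protocol DNS in 12.3ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no'

# On a real host you would instead run, e.g.:
#   render_dnssec_dropin yes | sudo tee /etc/systemd/resolved.conf.d/10-dnssec.conf
#   sudo systemctl restart systemd-resolved
#   resolvectl status | dnssec_mode_from_status
#   resolvectl query example.com | auth_state_from_query
echo "mode: $(printf '%s\n' "$SAMPLE_STATUS" | dnssec_mode_from_status)"
echo "authenticated: $(printf '%s\n' "$SAMPLE_QUERY" | auth_state_from_query)"
```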
