
debcrafters-packages team mailing list archive

[Bug 2121483] [NEW] DNS completely broken on Ubuntu Questing

 

Public bug reported:

The bug itself:

OS: Ubuntu 25.10 development release (both the latest Lubuntu daily
image and a "manually built" installation I use for building packages
are affected)

Hardware: KVM virtual machine in virt-manager

Steps to reproduce:

* Boot the VM
* Ensure systemd-resolved is running: `systemctl status systemd-resolved`
* Try to ping Google: `ping google.com`

Expected result: Packages can be sent and received
Actual result: Ping errors out with "temporary failure in name resolution"

Looking at `sudo journalctl -fu systemd-resolved.service`, DNSSEC
"no-signature" errors are seen trying to resolve basically everything.

Uninstalling the package `systemd-resolved-dnssec` and restarting
systemd-resolved resolves the issue.

-----

What to do about the bug:

Technically, everything is working as intended here. DNSSEC was enabled
in "allow-downgrade" mode by default by
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2117730, with the
understanding that this *would* break DNS resolution for some users, and
that those users would have to remove `systemd-resolved-dnssec` and
restart `systemd-resolved` to get their network to work.

However, because systemd-resolved-dnssec has been made a "Recommends" of
systemd-resolved and not a "Suggests", it is being installed by default
on built ISOs, which is highly problematic for probably all of the
flavors and perhaps even Ubuntu Desktop itself. This means that, using
the latest Lubuntu daily image, I have no Internet at all, and the only
reason I was able to figure out why was because I have some network
troubleshooting experience (which many users won't have). The user is
given *zero* indication that there could be network issues due to
DNSSEC, or how to resolve those issues, or anything. The user is just
left with broken Internet, they don't know why, and depending on what
devices they have available to them they might not even be able to
figure out how to disable DNSSEC because they don't have Internet to
look it up.

I would suggest that systemd-resolved-dnssec be demoted to a "Suggests"
of systemd-resolved. This way flavors that are interested in enabling it
by default and are ready to help the user overcome networking hurdles
they may encounter can explicitly seed it, while flavors that don't want
to trouble their users with that can simply leave it off their images.
Alternatively, some way of blacklisting packages from ISOs that actually
works could be used to avoid the need for a demotion, but as many of us
know, germinate's blacklisting functionality can't be used for this (it
does not do what most of us probably would guess it does).

I'm definitely open to other options here (it would be awesome if
systemd-resolved could fall back to some trusted DNS server like one of
the root servers if the "local" DNS server provided by an access point
didn't work), but I really do not want to have to just release note this
and hope users see it. We could introduce a "Turn off DNSSEC" or similar
button in Lubuntu's application menu if all else failed, but that would
be a very, very hacky solution.

** Affects: systemd (Ubuntu)
     Importance: Critical
         Status: New

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Critical

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2121483
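
The journal check described in the report, as an added example that is not part of the original bug report: a small filter that tells DNSSEC validation failures apart from other causes of "temporary failure in name resolution". The sample log lines are constructed, and the "DNSSEC validation failed for question ...: no-signature" wording and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): summarise DNSSEC validation
# failures found in systemd-resolved journal output.

# Constructed sample lines. The "DNSSEC validation failed for question"
# wording is assumed to match what the affected system logs.
SAMPLE_LOG='Aug 26 10:00:01 vm systemd-resolved[412]: DNSSEC validation failed for question google.com IN A: no-signature
Aug 26 10:00:01 vm systemd-resolved[412]: DNSSEC validation failed for question google.com IN AAAA: no-signature
Aug 26 10:00:05 vm systemd-resolved[412]: DNSSEC validation failed for question archive.ubuntu.com IN A: no-signature
Aug 26 10:00:09 vm systemd-resolved[412]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.168.122.1.'

# Print "<reason> <name>" for every DNSSEC validation failure read on stdin.
dnssec_failures() {
  sed -n 's/.*DNSSEC validation failed for question \([^ ]*\) IN [A-Z0-9]*: \([a-z-]*\).*/\2 \1/p'
}

# Print how many distinct names failed validation with reason $1.
count_failed_names() {
  dnssec_failures | awk -v r="$1" '
    $1 == r { seen[$2] = 1 }
    END { n = 0; for (k in seen) n++; print n }'
}

# Print "dnssec" when no-signature failures are present, otherwise "other",
# so a broken resolver can be separated from link or DHCP problems.
diagnose() {
  if [ "$(count_failed_names no-signature)" -gt 0 ]; then
    echo dnssec
  else
    echo other
  fi
}

# Demo on the constructed sample: lists reason and name per failure.
printf '%s\n' "$SAMPLE_LOG" | dnssec_failures
```

On an affected machine the same functions can read the live journal, for example `journalctl -b --no-pager -u systemd-resolved.service | diagnose`.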
