
debcrafters-packages team mailing list archive

[Bug 2119652] Re: systemd-resolved-dnssec breaks name resolution on lxd domain

 

FTR: here is a sd-resolved debug log of:

$ resolvectl log-level debug
$ resolvectl flush-caches
$ resolvectl query nn-abi.lxd # this is another LXD container, running on my host.

=> as we can see, it does not get a DS record (as expected, as the .lxd domain has no chain of trust):
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Found verdict for lookup lxd IN DS: bogus
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature


"""
Aug 28 14:23:54 tender-fowl systemd-resolved[123]: Flushed all caches.
Aug 28 14:23:54 tender-fowl systemd-resolved[123]: Sent message type=method_return sender=n/a destination=:1.17 path=n/a interface=n/a member=n/a cookie=24 reply_cookie=2 signature=n/a error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message type=method_call sender=:1.18 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname  cookie=2 reply_cookie=0 signature=isit error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: idn2_lookup_u8: nn-abi.lxd → nn-abi.lxd
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionCredentials cookie=25 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a interface=n/a member=n/a  cookie=15 reply_cookie=25 signature=a{sv} error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: D-Bus hostname resolution request from client PID 633 (resolvectl) with UID 0
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Looking up RR for nn-abi.lxd IN A.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Looking up RR for nn-abi.lxd IN AAAA.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=26 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=27 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a interface=n/a member=n/a  cookie=17 reply_cookie=27 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN A
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 64076 for <nn-abi.lxd IN A> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level UDP+EDNS0+DO for transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 for transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 64076 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN AAAA
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 38417 for <nn-abi.lxd IN AAAA> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level UDP+EDNS0+DO for transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 for transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 38417 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of size 55, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet of size 55 on transaction 64076 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS to validate transaction 64076 (nn-abi.lxd, unsigned non-SOA/NS RRset <nn-abi.lxd IN A 10.238.94.180>).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN DS
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 48002 for <nn-abi.lxd IN DS> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level UDP+EDNS0+DO for transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 for transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 48002 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of size 67, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet of size 67 on transaction 38417 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS to validate transaction 38417 (nn-abi.lxd, unsigned non-SOA/NS RRset <nn-abi.lxd IN AAAA fd42:7213:f20e:bd74:216:3eff:fe81:cd61>).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of size 39, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet of size 39 on transaction 48002 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS (→ lxd) to validate transaction 48002 (nn-abi.lxd empty response).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for lxd IN DS
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 32387 for <lxd IN DS> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level UDP+EDNS0+DO for transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 for transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 32387 of size 55.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of size 32, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet of size 32 on transaction 32387 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS (→ ) to validate transaction 32387 (lxd empty response).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Validating response from transaction 32387 (lxd IN DS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Found verdict for lookup lxd IN DS: bogus
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 32387 for <lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed for question nn-abi.lxd IN DS: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 48002 for <nn-abi.lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed for question nn-abi.lxd IN A: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 64076 for <nn-abi.lxd IN A> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed for question nn-abi.lxd IN AAAA: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 38417 for <nn-abi.lxd IN AAAA> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=error sender=n/a destination=:1.18 path=n/a interface=n/a member=n/a cookie=28 reply_cookie=2 signature=s error-name=org.freedesktop.resolve1.DnssecFailed error-message=DNSSEC validation failed: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=29 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a interface=n/a member=n/a  cookie=16 reply_cookie=26 signature=n/a error-name=n/a error-message=n/a
"""

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

Status in lxd:
  Fix Released
Status in bind9 package in Ubuntu:
  Invalid
Status in dnsmasq package in Ubuntu:
  Triaged
Status in libvirt package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New
Status in strongswan package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  By default, LXD containers will be configured with DNS pointing to the
  server listening on lxdbr0 on the host. The DHCP leases additionally
  configure the 'lxd' domain. LXD starts a dnsmasq server which is
  DNSSEC compatible, but by default is not actually configured for
  DNSSEC. This leads to DNSSEC validation errors as seen below:

  root@q1:~# apt policy systemd-resolved-dnssec
  systemd-resolved-dnssec:
    Installed: 257.7-1ubuntu3
    Candidate: 257.7-1ubuntu3
    Version table:
   *** 257.7-1ubuntu3 100
          100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
          100 /var/lib/dpkg/status
  root@q1:~# resolvectl 
  Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

  Link 47 (eth0)
      Current Scopes: DNS
           Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.148.181.1
         DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
          DNS Domain: lxd
       Default Route: yes
  root@q1:~# ping q2.lxd
  ping: q2.lxd: Temporary failure in name resolution
  root@q1:~# nslookup q2
  ;; Got SERVFAIL reply from 127.0.0.53
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  ** server can't find q2.lxd: SERVFAIL

  root@q1:~# resolvectl dnssec eth0 no
  root@q1:~# nslookup q2
  Server:		127.0.0.53
  Address:	127.0.0.53#53

  Non-authoritative answer:
  Name:	q2.lxd
  Address: 10.148.181.44
  Name:	q2.lxd
  Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c

  root@q1:~# ping -c 1 q2.lxd
  PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
  64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms

  --- q2.lxd ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms

  root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for question q2.lxd IN A: no-signature

  Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
  *compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
  does not kick in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/2119652/+subscriptions
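As an added example (not part of the bug report, and not systemd's own tooling), the following Python script parses systemd-resolved debug log lines of the kind quoted above, follows the chain of DS lookups that resolved fired to validate the original question, and reports the innermost failing question together with whether the negotiated feature level counts as DNSSEC-capable. The log lines embedded in the script are a constructed subset modelled on the quoted log; the regular expressions, the function names and the rule that a feature level containing DO means allow-downgrade will not fall back to plain DNS (which follows the report's own explanation) are assumptions of this example.

```python
"""Explain a systemd-resolved DNSSEC 'no-signature' failure from its debug log.
Added example, not part of the bug report; the sample lines are a constructed
subset modelled on the quoted log, and the regexes assume that log's wording."""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Constructed sample: the A lookup for nn-abi.lxd and the DS lookups fired to validate it.
SAMPLE_LOG = """\
systemd-resolved[123]: Firing regular transaction 64076 for <nn-abi.lxd IN A> scope dns on eth0/* (validate=yes).
systemd-resolved[123]: Using feature level UDP+EDNS0+DO for transaction 64076.
systemd-resolved[123]: Requesting DS to validate transaction 64076 (nn-abi.lxd, unsigned non-SOA/NS RRset <nn-abi.lxd IN A 10.238.94.180>).
systemd-resolved[123]: Firing regular transaction 48002 for <nn-abi.lxd IN DS> scope dns on eth0/* (validate=yes).
systemd-resolved[123]: Requesting DS (→ lxd) to validate transaction 48002 (nn-abi.lxd empty response).
systemd-resolved[123]: Firing regular transaction 32387 for <lxd IN DS> scope dns on eth0/* (validate=yes).
systemd-resolved[123]: Requesting DS (→ ) to validate transaction 32387 (lxd empty response).
systemd-resolved[123]: Found verdict for lookup lxd IN DS: bogus
systemd-resolved[123]: Regular transaction 32387 for <lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[123]: Regular transaction 64076 for <nn-abi.lxd IN A> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
"""

@dataclass
class Txn:
    txid: int
    name: str
    rtype: str
    feature_level: str | None = None
    status: str | None = None
    pending_ds: str | None = None  # name whose DS record this lookup is waiting on
    child_ds: int | None = None    # txid of the DS lookup fired on its behalf

    @property
    def question(self) -> str:
        return f"{self.name} IN {self.rtype}"

# Assumed patterns, matching the wording of the quoted resolved debug output.
FIRE = re.compile(r"Firing regular transaction (\d+) for <(\S+) IN (\S+)>")
LEVEL = re.compile(r"Using feature level (\S+) for transaction (\d+)\.")
DS_REQ = re.compile(r"Requesting DS(?: \(→ (\S*)\))? to validate transaction (\d+) \((\S+?)[, ]")
VERDICT = re.compile(r"Found verdict for lookup (\S+) IN (\S+): (\S+)")
COMPLETE = re.compile(r"Regular transaction (\d+) for <\S+ IN \S+> on scope .* now complete with <([^>]+)>")

def parse_log(text: str) -> tuple[dict[int, Txn], dict[str, str]]:
    """Return transactions keyed by id and DNSSEC verdicts keyed by question."""
    txns: dict[int, Txn] = {}
    verdicts: dict[str, str] = {}
    for line in text.splitlines():
        if m := FIRE.search(line):
            txid, name, rtype = int(m[1]), m[2], m[3]
            txns[txid] = Txn(txid, name, rtype)
            if rtype == "DS":  # attach this DS lookup to whichever lookups wait for it
                for parent in txns.values():
                    if parent.pending_ds == name and parent.child_ds is None:
                        parent.child_ds = txid
        elif m := LEVEL.search(line):
            txns[int(m[2])].feature_level = m[1]
        elif m := DS_REQ.search(line):
            # "(→ parent)" means resolved walks one label up; "(→ )" is the root zone.
            txns[int(m[2])].pending_ds = m[1] if m[1] is not None else m[3]
        elif m := VERDICT.search(line):
            verdicts[f"{m[1]} IN {m[2]}"] = m[3]
        elif m := COMPLETE.search(line):
            txns[int(m[1])].status = m[2]
    return txns, verdicts

def validation_chain(txns: dict[int, Txn], txid: int) -> list[Txn]:
    """Follow the DS lookups resolved fired while trying to validate `txid`."""
    chain: list[Txn] = []
    cur = txns.get(txid)
    while cur is not None and all(c.txid != cur.txid for c in chain):
        chain.append(cur)
        cur = txns.get(cur.child_ds) if cur.child_ds is not None else None
    return chain

def diagnose(text: str) -> list[dict]:
    """One report per client question that ended in <dnssec-failed>."""
    txns, verdicts = parse_log(text)
    children = {t.child_ds for t in txns.values() if t.child_ds is not None}
    reports = []
    for t in txns.values():
        if t.status != "dnssec-failed" or t.txid in children:
            continue  # skip the auxiliary DS lookups; report the original questions
        chain = validation_chain(txns, t.txid)
        leaf = chain[-1]
        levels = {c.feature_level for c in chain if c.feature_level}
        # As the report explains: a server that negotiated EDNS0 with the DO bit
        # counts as DNSSEC-capable, so DNSSEC=allow-downgrade does not fall back.
        capable = bool(levels) and all("DO" in lvl for lvl in levels)
        reports.append({
            "question": t.question,
            "validation_chain": [c.question for c in chain],
            "root_cause": leaf.question,
            "verdict": verdicts.get(leaf.question, "unknown"),
            "server_dnssec_capable": capable,
            "allow_downgrade_applies": not capable,
        })
    return reports

if __name__ == "__main__":
    # Pass a saved debug-level journal of systemd-resolved, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in diagnose(text):
        print(f"{r['question']}: failed at {r['root_cause']} ({r['verdict']}); "
              f"allow-downgrade applies: {r['allow_downgrade_applies']}")
```

Run it against a file saved from `journalctl -u systemd-resolved.service` after `resolvectl log-level debug`, as in the comment above. The parser expects the capture to include each transaction's `Firing` line, so that it can report the whole validation chain (`nn-abi.lxd IN A` → `nn-abi.lxd IN DS` → `lxd IN DS`) rather than only the last `DNSSEC validation failed` line, and it flags explicitly that the `UDP+EDNS0+DO` feature level is why `allow-downgrade` never disabled validation for this server.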
