DNS server capability detection is broken and has fatal consequences to resolving when DNSSEC is enabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
systemd (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I'm running Ubuntu 19.10
I'm on latest version available from repositories, systemd 242
I'm expecting upstream DNS server capabilities being detected correctly and DNSSEC to keep working. Alternatively I'd expect a method of disabling capability checks instead of DNSSEC.
Currently, instead, resolved misdetects features suddenly and stops resolving altogether (it fails closed, which is somewhat good). A capability reset is a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it is):
a. The capability detection is fixed (https:/
b. Force-disabling capability detection exists (this is what I also requested here: https:/
c. Patch Ubuntu version not to allow such a foot gun, update documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved
description: updated
Changed in systemd: status: Unknown → New
Changed in systemd (Ubuntu): status: Incomplete → Confirmed
summary: "DNS server capability detection is broken and has critical consequences - when DNSSEC is enabled" → "DNS server capability detection is broken and has fatal consequences to resolving when DNSSEC is enabled"
Can you post logs from when the capability mis-detection happens? What indication do you have that is what's happening? How do you have DNSSEC configured?
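The comment above asks for three things: the DNSSEC configuration, the logs from the moment of mis-detection, and evidence that feature mis-detection is really the cause. The script below is an added example written for this page; it is not code from the bug reporter, Ubuntu or the systemd project. It parses the `DNSSEC=` setting out of resolved.conf(5)-style text (valid values are `yes`, `allow-downgrade` and `no`; when the key is unset the compiled-in default applies, which is `allow-downgrade` upstream but may differ in a distribution build), states what resolved does in each mode when it decides an upstream cannot do DNSSEC, and, when invoked with the argument `collect`, gathers the live evidence with `resolvectl status`, `resolvectl statistics` and `journalctl`. The grep patterns for the journal are loose assumptions about the wording of resolved's log lines, and `SAMPLE_CONF` is constructed input.

```shell
#!/bin/sh
# Added example (not from the bug report or the systemd project).
# Helps answer "how is DNSSEC configured?" and "what do the logs show?"
# for a systemd-resolved capability mis-detection report.

# Constructed resolved.conf fragment for offline use; the live file on an
# Ubuntu host is /etc/systemd/resolved.conf (drop-ins under resolved.conf.d).
SAMPLE_CONF='[Resolve]
#DNS=
#DNSSEC=allow-downgrade
DNSSEC=yes
'
SAMPLE_CONF_UNSET='[Resolve]
#DNSSEC=yes
'

# Print the effective DNSSEC= value from config text given as $1.
# Commented lines are ignored, the last assignment wins, and "unset" is
# printed when the key is absent (the compiled-in default then applies).
dnssec_mode_from_conf() {
    mode=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*DNSSEC[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' \
        | tail -n 1)
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf '%s\n' "unset"
    fi
}

# Describe resolved's behaviour in mode $1 once its probing concludes that
# the upstream server lacks DNSSEC support (the situation in this report).
dnssec_failure_behaviour() {
    case "$1" in
        yes)             printf '%s\n' "fail-closed: lookups fail rather than return unvalidated answers" ;;
        allow-downgrade) printf '%s\n' "downgrade: validation is switched off for that server and lookups continue" ;;
        no)              printf '%s\n' "no validation: answers are never checked" ;;
        unset)           printf '%s\n' "compiled-in default applies; confirm with: resolvectl status" ;;
        *)               printf '%s\n' "unknown DNSSEC value: $1"; return 1 ;;
    esac
}

# Gather the live evidence a maintainer would want attached to the bug.
collect_resolved_evidence() {
    echo "== configured mode =="
    dnssec_mode_from_conf "$(cat /etc/systemd/resolved.conf 2>/dev/null)"
    echo "== resolvectl status (DNSSEC setting, per-link servers) =="
    resolvectl status
    echo "== resolvectl statistics (secure/insecure/bogus/indeterminate verdicts) =="
    resolvectl statistics
    echo "== resolved journal lines about feature probing and downgrades (loose patterns) =="
    journalctl -u systemd-resolved -b --no-pager \
        | grep -iE 'dnssec|feature|downgrad' || true
    echo "If the counters and log lines show a spurious downgrade, the temporary"
    echo "workaround from the report is: resolvectl reset-server-features"
}

if [ "${1:-}" = "collect" ]; then
    collect_resolved_evidence
fi
```

Run it as `sh collect.sh collect` on the affected machine to produce a block of output that can be pasted into the bug; the parsing and behaviour functions work without root or a running resolved.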