systemd-resolved stub gives SERVFAIL for DNSSEC negative response
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd (Ubuntu) | New | Low | Unassigned | |
Bug Description
This issue surfaced when researching the issue that Postfix on my system (with DANE enabled) deferred mail deliveries with hundreds of this warning in the log:

```
Warning: DANE TLSA lookup problem: Host or domain name not found. Name service error for name=_25.
```
The DNS resolver on my machine was pointing at the systemd-resolved stub:

```
$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53
$ resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=
resolv.conf mode: stub
```
Note DNSSEC is enabled (else Postfix couldn't be doing DANE). Now if I query the TLSA record for the messagelabs server, I get a SERVFAIL from the stub resolver:

```
$ delv +dnssec _25._tcp.
;; resolution failed: SERVFAIL
```
Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC-validated (negative) response:

```
$ delv @8.8.8.8 +dnssec _25._tcp.
;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.
; _25._tcp.
; _25._tcp.
; messagelabs.com. SOA ns-1714.
; messagelabs.com. RRSIG SOA ...
```
I assume Postfix (with smtp_tls_
My workaround was to switch from the systemd-resolved stub resolver to the upstream servers. In /etc/systemd/

```
DNS=... your upstream servers if not already given through DHCP ...
DNSStubList
```

Then restart the service and restart Postfix if it is chrooted (so the new /etc/resolv.conf gets copied into the chroot):

```
systemctl restart systemd-resolved
systemctl restart postfix
```
I am not sure if this could be considered a Postfix bug as well (it could consider a SERVFAIL on a TLSA record the same as a negative), but surely it seems to me the systemd-resolved stub resolver should not return the SERVFAIL here.
For more background on this bug report, please see https:/
Changed in systemd (Ubuntu): status: Incomplete → New
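Added example, not part of the bug report and not code from the systemd or Postfix projects: a small checker that reads the text of `/etc/systemd/resolved.conf` and `/etc/resolv.conf` and reports whether the host is in the configuration the report describes (resolver pointed at the stub on 127.0.0.53 while `DNSSEC=` is enabled), or whether the workaround (upstream `DNS=` plus `DNSStubListener=no`) has taken effect. The two pairs of sample files are constructed for the example; the `DNSStubListener=` default of `yes` is taken from the resolved.conf(5) documentation, and the checker does not assume a default for `DNSSEC=` because that depends on the distribution build.

```python
"""Check whether DANE/TLSA lookups on this host would go through the
systemd-resolved stub with DNSSEC validation enabled.

Inputs are the text of /etc/systemd/resolved.conf and /etc/resolv.conf.
The sample files at the bottom are constructed for this example; they are
not captured from the reporter's machine.
"""

import re

STUB_ADDRESS = "127.0.0.53"  # fixed address of systemd-resolved's stub listener


def parse_resolved_conf(text):
    """Return the key=value pairs of the [Resolve] section as a dict.

    Minimal reader for systemd's ini-style files: blank lines and lines
    starting with '#' or ';' are comments, a key repeated later in the
    section overrides the earlier value, keys in other sections are ignored.
    """
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Resolve" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf, in order."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def assess(resolved_conf_text, resolv_conf_text):
    """Classify the resolver setup.

    verdict is one of:
      "stub-dnssec" - resolv.conf points at 127.0.0.53 and DNSSEC= is
                      yes/allow-downgrade: the combination from the report
      "stub"        - stub in use, DNSSEC not enabled in resolved.conf
      "upstream"    - resolv.conf no longer lists the stub (workaround active)
    """
    conf = parse_resolved_conf(resolved_conf_text)
    servers = parse_resolv_conf(resolv_conf_text)
    uses_stub = STUB_ADDRESS in servers
    dnssec = conf.get("DNSSEC", "unset")  # no default assumed, build-dependent
    stub_listener = conf.get("DNSStubListener", "yes")  # documented default
    if not uses_stub:
        verdict = "upstream"
    elif dnssec in ("yes", "allow-downgrade"):
        verdict = "stub-dnssec"
    else:
        verdict = "stub"
    return {
        "verdict": verdict,
        "nameservers": servers,
        "dnssec": dnssec,
        "stub_listener": stub_listener,
        "upstream_dns": conf.get("DNS", "").split(),
    }


# Constructed sample: default stub setup with DNSSEC switched on (the bug).
BEFORE_RESOLVED = "[Resolve]\n#DNS=\nDNSSEC=yes\n"
BEFORE_RESOLV = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"

# Constructed sample: the workaround from the report applied
# (192.0.2.x are documentation addresses standing in for real upstreams).
AFTER_RESOLVED = "[Resolve]\nDNS=192.0.2.53 192.0.2.54\nDNSSEC=yes\nDNSStubListener=no\n"
AFTER_RESOLV = "nameserver 192.0.2.53\nnameserver 192.0.2.54\n"

if __name__ == "__main__":
    for label, rc, rv in (("before", BEFORE_RESOLVED, BEFORE_RESOLV),
                          ("after", AFTER_RESOLVED, AFTER_RESOLV)):
        print(label, assess(rc, rv))
```

On a live host, feed it `open("/etc/systemd/resolved.conf").read()` and `open("/etc/resolv.conf").read()`; a `stub-dnssec` verdict means Postfix's DANE lookups are being answered by the stub that returned SERVFAIL above, and `upstream` confirms the workaround reached resolv.conf (remember the chroot copy for Postfix).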
What version of Ubuntu is this?