Comment 11 for bug 1978351

Marques Johansson (marques) wrote:

This is not a matter of cache poisoning. This is a 3rd-party owned domain suffix being applied to every name resolution on the system. Users using the default installed tools or deploying complex workloads will encounter this. When running Kubernetes on these nodes, for example, pods will inherit this behavior from the system through kube-dns.

When users' applications, package management, containers, and customer workloads request google.com, they get google.com.domains.

$ host google.com
google.com has address 142.251.40.174
google.com has IPv6 address 2607:f8b0:4006:823::200e
google.com mail is handled by 10 smtp.google.com.

$ host google.com.domains
google.com.domains has address 18.164.96.15
google.com.domains has address 18.164.96.65
google.com.domains has address 18.164.96.63
google.com.domains has address 18.164.96.112

This extends well beyond google. Every hostname "foo.com" that is registered on "com.domains" will be resolved to that com.domains domain. Likewise for any TLD.

$ host ubuntu.com.domains
ubuntu.com.domains has address 18.164.96.15
ubuntu.com.domains has address 18.164.96.112
ubuntu.com.domains has address 18.164.96.65
ubuntu.com.domains has address 18.164.96.63

$ host ubuntu.com
ubuntu.com has address 185.125.190.21
ubuntu.com has address 185.125.190.20
ubuntu.com has address 185.125.190.29
ubuntu.com has IPv6 address 2620:2d:4000:1::28
ubuntu.com has IPv6 address 2620:2d:4000:1::27
ubuntu.com has IPv6 address 2620:2d:4000:1::26
ubuntu.com mail is handled by 10 mx.ubuntu.com.

$ host archive.us.ubuntu.com.domains | tail -n1
archive.us.ubuntu.com.domains has address 18.164.96.15

$ host archive.ubuntu.com.domains | tail -n1
archive.ubuntu.com.domains has address 18.164.96.15

DNSSEC is not part of the configuration on Ubuntu's default package management tools (debian, python, perl). Nor are curl, wget, or most of the preinstalled system tools that traverse the internet protected by DNSSEC.
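Added example (editor's code, not the reporter's and not from any Ubuntu package): a small Python model of glibc-style search-list expansion that shows how a bare search suffix such as "domains", which is itself a public TLD, steers single-label and failed lookups into a zone owned by a third party, plus a check that flags such suffixes in a resolv.conf search list. The TLD set and the zone data are constructed samples; the suffix and the addresses follow the output quoted above.

```python
# Added example (not the reporter's or Ubuntu's code): model glibc-style search-list
# expansion and flag bare public-TLD search suffixes in a resolv.conf search list.
from typing import Dict, List, Optional, Tuple

# Constructed sample of public TLDs; a real audit would load the IANA TLD list.
SAMPLE_PUBLIC_TLDS = {"com", "net", "org", "domains", "zone"}

# Constructed stand-in for the global DNS (addresses taken from the output above).
SAMPLE_ZONE: Dict[str, str] = {
    "google.com": "142.251.40.174",
    "google.com.domains": "18.164.96.15",
    "ubuntu.com": "185.125.190.21",
    "ubuntu.com.domains": "18.164.96.15",
    "typo-ubuntu.com.domains": "18.164.96.15",  # unregistered .com, but the suffixed name exists
    "archive.domains": "18.164.96.15",
}

def parse_resolv_conf(text: str) -> Tuple[List[str], int]:
    """Return (search list, ndots) from resolv.conf text; ndots defaults to 1."""
    search, ndots = [], 1
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] in ("search", "domain"):
            search = [s.rstrip(".") for s in fields[1:]]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidate_names(name: str, search: List[str], ndots: int) -> List[str]:
    """Order in which a glibc-style resolver tries names; a trailing dot means absolute, no expansion."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{s}" for s in search]
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]

def resolve(name: str, search: List[str], ndots: int, zone=SAMPLE_ZONE) -> Optional[Tuple[str, str]]:
    """First candidate with a record wins: on NXDOMAIN the resolver moves to the next candidate."""
    for cand in candidate_names(name, search, ndots):
        if cand in zone:
            return cand, zone[cand]
    return None

def bare_tld_suffixes(search: List[str], tlds=SAMPLE_PUBLIC_TLDS) -> List[str]:
    """Single-label search suffixes that are public TLDs: short or failed lookups land in someone else's zone."""
    return [s for s in search if "." not in s and s.lower() in tlds]
```

Run `bare_tld_suffixes` over the search list from `resolvectl status` or `/etc/resolv.conf` on an affected host; any suffix it returns is worth removing from the DHCP-supplied search list or overriding per link.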