Comment 20 for bug 1868955

Nick Tait (nick.t) wrote : Re: after upgrade to 20.04: posttls cannot connect to private/tlsmgr

Sorry for the delay in providing an update...

My theory about the systemd-resolved DNSSEC option proved incorrect.

So taking a step back, here is what I know about the problem that I am observing (i.e. specific to my test set-up):

* posttls-finger makes three DNS queries: The first query is for an MX record (which returns NODATA), then an A record (which returns a valid IP address), and finally a AAAA record (which returns NODATA).
* None of these include the AD flag in the request (question) - which is different from the behaviour seen when using 'dig' - but as it turns out, you don't need to include AD in the request to get AD in the reply. So this wasn't the problem.
* All three queries include the DO flag (to request RRSIG records).
* Using Wireshark I can see that the DNS response coming back to the 3 queries includes the AD flag (and the DO flag, and also RRSIG/NSEC3 records as appropriate).
* However, in spite of this, the DNS results returned from the C functions indicate AD=0 - i.e. they are saying that the AD flag isn't present in the response, even though (from the Wireshark trace) it clearly is.
* Based on this, my hypothesis is that the issue is with the C functions (libresolv).

So my plan now is to write a C program to test this theory, which will make a DNS query and then check the AD flag. If my theory is correct then running the same program on Ubuntu 20.04 and an older distribution should give different results.

Nick.