Comment 2 for bug 1957086

Christian Ehrhardt  (paelzer) wrote :

Reproducing the case outside the systemd tests

(Commands run on Ubuntu 22.04, with root permissions.)
jammy-proposed has dnsmasq 2.86 right now.

# Bring the host up to date, then install dnsmasq-base, which provides the
# dnsmasq binary started further down.
apt update
apt upgrade -y
apt install dnsmasq-base

# Clear any recorded failed state of the two units that are restarted below.
systemctl reset-failed systemd-networkd systemd-resolved

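# Runtime drop-in for systemd-resolved: DNSSEC in allow-downgrade mode, with
# LLMNR, MulticastDNS and DNS-over-TLS switched off.
# -p keeps this step re-runnable when the directory already exists.
mkdir -p /run/systemd/resolved.conf.d
# Quoted delimiter: the body is written literally, with no shell expansion.
cat > /run/systemd/resolved.conf.d/test-enable-dnssec.conf << 'EOF'
[Resolve]
DNSSEC=allow-downgrade
LLMNR=no
MulticastDNS=no
DNSOverTLS=no
EOF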

# veth pair for the DHCP side: test_eth42 (fixed MAC) is the end that
# systemd-networkd configures via DHCP, router_eth42 is the end dnsmasq serves on.
ip link add name test_eth42 address de:ad:be:ef:47:11 type veth peer name router_eth42
ip address flush dev router_eth42
ip address add 192.168.5.1/24 dev router_eth42
ip link set router_eth42 up

# DHCP + DNS server bound to router_eth42; --address=/#/... answers every name
# with 192.168.42.1. The log and lease files use fixed names under /tmp, which
# suits a throwaway test host; on a shared machine point them at a directory
# created with mktemp -d instead.
dnsmasq \
  --no-daemon \
  --log-queries \
  --log-facility=/tmp/dnsmasq.log \
  --conf-file=/dev/null \
  --dhcp-leasefile=/tmp/dnsmasq.leases \
  --bind-interfaces \
  --interface=router_eth42 \
  --except-interface=lo \
  --dhcp-range=192.168.5.10,192.168.5.200 \
  '--address=/#/192.168.42.1' &

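# networkd config for the DHCP-side interface: IPv4 DHCP, no IPv6 router
# advertisements, and a DNSSEC negative trust anchor for search.example.com.
# Nothing earlier in this recipe creates /run/systemd/network, so make sure it
# exists before writing into it.
mkdir -p /run/systemd/network
# Quoted delimiter: the body is written literally, with no shell expansion.
cat > /run/systemd/network/general.network << 'EOF'
[Match]
Name=test_eth42
[Network]
DHCP=ipv4
IPv6AcceptRA=False
DNSSECNegativeTrustAnchors=search.example.com
EOF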

# Second veth pair standing in for the VPN link: testvpnclient is the local
# end, testvpnrouter is the end the VPN-side dnsmasq listens on.
ip link add name testvpnclient type veth peer name testvpnrouter
ip address flush dev testvpnrouter
ip address add 10.241.3.1/24 dev testvpnrouter
ip link set testvpnrouter up

# DNS-only dnsmasq for the VPN side (no DHCP range, lease file is /dev/null);
# it answers math.lab and cantina.company with fixed addresses. The query log
# uses a fixed name under /tmp, which suits a throwaway test host; on a shared
# machine point it at a directory created with mktemp -d instead.
dnsmasq \
  --no-daemon \
  --log-queries \
  --log-facility=/tmp/dnsmasq-vpn.log \
  --conf-file=/dev/null \
  --dhcp-leasefile=/dev/null \
  --bind-interfaces \
  --interface=testvpnrouter \
  --except-interface=lo \
  --address=/math.lab/10.241.3.3 \
  --address=/cantina.company/10.241.4.4 &

# networkd config for the VPN-side interface: static address 10.241.3.2/24,
# DNS server 10.241.3.1, with ~company and ~lab as routing-only domains.
# NOTE(review): the negative trust anchor "la" below looks like a truncated
# "lab" (Domains= lists ~lab) — confirm against the original test before
# relying on this file.
# Quoted delimiter: the body is written literally, with no shell expansion.
cat > /run/systemd/network/vpn.network << 'EOF'
[Match]
Name=testvpnclient
[Network]
IPv6AcceptRA=False
Address=10.241.3.2/24
DNS=10.241.3.1
Domains=~company ~lab
DNSSECNegativeTrustAnchors=company la
EOF

# Apply the new .network files, wait (at most 20 s) for both test links to
# come online, then restart the resolver so it picks up the drop-in and the
# per-link DNS settings.
systemctl restart systemd-networkd
/usr/lib/systemd/systemd-networkd-wait-online \
  --interface=test_eth42 \
  --interface=testvpnclient \
  --timeout=20
systemctl restart systemd-resolved

# The original test runs "resolvectl query math.lab".
# That probes everything at once, so query the VPN-side dnsmasq step by step instead.

#1 The A (IPv4) query works; the result looks pretty much the same in the good and the bad case
dig @10.241.3.1 -t A math.lab

root@j-dnsmasq-proposed:~# dig @10.241.3.1 -t A math.lab
dnsmasq: query[A] math.lab from 10.241.3.1
dnsmasq: config math.lab is 10.241.3.3

; <<>> DiG 9.16.15-Ubuntu <<>> @10.241.3.1 -t A math.lab
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11869
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;math.lab. IN A

;; ANSWER SECTION:
math.lab. 0 IN A 10.241.3.3

;; Query time: 0 msec
;; SERVER: 10.241.3.1#53(10.241.3.1)
;; WHEN: Tue Jan 11 13:09:07 UTC 2022
;; MSG SIZE rcvd: 53

#2 The AAAA (IPv6) query fails and gets into a loop
dig @10.241.3.1 -t AAAA math.lab