Ubuntu
systemd package

Bug #1981431
Comment #0

Comment 0 for bug 1981431

Revision history for this message

Jan-Otto Kröpke (jokroepke) wrote on 2022-07-12:

Hi,

I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.

2 days ago, I enabled DNSSEC=true through:

# grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
DNSSEC=yes

After running some hours, systemd-resolved stop working. Log lines like incompatible-server starts to spam.

Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: int.creativesandbox.de
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 'htdocs'.
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN SOA: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 201.138.clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question static.237.11.201.138.clients.your-server.de IN AAAA: incompatible-server

Mention here, I'm running multiple machines with the same config against the same upstream DNS server. From time to time, only one instance is stop working here.

Running a manual query also fails here, for example:

# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server

Running 'resolvectl reset-server-features' helps here and can be considered as workaround.

# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-features
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231 -- link: eth0

-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

By reading issues upstream looks like https://github.com/systemd/systemd/issues/6490.

A fix is implemented (https://github.com/systemd/systemd/pull/18624) and released in 248 which is included in Ubuntu 22.04.

But there is another fix around this issue (https://github.com/systemd/systemd/pull/20214) which is released in systemd 250.

I would like to know if it's possible to backport this fix into Ubuntu 22.04.

Thanks.

https://github.com/systemd/systemd/pull/20214

Hi,