Hi,
I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.
2 days ago, I enabled DNSSEC=true through:
# grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
DNSSEC=yes
After running for some hours, systemd-resolved stops working. Log lines like incompatible-server start to spam.
Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: int.creativesandbox.de
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 'htdocs'.
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN SOA: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 201.138.clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question static.237.11.201.138.clients.your-server.de IN AAAA: incompatible-server
I should mention that I'm running multiple machines with the same config against the same upstream DNS server. From time to time, only one instance stops working.
Running a manual query also fails here, for example:
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
Running 'resolvectl reset-server-features' helps here and can be considered a workaround.
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-features
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231 -- link: eth0
-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
From reading the upstream issues, this looks like https://github.com/systemd/systemd/issues/6490.
A fix is implemented (https://github.com/systemd/systemd/pull/18624) and released in 248, which is included in Ubuntu 22.04.
But there is another fix around this issue (https://github.com/systemd/systemd/pull/20214), which is released in systemd 250.
I would like to know if it's possible to backport this fix into Ubuntu 22.04.
Thanks.
https://github.com/systemd/systemd/pull/20214
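
A watchdog for the workaround described above, as an added example that is not part of the original report: it separates the incompatible-server burst from the no-signature failures in the journal and only then runs resolvectl reset-server-features. The function names, the 15-minute window, the threshold of 5 and the resolved-watchdog log tag are assumptions; the sample log is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: detect the degraded resolver state.

# Constructed sample in the journal format quoted in the report.
SAMPLE_LOG='Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server'

# Print "<reason> <count>" for each DNSSEC failure reason read from stdin.
count_reasons() {
    awk '/DNSSEC validation failed for question/ { n[$NF]++ }
         END { for (r in n) print r, n[r] }' | sort
}

# Exit 0 when stdin shows the state described in the report: incompatible-server
# for the root zone itself, or for at least $1 (default 5) questions.
# no-signature failures (seen for reverse zones in the report) are ignored.
needs_reset() {
    awk -v t="${1:-5}" '
        /DNSSEC validation failed for question/ && $NF == "incompatible-server" {
            hits++
            if ($(NF - 3) == ".") root = 1   # question name is the root zone
        }
        END { exit !(root || hits >= t) }'
}

# Live mode (assumed unit name systemd-resolved, 15-minute window): apply the
# workaround from the report only when the pattern is present.
watchdog() {
    if journalctl -u systemd-resolved --since "15 min ago" --no-pager | needs_reset; then
        logger -t resolved-watchdog "incompatible-server burst, resetting server features"
        resolvectl reset-server-features
    fi
}

if [ "${1:-}" = "--live" ]; then
    watchdog
fi
```

Run with --live from a timer or cron job; without arguments the script only defines the functions, so they can be tried against saved journal output.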