| 2022-07-12 10:46:10 |
Jan-Otto Kröpke |
bug |
|
|
added bug |
| 2022-07-12 10:46:26 |
Jan-Otto Kröpke |
description |
Hi,
I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.
2 days ago, I enabled DNSSEC=true through:
# grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
DNSSEC=yes
After running some hours, systemd-resolved stop working. Log lines like incompatible-server starts to spam.
Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: int.creativesandbox.de
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 'htdocs'.
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN SOA: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 201.138.clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question static.237.11.201.138.clients.your-server.de IN AAAA: incompatible-server
Mention here, I'm running multiple machines with the same config against the same upstream DNS server. From time to time, only one instance is stop working here.
Running a manual query also fails here, for example:
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
Running 'resolvectl reset-server-features' helps here and can be considered as workaround.
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-features
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231 -- link: eth0
-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
By reading issues upstream looks like https://github.com/systemd/systemd/issues/6490.
A fix is implemented (https://github.com/systemd/systemd/pull/18624) and released in 248 which is included in Ubuntu 22.04.
But there is another fix around this issue (https://github.com/systemd/systemd/pull/20214) which is released in systemd 250.
I would like to know if it's possible to backport this fix into Ubuntu 22.04.
Thanks.
https://github.com/systemd/systemd/pull/20214 |
Hi,
I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.
2 days ago, I enabled DNSSEC=true through:
# grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
DNSSEC=yes
After running some hours, systemd-resolved stop working. Log lines like incompatible-server starts to spam.
Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: int.creativesandbox.de
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 'htdocs'.
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN SOA: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 201.138.clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question static.237.11.201.138.clients.your-server.de IN AAAA: incompatible-server
Mention here, I'm running multiple machines with the same config against the same upstream DNS server. From time to time, only one instance is stop working here.
Running a manual query also fails here, for example:
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
Running 'resolvectl reset-server-features' helps here and can be considered as workaround.
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-features
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231 -- link: eth0
-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
By reading issues upstream looks like https://github.com/systemd/systemd/issues/6490.
A fix is implemented (https://github.com/systemd/systemd/pull/18624) and released in 248 which is included in Ubuntu 22.04.
But there is another fix around this issue (https://github.com/systemd/systemd/pull/20214) which is released in systemd 250.
I would like to know if it's possible to backport this fix into Ubuntu 22.04.
Thanks. |
|
| 2022-07-13 20:49:03 |
Nick Rosbrook |
tags |
systemd-resolved |
rls-jj-incoming systemd-resolved |
|
| 2022-07-14 15:28:06 |
Lukas Märdian |
tags |
rls-jj-incoming systemd-resolved |
fr-2550 rls-jj-incoming systemd-resolved |
|
| 2022-07-14 15:28:39 |
Lukas Märdian |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-07-14 15:28:39 |
Lukas Märdian |
bug task added |
|
systemd (Ubuntu Jammy) |
|
| 2022-07-14 15:28:44 |
Lukas Märdian |
systemd (Ubuntu): status |
New |
Fix Released |
|
| 2022-07-14 15:31:33 |
Lukas Märdian |
tags |
fr-2550 rls-jj-incoming systemd-resolved |
fr-2550 systemd-resolved |
|
| 2022-07-20 20:00:14 |
Nick Rosbrook |
systemd (Ubuntu Jammy): status |
New |
Incomplete |
|
| 2022-07-21 22:58:45 |
Jan-Otto Kröpke |
attachment added |
|
systemd-resolved.log.gz https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1981431/+attachment/5604656/+files/systemd-resolved.log.gz |
|
| 2022-07-22 18:14:08 |
Jan-Otto Kröpke |
attachment added |
|
systemd-resolved.txt https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1981431/+attachment/5604817/+files/systemd-resolved.txt |
|
| 2022-08-02 14:07:46 |
Moritz Bunkus |
bug |
|
|
added subscriber Moritz Bunkus |
| 2022-08-29 19:31:33 |
Nick Rosbrook |
bug watch added |
|
https://github.com/systemd/systemd/issues/24098 |
|
| 2022-10-06 13:48:00 |
Nick Rosbrook |
bug |
|
|
added subscriber Ubuntu Foundations Bugs |
