[Bug 1628778] Re: systemd-resolved: after network reconnection, DNSSEC unsigned zones treated as bogus, stop resolving

Anders Kaseorg andersk at mit.edu
Thu Sep 29 06:20:50 UTC 2016


** Description changed:

  On the MIT network (which runs some ancient version of BIND 9), systemd-
  resolved stops resolving anything that isn’t DNSSEC-signed after I
  disconnect and reconnect the network. Signed zones continue to resolve.
  
  This happens with either DNSSEC=yes or the default DNSSEC=allow-
  downgrade.
  
  $ systemd-resolve github.com
  github.com: 192.30.253.113
  
  -- Information acquired via protocol DNS in 15.6ms.
  -- Data is authenticated: no
  $ # (disconnect and reconnect wifi)
  $ systemd-resolve github.com
  github.com: resolve call failed: DNSSEC validation failed: no-signature
  
  More debug information is available in my upstream report
  (https://github.com/systemd/systemd/issues/4175), which has gotten no
  response in the last week and a half.
  
  I’m refiling this here because I believe that this regression and others
  (bug 1588230, bug 1624071, bug 1624317, bug 1449001) indicate that
  systemd-resolved is not ready for production, and with final freeze just
  a week away, leaving systemd-resolved enabled for the yakkety release
- would be reckless.
+ would be reckless.  [Edit: Oh, I see that conclusion was already reached
+ yesterday.]

** Tags removed: regression-release

https://bugs.launchpad.net/bugs/1628778

Title:
  systemd-resolved: after network reconnection, DNSSEC unsigned zones
  treated as bogus, stop resolving

Status in systemd package in Ubuntu:
  New

Bug description:
  On the MIT network (which runs some ancient version of BIND 9),
  systemd-resolved stops resolving anything that isn’t DNSSEC-signed
  after I disconnect and reconnect the network. Signed zones continue to
  resolve.

  This happens with either DNSSEC=yes or the default
  DNSSEC=allow-downgrade.

  $ systemd-resolve github.com
  github.com: 192.30.253.113

  -- Information acquired via protocol DNS in 15.6ms.
  -- Data is authenticated: no
  $ # (disconnect and reconnect wifi)
  $ systemd-resolve github.com
  github.com: resolve call failed: DNSSEC validation failed: no-signature

  More debug information is available in my upstream report
  (https://github.com/systemd/systemd/issues/4175), which has gotten no
  response in the last week and a half.

  I’m refiling this here because I believe that this regression and
  others (bug 1588230, bug 1624071, bug 1624317, bug 1449001) indicate
  that systemd-resolved is not ready for production, and with final
  freeze just a week away, leaving systemd-resolved enabled for the
  yakkety release would be reckless.  [Edit: Oh, I see that conclusion
  was already reached yesterday.]
