[Bug 1682499] Re: disable dnssec
Jacek Misiurewicz
1682499 at bugs.launchpad.net
Fri Jun 2 07:40:39 UTC 2017
This helped me only partially - I still have issues with DNS lookup.
It seems that the systemd-resolved is broken from the very idea.
After solving DNSSEC problem, I see now a switching problem - if one DNS
does not respond, resolved switches to another one, which may be a local
DNS not serving all the information, however it responds RELIABLY with
.... "REFUSED" for majority of queries! Thus, resolved is stuck with
this "reliable" DNS, refusing almost all queries until reboot (or
networking reload).
There are so many bugs filed about resolved that somebody should gather
them in one place and do something.
Moreover, tracing problems is not easy - they are intermittent,
depending on current server load. For some people in a fixed setup the
bug may be nonexistent; when travelling across well-configured, simple
and non-overloaded networks everything is OK. Then, at some hour, some
connection - I start having to reload network every time I start reading
mail.....
For now many people are switching to an alternative resolver - e.g.
"unbound"; what is going on with resolved looks like sabotage.....
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1682499
Title:
disable dnssec
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Zesty:
Fix Released
Bug description:
[Impact]
* dnssec functionality in systemd-resolved prevents network access in
certain intra and extra net cases, due to failure to correctly
validate dnssec entries. As a work-around we should disable dnssec by
default.
[Test Case]
* Validate systemd-resolved is compiled with --with-default-dnssec=no
* Validate that systemd-resolve --status says that DNSSEC setting is no

  $ systemd-resolve --status

  good output:
  ...
        DNSSEC setting: no
      DNSSEC supported: no
  ...

  bad output:
  ...
        DNSSEC setting: allow-downgrade
      DNSSEC supported: yes
  ...
[Regression Potential]
* People who expect DNSSEC to be available by default will need to
re-enable it by modifying systemd-resolve configuration file
[Other Info]
* See duplicate bugs and other bug reports in systemd for scenarios
of DNS resolution failures when DNSSEC is enabled.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1682499/+subscriptions
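
The [Test Case] check above, as an added shell example that is not part of the bug report or of systemd: it parses `systemd-resolve --status` text per scope and fails if any link reports a DNSSEC mode other than the expected one. The function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (function names are illustrative, not part of systemd).

# Print "scope<TAB>setting<TAB>supported" for each scope in
# `systemd-resolve --status` text (stdin) that reports a DNSSEC setting.
dnssec_scopes() {
    awk '
        function flush() {
            if (scope != "" && setting != "")
                printf "%s\t%s\t%s\n", scope, setting, supported
            setting = ""; supported = ""
        }
        # Scope headers start in column 1: "Global" or "Link N (ifname)".
        /^(Global|Link [0-9]+ \(.*\))[ \t]*$/ {
            flush(); scope = $0; sub(/[ \t]+$/, "", scope); next
        }
        /^[ \t]*DNSSEC setting:/   { setting = $NF }
        /^[ \t]*DNSSEC supported:/ { supported = $NF }
        END { flush() }
    '
}

# Return 0 if every scope reports the expected mode (default "no", the
# value this fix ships), 1 and list the offenders otherwise, 2 when the
# input has no DNSSEC setting at all (so an empty pipe cannot pass).
dnssec_expect() {
    expected=${1:-no}
    scopes=$(dnssec_scopes)
    [ -n "$scopes" ] || { echo "no DNSSEC setting in input" >&2; return 2; }
    bad=$(printf '%s\n' "$scopes" |
          awk -F '\t' -v want="$expected" '$2 != want')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample output, not captured from a real host.
sample_mixed() {
    cat <<'EOF'
Global
          DNSSEC NTA: 10.in-addr.arpa
Link 3 (wlan0)
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
Link 2 (eth0)
      DNSSEC setting: no
    DNSSEC supported: no
EOF
}

# On a host: systemd-resolve --status | dnssec_expect no
```

Hosts that re-enable validation through `DNSSEC=` in `/etc/systemd/resolved.conf` can pass `yes` or `allow-downgrade` as the expected mode instead.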