[Bug 1682499] Re: disable dnssec

allfox_wy 1682499 at bugs.launchpad.net
Tue May 2 15:55:12 UTC 2017 

Greetings, everyone.

I'm on Ubuntu GNOME 17.04

I see that DNSSEC is now off by default, however, in my log, I would see something like:
  4 May  2 23:29:31 lavender systemd-resolved[1129]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS     server 10.2.5.7.
  5 May  2 23:29:31 lavender systemd-resolved[1129]: Using degraded feature set (UDP) for DNS server 10.2.5.7.

And during that, it seems the systemd-resolved would act just like
DNSSEC enabled, and Web would fail some time like before.

I don't quite get what is going on. I have dnsmasq run in my network to
provide DNS cache, it's the 10.2.5.7 .  My upstream server do not
support DNSSEC, so the validation would fail certainly.

What I observed is during this feature set test, dnsmasq cache would
receive TCP connection from Ubuntu GNOME 17.04 . And take some time, the
test fail.

I know this feature test would fail, as I know the upstream server do
not support DNSSEC. I don't know what is EDNS0 or LARGE. But the problem
here is that even DNSSEC is now off by default, this feature set test
would still do the "DO" test, which stands for DNSSEC OK. It would
surely fail, and it can not be turned off via configuration, and it
would cut the Web for some time.

There is a patch for this:
https://github.com/systemd/systemd/issues/5352

Is it possible to cherry pick it please ?



** Bug watch added: github.com/systemd/systemd/issues #5352
   https://github.com/systemd/systemd/issues/5352

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1682499

Title:
  disable dnssec

Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Zesty:
  Fix Released

Bug description:
  [Impact]

   * dnssec functionality in systemd-resolved prevents network access in
  certain intra and extra net cases, due to failure to correctly
  validate dnssec entries. As a work-around we should disable dnssec by
  default.

  [Test Case]

   * Validate systemd-resolved is compiled with --with-default-dnssec=no
   * Validate that systemd-resolve --status says that DNSSEC setting is no

  $ systemd-resolve --status

  good output:
  ...
    DNSSEC setting: no
  DNSSEC supported: no
  ...

  bad output:
  ...
    DNSSEC setting: allow-downgrade
  DNSSEC supported: yes
  ...

  [Regression Potential]

   * People who expect DNSSEC to be available by default will need to
  re-enable it by modifying systemd-resolve configuration file

  [Other Info]

   * See duplicate bugs and other bug reports in systemd for scenarios
  of DNS resolution failures when DNSSEC is enabled.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1682499/+subscriptions

More information about the foundations-bugs mailing list