[Bug 1952784] [NEW] systemd-resolved cannot do dns over tls with server using self signed certificates
Sergio Callegari
1952784 at bugs.launchpad.net
Tue Nov 30 17:21:03 UTC 2021
Public bug reported:
While testing functionalities of knot resolver, I am experiencing issues
in how systemd-resolved interacts with it. I have the caching and
forwarding knot resolver running on a Debian machine and systemd-
resolved running on an Ubuntu focal machine.
It looks like systemd-resolved cannot communicate with kresd, when told
to do so using dns over tls. I think that this is because kresd by
default uses a self signed certificate for TLS and systemd-resolved does
not like it. In fact, if I set dnsovertls on resolved and enable debug
logging, I see in the journal entries like:
Failed to invoke gnutls_handshake: Error in the certificate
verification.
and the name resolution fails:
resolvectl query lwn.net
lwn.net: resolve call failed: All attempts to contact name servers or networks failed
On the other hand if I set dnsovertls to opportunistic, things seem to
work, but the log reports that systemd-resolved is "Using degraded
feature set UDP for DNS server".
It is my understanding that systemd-resolved should accept self-signed
certificates and should do certificate validation only if a special
syntax is used for specifying the DNS server to also include a
hostname for the DNS server (see
https://wiki.archlinux.org/title/Systemd-resolved#DNS_over_TLS). In
fact, the documentation of systemd-resolved seems to be a bit thin on
the matter, particularly because I understand that behaviors are
changing across different systemd-resolved versions.
In any case, being able to make systemd-resolved work with DoT with
servers using self-signed certificates would be very useful for testing
and learning.
Unfortunately, trying a more recent version of systemd-resolved is not
really easy without firing up a virtual machine because it is impossible
to update systemd-resolved independently of all the init system, with
some obvious risk of breaking a system.
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
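The two resolved settings the report compares, written out as a drop-in so the difference is visible side by side. This is an added example, not configuration from the bug report or from the systemd project; the server address 192.0.2.53, the name dns.example.internal and the drop-in file name are placeholders. The behaviour described in the comments is what the report itself observes: strict mode rejects the self-signed kresd certificate with "Error in the certificate verification", opportunistic mode resolves but logs "Using degraded feature set UDP", which means the queries went out in plaintext.

```ini
# /etc/systemd/resolved.conf.d/dot.conf  (added example, not from the bug report)
# 192.0.2.53 and dns.example.internal are placeholders for the kresd host.
[Resolve]

# Opportunistic mode: TLS is used when the server offers it, with a silent
# fall-back to plaintext UDP/TCP otherwise (the "degraded feature set UDP"
# journal message). It gives no protection against an active attacker who
# simply blocks port 853, so it is a test setting, not a hardening one.
#DNSOverTLS=opportunistic
#DNS=192.0.2.53

# Strict mode: every query goes over TLS or fails. The server certificate is
# verified, and the "#name" suffix sets the SNI name and the name the
# certificate must match. A self-signed kresd certificate fails here unless
# that certificate (or the CA that issued it) is in the system trust store.
DNSOverTLS=yes
DNS=192.0.2.53#dns.example.internal
```

After `systemctl restart systemd-resolved`, `resolvectl status` shows the effective `DNSOverTLS setting` in its Global section, and `resolvectl query lwn.net` either succeeds over TLS or fails outright; there is no plaintext fall-back in this mode. To see which certificate kresd actually presents before blaming resolved, `openssl s_client -connect 192.0.2.53:853 -servername dns.example.internal </dev/null | openssl x509 -noout -subject -issuer -dates` prints subject, issuer and validity; a self-signed certificate has identical subject and issuer. For a lab where the self-signed certificate is acceptable, adding it to the system store (on Ubuntu: copy it to /usr/local/share/ca-certificates/ as a .crt file and run `update-ca-certificates`, then restart resolved) lets strict mode pass without downgrading to opportunistic; this assumes the certificate's name matches the `#name` given in `DNS=`.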
https://bugs.launchpad.net/bugs/1952784