Hello world,
I'm trying to find out why systemd-resolved returns a SERVFAIL for a given, DNSSEC-secured name instead of NXDOMAIN:
# not working for systemd-resolved
$ dig mail.kvm.incertum.net @127.0.0.53 | grep status:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35694
# working with local unbound (or 8.8.8.8)
$ dig mail.kvm.incertum.net @127.0.0.1 | grep status:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61503
The reported error is:
Mai 27 17:32:48 ceres systemd-resolved[2589]: DNSSEC validation failed for question mail.kvm.incertum.net IN A: no-signature
The logs at debug level are available at https://stuff.incertum.net/systemd-resolved.txt.
Thanks,
Stefan
Any insights would be much appreciated. FWIW: The DNS servers are two bind 9.10.3 with auto-dnssec maintain. The overall DNSSEC setup seems to be OK, see: http://dnsviz.net/d/incertum.net/dnssec/.
Last edited by citecite (2018-05-29 17:46:03)
Switching from NSEC to NSEC3 seems to fix this.