#1 2018-09-15 04:19:31

Kabir
Member
From: India
Registered: 2016-12-06
Posts: 59

[SOLVED] systemd-resolved: DNSSEC validation failed, no-signature

Hi,

I assume this started happening today just after I updated my system, as I started noticing webpages open very slowly.
Rebooted my router but that wasn't it. Over at the journal logs I saw:

Sep 15 09:15:25 aries dbus-daemon[528]: [session uid=1000 pid=528] Successfully activated service 'org.a1
Sep 15 09:15:25 aries systemd[492]: Started Accessibility services bus.
Sep 15 09:15:49 aries systemd-resolved[487]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 202
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question com IN DNSKEY: no-sign
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question com IN SOA: no-signatu
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question mozilla.com IN DS: no-
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question services.mozilla.com I
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question services.mozilla.com I
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question sync.services.mozilla.
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question sync-681-us-west-2.syn
Sep 15 09:16:06 aries systemd-resolved[487]: DNSSEC validation failed for question sync-681-us-west-2.syn
Sep 15 09:16:14 aries systemd-resolved[487]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 59.
Sep 15 09:16:14 aries systemd-timesyncd[410]: Synchronized to time server 14.139.56.74:123 (2.arch.pool.n
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question opera.com IN DS: no-signature
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question exchange.opera.com IN SOA: no-signature
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question exchange.opera.com IN A: no-signature
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question opera.com IN SOA: no-signature
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question sitecheck.opera.com IN A: no-signature
Sep 15 09:25:52 aries systemd-resolved[487]: DNSSEC validation failed for question speeddials.opera.com IN A: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question com IN SOA: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question messenger.com IN DS: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question messenger.com IN SOA: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question www.messenger.com IN A: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question com IN SOA: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question opera.com IN DS: no-signature
Sep 15 09:26:03 aries systemd-resolved[487]: DNSSEC validation failed for question opera.com IN SOA: no-signature
Sep 15 09:26:03 aries systemd-resolved[487]: DNSSEC validation failed for question sitecheck.opera.com IN A: no-signature
Sep 15 09:27:05 aries sudo[6737]:    kabir : TTY=pts/2 ; PWD=/tmp/firefox-nightly/src ; USER=root ; COMMAND=/usr/bin/pacman -U /tmp/firefox-nightly/firefox-nightly-64.0a1.20180914-1-x86_64.pkg.tar.xz
Sep 15 09:27:05 aries sudo[6737]: pam_unix(sudo:session): session opened for user root by (uid=0)
Sep 15 09:27:09 aries sudo[6737]: pam_unix(sudo:session): session closed for user root
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question com IN DNSKEY: no-signature
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question firefoxusercontent.com IN DS: no-signature
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question firefoxusercontent.com IN SOA: no-signature
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question firefoxusercontent.com IN A: no-signature

Today's pacman log:

[2018-09-14 18:33] [PACMAN] starting full system upgrade
[2018-09-15 05:59] [PACMAN] Running 'pacman -Syu'
[2018-09-15 05:59] [PACMAN] synchronizing package lists
[2018-09-15 05:59] [PACMAN] starting full system upgrade
[2018-09-15 06:00] [ALPM] transaction started
[2018-09-15 06:00] [ALPM] upgraded libsystemd (239.0-2 -> 239.2-1)
[2018-09-15 06:00] [ALPM] upgraded libpng (1.6.34-2 -> 1.6.35-1)
[2018-09-15 06:00] [ALPM] installed audit (2.8.4-1)
[2018-09-15 06:00] [ALPM] upgraded systemd (239.0-2 -> 239.2-1)
[2018-09-15 06:00] [ALPM] upgraded compton (1.0-1 -> 2.0-1)
[2018-09-15 06:00] [ALPM] upgraded libidn (1.34-2 -> 1.35-1)
[2018-09-15 06:00] [ALPM] upgraded linux (4.18.6.arch1-1 -> 4.18.7.arch1-1)
[2018-09-15 06:00] [ALPM] upgraded linux-headers (4.18.6.arch1-1 -> 4.18.7.arch1-1)
[2018-09-15 06:00] [ALPM] upgraded nvidia (396.54-3 -> 396.54-4)
[2018-09-15 06:00] [ALPM] upgraded sudo (1.8.25-1 -> 1.8.25.p1-1)
[2018-09-15 06:00] [ALPM] upgraded systemd-sysvcompat (239.0-2 -> 239.2-1)
[2018-09-15 06:00] [ALPM] upgraded zsh (5.6.1-1 -> 5.6.2-1)
[2018-09-15 06:00] [ALPM] transaction completed
[2018-09-15 06:00] [ALPM] running '60-linux.hook'...
[2018-09-15 06:00] [ALPM] running '90-linux-lts.hook'...
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-lts.preset: 'default'
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-lts -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-lts.img
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Starting build: 4.14.69-1-lts
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [resume]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [autodetect]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [fsck]
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-lts.img
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Image generation successful
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-lts.preset: 'fallback'
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux-lts -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-lts-fallback.img -S autodetect
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Starting build: 4.14.69-1-lts
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [resume]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: wd719x
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: aic94xx
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [fsck]
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-lts-fallback.img
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Image generation successful
[2018-09-15 06:00] [ALPM] running '90-linux.hook'...
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Starting build: 4.18.7-arch1-1-ARCH
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [resume]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [autodetect]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [fsck]
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Image generation successful
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> Starting build: 4.18.7-arch1-1-ARCH
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [base]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [udev]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [resume]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [modconf]
[2018-09-15 06:00] [ALPM-SCRIPTLET]   -> Running build hook: [block]
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: wd719x
[2018-09-15 06:00] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: aic94xx
[2018-09-15 06:01] [ALPM-SCRIPTLET]   -> Running build hook: [filesystems]
[2018-09-15 06:01] [ALPM-SCRIPTLET]   -> Running build hook: [keyboard]
[2018-09-15 06:01] [ALPM-SCRIPTLET]   -> Running build hook: [fsck]
[2018-09-15 06:01] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2018-09-15 06:01] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
[2018-09-15 06:01] [ALPM-SCRIPTLET] ==> Image generation successful
[2018-09-15 06:01] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-catalog.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-daemon-reload.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-hwdb.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-sysctl.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-sysusers.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-tmpfiles.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-udev-reload.hook'...
[2018-09-15 06:01] [ALPM] running 'systemd-update.hook'...
[2018-09-15 06:01] [ALPM] running 'texinfo-install.hook'...
[2018-09-15 06:01] [ALPM] running 'update-desktop-database.hook'...
[2018-09-15 06:15] [PACMAN] Running 'pacman -Syu'
[2018-09-15 06:15] [PACMAN] synchronizing package lists
[2018-09-15 06:15] [PACMAN] starting full system upgrade
[2018-09-15 07:27] [PACMAN] Running 'pacman -Syu'
[2018-09-15 07:27] [PACMAN] synchronizing package lists
[2018-09-15 07:27] [PACMAN] starting full system upgrade
[2018-09-15 08:33] [PACMAN] Running 'pacman -Syu'
[2018-09-15 08:33] [PACMAN] synchronizing package lists
[2018-09-15 08:33] [PACMAN] starting full system upgrade
[2018-09-15 09:22] [PACMAN] Running '/usr/bin/pacman -U /tmp/firefox-nightly/firefox-nightly-64.0a1.20180914-1-x86_64.pkg.tar.xz'
[2018-09-15 09:22] [ALPM] transaction started
[2018-09-15 09:22] [ALPM] upgraded firefox-nightly (64.0a1.20180913-1 -> 64.0a1.20180914-1)
[2018-09-15 09:22] [ALPM] transaction completed
[2018-09-15 09:22] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 09:22] [ALPM] running 'systemd-update.hook'...
[2018-09-15 09:22] [ALPM] running 'update-desktop-database.hook'...
[2018-09-15 09:23] [PACMAN] Running 'pacman -S firefox'
[2018-09-15 09:23] [ALPM] transaction started
[2018-09-15 09:23] [ALPM] installed hunspell-en_US (2018.04.16-5)
[2018-09-15 09:23] [ALPM] installed firefox (62.0-1)
[2018-09-15 09:23] [ALPM] transaction completed
[2018-09-15 09:23] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 09:23] [ALPM] running 'systemd-update.hook'...
[2018-09-15 09:23] [ALPM] running 'update-desktop-database.hook'...
[2018-09-15 09:24] [PACMAN] Running 'pacman -Rns firefox-nightly'
[2018-09-15 09:24] [ALPM] transaction started
[2018-09-15 09:24] [ALPM] removed firefox-nightly (64.0a1.20180914-1)
[2018-09-15 09:24] [ALPM] transaction completed
[2018-09-15 09:24] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 09:24] [ALPM] running 'systemd-update.hook'...
[2018-09-15 09:24] [ALPM] running 'update-desktop-database.hook'...
[2018-09-15 09:27] [PACMAN] Running '/usr/bin/pacman -U /tmp/firefox-nightly/firefox-nightly-64.0a1.20180914-1-x86_64.pkg.tar.xz'
[2018-09-15 09:27] [ALPM] transaction started
[2018-09-15 09:27] [ALPM] installed firefox-nightly (64.0a1.20180914-1)
[2018-09-15 09:27] [ALPM] transaction completed
[2018-09-15 09:27] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 09:27] [ALPM] running 'systemd-update.hook'...
[2018-09-15 09:27] [ALPM] running 'update-desktop-database.hook'...
[2018-09-15 09:27] [PACMAN] Running 'pacman -Rns firefox'
[2018-09-15 09:27] [ALPM] transaction started
[2018-09-15 09:27] [ALPM] removed firefox (62.0-1)
[2018-09-15 09:27] [ALPM] removed hunspell-en_US (2018.04.16-5)
[2018-09-15 09:27] [ALPM] transaction completed
[2018-09-15 09:27] [ALPM] running 'gtk-update-icon-cache.hook'...
[2018-09-15 09:27] [ALPM] running 'systemd-update.hook'...
[2018-09-15 09:27] [ALPM] running 'update-desktop-database.hook'...

At the time of receiving these failed validation messages DNSSEC was commented out in resolved.conf.
Later on I changed it to true and then allow-downgrade but it didn't stop the validation failed messages.

Any tips / suggestions?
Thanks!

edit: setting DNSSEC=off in resolved.conf fixes the issue, but is it ok to do so or should this be handled differently?

Last edited by Kabir (2018-09-18 15:01:33)

#2 2018-09-17 15:45:35

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

What DNS are you using? In my personal case, I connect to the internet via an ADSL modem. The modem provides the computer with an IP address (192.168.1.x) and DNS via DHCP. The DNS they provide is 192.168.1.1, i.e. the address of the modem itself. The modem reroutes DNS queries to the DNS of my ISP and does some caching. With this configuration, resolved fails in the same way as you describe unless I turn DNSSEC off. However if I force the computer to use the DNS address 8.8.8.8 directly, then resolved works as expected with DNSSEC enabled. I do not know well what DNSSEC is but I have read that it is a security extension of DNS. I presume that the modem or the DNS of my ISP does not support the extension, hence the failure.

#3 2018-09-18 03:20:16

Kabir
Member
From: India
Registered: 2016-12-06
Posts: 59

My internet set up is somewhat similar to yours, other than I had asked my ISP to provide me the DNS servers so I could use them manually via the VDSL modem they provided.
And the DNS servers are different (202.56.215.54/55 and 4.2.2.2) from the modem's IP address (192.168.1.1) in my case. The modem uses DHCP and the nameservers reflected in
/run/systemd/resolve/resolv.conf are 202.56.215.54 and 59.144.144.100. DNSSEC validation doesn't work for me at all, whether I set it to allow-downgrade or true,
in fact if I don't turn it off websites don't open.

#4 2018-09-18 06:52:01

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

@Kabir you didn't do what I suggested. I suspect the culprit is your DNS that does not support DNSSEC or supports it in a buggy way that prevents the allow downgrade to fail. Before going further you should force your computer to use 8.8.8.8 directly. This is a public DNS server (maintained by Google) that works well with DNSSEC. How to do that depends on the way you configure the internet. You should normally set an option that tells your computer to acquire an address by DHCP but use 8.8.8.8 for DNS. This address should appear in /etc/resolv.conf (that is linked to /run/systemd/resolve/resolv.conf). If the 8.8.8.8 address works as expected, we will know that the culprit is your DNS. If the problem remains, then we should investigate further.

#5 2018-09-18 15:01:06

Kabir
Member
From: India
Registered: 2016-12-06
Posts: 59

Yes you're absolutely right! I got DNSSEC to work with Google's DNS server :) And I confirmed with my ISP, their servers don't support DNSSEC. Is it alright if I ditch my ISP's servers and switch to Google's?
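
The journal lines in the first post already point at the diagnosis confirmed here: `com` is a signed zone, so a `no-signature` failure for `com IN DNSKEY` means signatures are being lost between the authoritative servers and resolved, rather than one zone being misconfigured. The following triage is an added example, not part of any post in this thread; the sample journal is constructed from the thread's log format with a placeholder server address, and the `signed_zones` set and the verdict labels are assumptions of this example.

```python
import re
from collections import Counter

FAIL_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) IN (?P<rtype>[A-Z0-9]+): (?P<reason>[a-z-]+)\s*$")
DEGRADED_RE = re.compile(
    r"systemd-resolved\[\d+\]: Using degraded feature set \((?P<level>[^)]+)\) "
    r"for DNS server (?P<server>[0-9A-Fa-f:.]+?)\.?\s*$")

# Constructed sample: failure lines follow the format shown in the first post,
# the server address is a documentation-range placeholder.
SAMPLE_JOURNAL = """\
Sep 15 09:15:49 aries systemd-resolved[487]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 192.0.2.53.
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question com IN DNSKEY: no-signature
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question firefoxusercontent.com IN DS: no-signature
Sep 15 09:27:26 aries systemd-resolved[487]: DNSSEC validation failed for question firefoxusercontent.com IN A: no-signature
Sep 15 09:25:58 aries systemd-resolved[487]: DNSSEC validation failed for question www.messenger.com IN A: no-signature
Sep 15 09:27:05 aries sudo[6737]: pam_unix(sudo:session): session opened for user root by (uid=0)
"""

# Constructed contrast case: a single zone with an expired signature.
ZONE_ONLY_JOURNAL = """\
Sep 15 10:00:00 aries systemd-resolved[487]: DNSSEC validation failed for question broken.example IN A: signature-expired
"""


def triage(journal_text, signed_zones=frozenset({"com"})):
    """Summarise resolved's DNSSEC failures and guess where the fault lies.

    signed_zones: zones the caller knows to be signed (assumption of this
    example). A no-signature failure for one of them cannot be the zone's
    fault, so it implicates the resolver or a forwarder in front of it.
    """
    failures, degraded = [], {}
    for line in journal_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            name = m["name"].rstrip(".").lower()
            failures.append((name, m["rtype"], m["reason"]))
            continue
        m = DEGRADED_RE.search(line)
        if m:
            degraded[m["server"]] = m["level"]

    stripped = sorted({name for name, _, reason in failures
                       if reason == "no-signature" and name in signed_zones})
    if not failures:
        verdict = "no-failures"
    elif stripped:
        verdict = "upstream-drops-signatures"
    else:
        verdict = "zone-specific"
    return {
        "failures": len(failures),
        "reasons": dict(Counter(reason for _, _, reason in failures)),
        "questions": sorted({f"{n} {t}" for n, t, _ in failures}),
        "degraded_servers": degraded,
        "signed_zones_without_signature": stripped,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JOURNAL).items():
        print(f"{key}: {value}")
```

Journal lines that are cut off before the failure reason, like the first block in the opening post, do not match and are skipped; feed the function untruncated output.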

#6 2018-09-18 15:03:22

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

Yes you can use the Google DNS that are very reliable (most probably more reliable than ISP provided DNS).

#7 2018-09-18 15:06:19

Kabir
Member
From: India
Registered: 2016-12-06
Posts: 59

Awesome! Thanks!

#8 2018-09-20 22:02:57

bulletmark
Member
From: Brisbane, Australia
Registered: 2013-10-22
Posts: 653

I've had odd DNS problems for the last week or so on both my Arch notebook and PC. I originally thought it was something to do with my internet provider's DNS so I changed my router DHCP server to hand out Google DNS and the problem went away. However yesterday I was out and tried to hotspot my notebook from my phone and had the problem again so I realized it was Arch related. It seems the issue is due to this change which was included in the systemd 239.0-2 -> 239.2-1 update on 14-Sep. I've changed DNSSEC=no in /etc/systemd/resolved.conf on all my Arch boxes (including Arch ARM and Arch32 etc) to avoid this issue but I am very surprised it has not affected many more people.

Last edited by bulletmark (2018-09-21 00:32:59)

#9 2018-09-21 15:48:25

Ochi
Member
Registered: 2010-04-06
Posts: 51

I'm also surprised that not more people are reporting problems. At work (IPv4 only), I wasn't able to ping Google servers (google.com, youtube.com) at all without setting DNSSEC=no. At home, resolving hosts sometimes takes a long time before ping starts working (using an IPv6 address, in case that matters). Some services (Discord in browser) don't seem to be able to connect at all without setting DNSSEC=no.

#10 2018-09-21 16:36:38

Kabir
Member
From: India
Registered: 2016-12-06
Posts: 59

I haven't had any problem after changing the DNS in my router / modem and adding it in /etc/systemd/resolved.conf

[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
#Domains=
#LLMNR=yes
#MulticastDNS=yes
DNSSEC=allow-downgrade
#DNSSEC=true
#DNSOverTLS=no
#Cache=yes
#DNSStubListener=udp

Google's DNS shows up in /run/systemd/resolve/resolv.conf, and on connecting the phone to the house wifi I can see Google's DNS servers
listed in the phone's network settings. But if I were to use the phone's mobile data and then create a hotspot I would have to root the device
to change its DNS, otherwise it won't work if the service provider of the phone doesn't support DNSSEC. Is that what you meant @bulletmark?

#11 2018-09-21 16:56:42

olive
Member
From: Belgium
Registered: 2008-06-22
Posts: 1,490

@Kabir. If you want that the phone itself uses Google DNS, this is a purely Android question which does not belong to this forum. However, if you want that the computer connected to the phone hotspot uses Google DNS, that's a setting that you can do with the computer. You should instruct the computer to accept the DHCP provided address but to override the DHCP provided DNS with the Google one (8.8.8.8) instead. How this is done depends on the way you configure the internet (on the computer). In the network manager applet, this is a simple option in the configuration. If you use systemd-networkd, just put an option saying DNS=8.8.8.8 in the network section. You should find a similar option if you use another tool. You can also use this trick if you connect to an access point that you can't manage.

Last edited by olive (2018-09-21 16:58:56)

#12 2018-09-22 00:08:08

Toolybird
Member
Registered: 2017-09-30
Posts: 72

bulletmark wrote:

I've changed DNSSEC=no in /etc/systemd/resolved.conf on all my Arch boxes (including Arch ARM and Arch32 etc) to avoid this issue but I am very surprised it has not affected many more people.

I had to disable DNSSEC too, but my circumstances were slightly different.

Using Google Public DNS here and I noticed a large performance drop in lookups while browsing. DNSSEC is documented as having a performance penalty but I was surprised how much it hurt.

#13 2018-09-22 02:59:50

bulletmark
Member
From: Brisbane, Australia
Registered: 2013-10-22
Posts: 653

Kabir wrote:

otherwise it won't work if the service provider of the phone doesn't support DNSSEC. Is that what you meant @bulletmark?

Read the Arch bug I linked to in my post above. In short, Arch recently changed the system default DNSSEC setting from "no" to "allow-downgrade". That apparently should fall back and still work for non-DNSSEC supporting servers but in practice the fallback does not seem to work in many cases.
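
The default change described here explains why validation was active in the first post even though DNSSEC was commented out in resolved.conf: a commented-out key leaves the packaged default in force. The following sketch is an added example, not code from systemd or from any poster; it computes the effective mode from a single resolved.conf text, and `build_default` is an input the caller supplies. Drop-in directories are not handled.

```python
# Boolean spellings accepted for DNSSEC= (which is why "off", "no" and
# "true" all appear in this thread); matched case-insensitively.
TRUE_WORDS = {"1", "yes", "y", "true", "t", "on"}
FALSE_WORDS = {"0", "no", "n", "false", "f", "off"}

# Security meaning of each mode as documented in resolved.conf(5).
# "tolerates_non_dnssec_server" is the documented intent; the thread
# reports the allow-downgrade fallback not working in practice.
MODE_PROPERTIES = {
    "yes": {"validates": True, "tolerates_non_dnssec_server": False,
            "downgrade_attack_possible": False},
    "allow-downgrade": {"validates": True, "tolerates_non_dnssec_server": True,
                        "downgrade_attack_possible": True},
    "no": {"validates": False, "tolerates_non_dnssec_server": True,
           "downgrade_attack_possible": False},
}

# The [Resolve] section posted in #10 of this thread.
POST10_CONF = """\
[Resolve]
DNS=8.8.8.8 8.8.4.4
FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
#Domains=
DNSSEC=allow-downgrade
#DNSSEC=true
#DNSOverTLS=no
"""

# Constructed: the state described in the first post (key commented out).
COMMENTED_OUT_CONF = "[Resolve]\n#DNSSEC=allow-downgrade\n"


def parse_mode(value):
    """Normalise a DNSSEC= value to yes / no / allow-downgrade, else None."""
    v = value.strip()
    if v.lower() in TRUE_WORDS:
        return "yes"
    if v.lower() in FALSE_WORDS:
        return "no"
    return "allow-downgrade" if v == "allow-downgrade" else None


def effective_dnssec(conf_text, build_default):
    """Return (mode, source) for one resolved.conf text.

    Only uncommented DNSSEC= lines inside [Resolve] count, the last valid
    one wins, and unparsable values are skipped (simplification).
    """
    section, mode = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section == "Resolve" and key.strip() == "DNSSEC":
            mode = parse_mode(value) or mode
    if mode is None:
        return parse_mode(build_default), "build default"
    return mode, "resolved.conf"


if __name__ == "__main__":
    for conf in (POST10_CONF, COMMENTED_OUT_CONF, "[Resolve]\nDNSSEC=off\n"):
        mode, source = effective_dnssec(conf, build_default="allow-downgrade")
        print(mode, "from", source, MODE_PROPERTIES[mode])
```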

#14 2018-09-26 15:36:02

jkhsjdhjs
Member
Registered: 2017-09-05
Posts: 39

The DNS servers of my ISP also don't support DNSSEC, had to disable DNSSEC too.
In my opinion this change should be reverted until systemd-resolved's fallback works.

There's an open systemd issue at GitHub that might be the problem we're experiencing here. It has a pull request which hasn't been merged yet.
