
#1 2020-04-21 11:23:56

thenextdon13
Member
Registered: 2013-01-18
Posts: 58

Default resolved.conf dnssec config breaks dns in some instances

It seems that the default resolved.conf combined with the default nsswitch.conf dnssec config breaks dns in some instances, due perhaps to this systemd / resolved bug:
https://github.com/systemd/systemd/issues/10579 (or perhaps some other newer bug?)

Is there anything that can be done / bugs filed to change the defaults for Arch? Or put a note on the wiki page for systemd-resolved? Or has this already been discussed...

Here's the default configuration that had me chasing around weird ping and ssh resolution issues when host and nslookup worked fine.

[kodiuser@kodiarch ~]$ grep hosts /etc/nsswitch.conf
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ grep DNSSEC /etc/systemd/resolved.conf 
#DNSSEC=allow-downgrade
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ sudo resolvectl dnssec 
Global: allow-downgrade
Link 3 (wlp1s0): allow-downgrade
Link 2 (eno1): allow-downgrade
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ resolvectl query bigbox
bigbox: resolve call failed: DNSSEC validation failed: no-signature
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ ping bigbox
ping: bigbox: Name or service not known
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ host bigbox
bigbox.dryhollow has address 192.168.11.10
[kodiuser@kodiarch ~]$ 


Here I've set resolvectl dnssec to 'no', and it fixes the problem.

[kodiuser@kodiarch ~]$ grep hosts /etc/nsswitch.conf
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ grep DNSSEC /etc/systemd/resolved.conf 
#DNSSEC=allow-downgrade
DNSSEC= no
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ sudo resolvectl dnssec 
Global: no
Link 3 (wlp1s0): no
Link 2 (eno1): no
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ resolvectl query bigbox
bigbox: 192.168.11.10                          -- link: eno1
        (bigbox.dryhollow)

-- Information acquired via protocol DNS in 2.1ms.
-- Data is authenticated: no
[kodiuser@kodiarch ~]$ 

[kodiuser@kodiarch ~]$ ping bigbox
PING bigbox.dryhollow (192.168.11.10) 56(84) bytes of data.
64 bytes from bigbox.dryhollow (192.168.11.10): icmp_seq=1 ttl=64 time=0.576 ms
^C
--- bigbox.dryhollow ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.576/0.576/0.576/0.000 ms
[kodiuser@kodiarch ~]$ 

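The behaviour in the post follows from how glibc walks the hosts line: with `resolve [!UNAVAIL=return] dns`, any result from nss-resolve other than "unavailable" ends the lookup, so a DNSSEC validation failure reported by systemd-resolved is a hard failure for ping and ssh and the `dns` module is never consulted; `host` and `nslookup` bypass NSS and talk to the nameserver directly, which is why they still worked. The simulator below is an added example, not code from the post or from systemd/glibc; the per-service results are constructed, and the assumption that nss-resolve reports a validation failure as a NOTFOUND-style result (rather than UNAVAIL) is this model's, as is the `simulate` helper name.

```python
# Added example (not from the forum post): a small simulator of glibc NSS
# action semantics for the 'hosts' line, used to show why the Arch default
# 'resolve [!UNAVAIL=return] dns' stops at a DNSSEC validation failure
# instead of falling through to the 'dns' module. Service results below are
# constructed for illustration; mapping a resolved DNSSEC failure to a
# NOTFOUND result from nss-resolve is an assumption of this model.
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: stop on success, otherwise try the next service
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

ARCH_DEFAULT = "hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns"


def parse_hosts_line(line):
    """Parse an nsswitch.conf 'hosts:' line into [(service, {status: action})].

    A '[...]' block applies to the service immediately before it. '!STATUS'
    means 'every status except STATUS', so '[!UNAVAIL=return]' sets
    SUCCESS, NOTFOUND and TRYAGAIN to 'return' and leaves UNAVAIL as 'continue'.
    """
    _, _, spec = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action block before any service: %r" % tok)
        _, actions = entries[-1]
        for item in tok[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")
            status = status.lstrip("!").upper()
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                actions[s] = action.lower()
    return entries


def lookup(entries, results):
    """Walk the service list with the given per-service results.

    results maps service -> (status, value). A service with no entry is
    treated as UNAVAIL (module not installed / daemon not running).
    Returns (value or None, trail of 'service=STATUS' strings visited).
    """
    trail = []
    for service, actions in entries:
        status, value = results.get(service, ("UNAVAIL", None))
        trail.append("%s=%s" % (service, status))
        if actions[status] == "return":
            return (value if status == "SUCCESS" else None), trail
        # 'continue' (merge is treated as continue here): try the next service
    return None, trail


# Constructed scenarios for the host 'bigbox' from the post.
_MISS = ("NOTFOUND", None)
SCENARIOS = {
    # resolved running, DNSSEC=allow-downgrade, local zone unsigned -> validation failed
    "dnssec_failure": {"files": _MISS, "mymachines": _MISS, "myhostname": _MISS,
                       "resolve": ("NOTFOUND", None),
                       "dns": ("SUCCESS", "192.168.11.10")},
    # resolved not running at all -> nss-resolve reports UNAVAIL
    "resolved_down": {"files": _MISS, "mymachines": _MISS, "myhostname": _MISS,
                      "resolve": ("UNAVAIL", None),
                      "dns": ("SUCCESS", "192.168.11.10")},
    # DNSSEC=no -> resolved answers without validating
    "dnssec_off": {"files": _MISS, "mymachines": _MISS, "myhostname": _MISS,
                   "resolve": ("SUCCESS", "192.168.11.10"),
                   "dns": ("SUCCESS", "192.168.11.10")},
}


def simulate(scenario, hosts_line=ARCH_DEFAULT):
    """Run one scenario against a hosts line; returns (value, trail)."""
    return lookup(parse_hosts_line(hosts_line), SCENARIOS[scenario])


if __name__ == "__main__":
    for name in SCENARIOS:
        value, trail = simulate(name)
        print("%-15s -> %-14s via %s" % (name, value, " > ".join(trail)))
```

Running it shows the three outcomes side by side: with the default line the validation failure returns no address after `resolve=NOTFOUND`, while a stopped resolved (UNAVAIL) falls through to `dns`, and DNSSEC=no succeeds at `resolve`. Passing `"hosts: files resolve dns"` to `simulate` shows the fall-through that the `[!UNAVAIL=return]` block deliberately prevents: without it a validation failure would be silently bypassed by an unvalidated `dns` lookup, which is the trade-off to weigh before copying the DNSSEC=no workaround.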

#2 2020-04-21 11:39:31

thenextdon13
Member
Registered: 2013-01-18
Posts: 58

Re: Default resolved.conf dnssec config breaks dns in some instances

Aaaand I just checked the wiki page, and see that there is a note there.
Sorry for the noise.
https://wiki.archlinux.org/index.php/Sy … ved#DNSSEC

