
systemd-resolved: resolve call failed: DNSSEC validation failed: failed-auxiliary #4003

@mikken

Description

Submission type

  • Bug report

systemd version the issue has been seen with

231

Used distribution

Gentoo

Unexpected behaviour you saw

I see a failed resolution with some domain names, this is one example:

systemd-resolve echo.msk.ru
echo.msk.ru: resolve call failed: DNSSEC validation failed: failed-auxiliary

I saw similar reports in already closed bugs, but they seem to have been fixed by v231, and this happens in v231.
I can reproduce with both DNSSEC=yes and DNSSEC=allow-downgrade.
My upstream Unbound server with DNSSEC checks enabled sees no problem with these names.

Some logs:

Positive Trust Anchors:
. IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa corp home internal intranet lan local private test
Using system hostname 'melforce'.
New scope on link *, protocol dns, family *
Found new link 5/vboxnet0
Found new link 4/vpn0
Found new link 3/br0
Found new link 2/eth0
Found new link 1/lo
New scope on link eth0, protocol dns, family *
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello cookie=1 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=1 reply_cookie=1 error=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RequestName cookie=2 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=4 reply_cookie=2 error=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=3 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=5 reply_cookie=3 error=n/a
Got message type=signal sender=org.freedesktop.DBus destination=:1.7625 object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=2 reply_cookie=0 error=n/a
Got message type=signal sender=org.freedesktop.DBus destination=:1.7625 object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=NameAcquired cookie=3 reply_cookie=0 error=n/a
Got message type=method_call sender=:1.7626 destination=org.freedesktop.resolve1 object=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname cookie=2 reply_cookie=0 error=n/a
Looking up RR for echo.msk.ru IN A.
Looking up RR for echo.msk.ru IN AAAA.
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=4 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=6 reply_cookie=4 error=n/a
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=5 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=7 reply_cookie=5 error=n/a
Cache miss for echo.msk.ru IN A
Transaction 10489 for <echo.msk.ru IN A> scope dns on */*.
Transaction 10489 for <echo.msk.ru IN A> on scope dns on */* now complete with <no-servers> from none (unsigned).
Cache miss for echo.msk.ru IN AAAA
Transaction 64922 for <echo.msk.ru IN AAAA> scope dns on */*.
Transaction 64922 for <echo.msk.ru IN AAAA> on scope dns on */* now complete with <no-servers> from none (unsigned).
Switching to DNS server 192.168.1.6 for interface eth0.
Cache miss for echo.msk.ru IN A
Transaction 59745 for <echo.msk.ru IN A> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 59745.
Using DNS server 192.168.1.6 for transaction 59745.
Sending query packet with id 59745.
Cache miss for echo.msk.ru IN AAAA
Transaction 60331 for <echo.msk.ru IN AAAA> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 60331.
Using DNS server 192.168.1.6 for transaction 60331.
Sending query packet with id 60331.
Processing incoming packet on transaction 59745.
Verified we get a response at feature level UDP+EDNS0+DO from DNS server 192.168.1.6.
Requesting SOA to validate transaction 59745 (echo.msk.ru, unsigned non-SOA/NS RRset <echo.msk.ru IN A 190.115.28.10>).
Cache miss for echo.msk.ru IN SOA
Transaction 27080 for <echo.msk.ru IN SOA> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 27080.
Using DNS server 192.168.1.6 for transaction 27080.
Sending query packet with id 27080.
Processing incoming packet on transaction 60331.
Requesting SOA to validate transaction 60331 (echo.msk.ru, unsigned empty non-SOA/NS/DS response).
Processing incoming packet on transaction 27080.
Requesting DS to validate transaction 27080 (echo.msk.ru, unsigned SOA/NS RRset).
Cache miss for echo.msk.ru IN DS
Transaction 43171 for <echo.msk.ru IN DS> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 43171.
Using DNS server 192.168.1.6 for transaction 43171.
Sending query packet with id 43171.
Processing incoming packet on transaction 43171.
Requesting DNSKEY to validate transaction 43171 (O3B20RS3AQ050A8ODKR8SVJFOO58JV03.msk.ru, RRSIG with key tag: 42318).
Cache miss for msk.ru IN DNSKEY
Transaction 6326 for <msk.ru IN DNSKEY> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 6326.
Using DNS server 192.168.1.6 for transaction 6326.
Sending query packet with id 6326.
Requesting DNSKEY to validate transaction 43171 (msk.ru, RRSIG with key tag: 42318).
Processing incoming packet on transaction 6326.
Requesting DS to validate transaction 6326 (msk.ru, DNSKEY with key tag: 42318).
Cache miss for msk.ru IN DS
Transaction 24036 for <msk.ru IN DS> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 24036.
Using DNS server 192.168.1.6 for transaction 24036.
Sending query packet with id 24036.
Requesting DS to validate transaction 6326 (msk.ru, DNSKEY with key tag: 63316).
Processing incoming packet on transaction 24036.
Requesting DNSKEY to validate transaction 24036 (msk.ru, RRSIG with key tag: 53664).
Cache miss for ru IN DNSKEY
Transaction 15397 for <ru IN DNSKEY> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 15397.
Using DNS server 192.168.1.6 for transaction 15397.
Sending query packet with id 15397.
Processing incoming packet on transaction 15397.
Requesting DS to validate transaction 15397 (ru, DNSKEY with key tag: 53664).
Cache miss for ru IN DS
Transaction 29365 for <ru IN DS> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 29365.
Using DNS server 192.168.1.6 for transaction 29365.
Sending query packet with id 29365.
Requesting DS to validate transaction 15397 (ru, DNSKEY with key tag: 30526).
Processing incoming packet on transaction 29365.
Requesting DNSKEY to validate transaction 29365 (ru, RRSIG with key tag: 46551).
Cache miss for . IN DNSKEY
Transaction 6394 for <. IN DNSKEY> scope dns on eth0/*.
Using feature level UDP+EDNS0+DO+LARGE for transaction 6394.
Using DNS server 192.168.1.6 for transaction 6394.
Sending query packet with id 6394.
Processing incoming packet on transaction 6394.
Requesting DS to validate transaction 6394 (., DNSKEY with key tag: 19036).
Requesting DS to validate transaction 6394 (., DNSKEY with key tag: 46551).
Validating response from transaction 6394 (. IN DNSKEY).
Looking at . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJR
                            kxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtu
                            A6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwh
                            YB4N7knNnulqQxA+Uk1ihz0=
        -- Flags: SEP ZONE_KEY
        -- Key tag: 19036: validated
Found verdict for lookup . IN DNSKEY: secure
Added positive authenticated cache entry for . IN DNSKEY 7200s on */INET/192.168.1.6
Added positive authenticated cache entry for . IN DNSKEY 7200s on */INET/192.168.1.6
Transaction 6394 for <. IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Validating response from transaction 29365 (ru IN DS).
Looking at ru IN DS 30526 8 2 d25b218ff1a386c340712ec2694a42f12066b90c69123b4264827cdf3ae6b7a8: validated
Found verdict for lookup ru IN DS: secure
Added positive authenticated cache entry for ru IN DS 7200s on */INET/192.168.1.6
Transaction 29365 for <ru IN DS> on scope dns on eth0/* now complete with <success> from network (authenticated).
Validating response from transaction 15397 (ru IN DNSKEY).
Looking at ru IN DNSKEY 256 3 RSASHA256 AwEAAb7qCOMC2eJ9XDMWbh3tEQ5eWKu76tdmeFm4v6SVY62ki9o/zPQSDvCJ/ZT5OeLjxbrMyUIJ126v92O3Sfsw/zNO3Eut89MzhL1Bf+T
                             Op2lPRTDTdOP0eJAxUnSRcAHF9jLzVZ+sdyOssMBkzmj1XvNl9E3yUFm65/sZMeN4o/Ad
        -- Flags: ZONE_KEY
        -- Key tag: 53664: validated
Found verdict for lookup ru IN DNSKEY: secure
Added positive authenticated cache entry for ru IN DNSKEY 3869s on */INET/192.168.1.6
Added positive authenticated cache entry for ru IN DNSKEY 3869s on */INET/192.168.1.6
Transaction 15397 for <ru IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Validating response from transaction 24036 (msk.ru IN DS).
Looking at msk.ru IN DS 63316 8 2 5242e22d335029e01dc7c123fdaee8bdafdb30bc0f1d1bff399ff2808b25016b: validated
Found verdict for lookup msk.ru IN DS: secure
Added positive authenticated cache entry for msk.ru IN DS 4227s on */INET/192.168.1.6
Transaction 24036 for <msk.ru IN DS> on scope dns on eth0/* now complete with <success> from network (authenticated).
Validating response from transaction 6326 (msk.ru IN DNSKEY).
Looking at msk.ru IN DNSKEY 256 3 RSASHA256 AwEAAcPukUt/Qn9uUQTU8CiDJAfhmR1boxYui9jm5yzPqNqpt/A0x1k/WTLEUle+RTuXmu1j2gCeedW7AB23GaJdontBZoA1cEqwL/M
                                 ksrokjIz/lROV5NC9qFOS49ZGXEVRERRAJnH4CLXhIaNBZREsvBXfhP9IpVzlogzizmb514FB
        -- Flags: ZONE_KEY
        -- Key tag: 42318: validated
Found verdict for lookup msk.ru IN DNSKEY: secure
Added positive authenticated cache entry for msk.ru IN DNSKEY 2133s on */INET/192.168.1.6
Added positive authenticated cache entry for msk.ru IN DNSKEY 2133s on */INET/192.168.1.6
Transaction 6326 for <msk.ru IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Validating response from transaction 43171 (echo.msk.ru IN DS).
Looking at O3B20RS3AQ050A8ODKR8SVJFOO58JV03.msk.ru IN NSEC3 1 1 10 00ff O3B20RS3AQ050A8ODKR8SVJFOO58JV03 ( NS SOA RRSIG DNSKEY NSEC3PARAM ): validated
Found verdict for lookup O3B20RS3AQ050A8ODKR8SVJFOO58JV03.msk.ru IN NSEC3: secure
Looking at msk.ru IN SOA ns3-geo.nic.ru hostmaster.nic.ru 53895 7200 900 2592000 3600: validated
Found verdict for lookup msk.ru IN SOA: secure
Transaction 43171 for <echo.msk.ru IN DS> on scope dns on eth0/* now complete with <EINVAL> from network (unsigned).
Auxiliary DNSSEC RR query failed with errno
DNSSEC validation failed for question echo.msk.ru IN SOA: failed-auxiliary
Transaction 27080 for <echo.msk.ru IN SOA> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned).
Auxiliary DNSSEC RR query failed validation: failed-auxiliary
DNSSEC validation failed for question echo.msk.ru IN A: failed-auxiliary
Transaction 59745 for <echo.msk.ru IN A> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned).
Auxiliary DNSSEC RR query failed validation: failed-auxiliary
DNSSEC validation failed for question echo.msk.ru IN AAAA: failed-auxiliary
Transaction 60331 for <echo.msk.ru IN AAAA> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned).
Freeing transaction 10489.
Freeing transaction 64922.
Freeing transaction 59745.
Sent message type=error sender=n/a destination=:1.7626 object=n/a interface=n/a member=n/a cookie=6 reply_cookie=2 error=DNSSEC validation failed: failed-auxiliary
Sent message type=method_call sender=n/a destination=org.freedesktop.DBus object=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=7 reply_cookie=0 error=n/a
Got message type=method_return sender=org.freedesktop.DBus destination=:1.7625 object=n/a interface=n/a member=n/a cookie=8 reply_cookie=7 error=n/a
Freeing transaction 60331.
Freeing transaction 27080.
Freeing transaction 43171.
Freeing transaction 6326.
Freeing transaction 24036.
Freeing transaction 15397.
Freeing transaction 29365.
Freeing transaction 6394.
^CRemoving scope on link eth0, protocol dns, family *
Removing scope on link *, protocol dns, family *
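As an added example that is not part of this issue or of systemd: a small Python script that parses the line formats in the debug log above (transaction creation and completion lines, the "Requesting ... to validate transaction ..." lines, and the "DNSSEC validation failed for question ..." verdict lines) and walks the auxiliary-query dependencies from the failing lookup down to the query that actually broke. Run on a trimmed excerpt of the log, it shows that the chain of trust validated from the root down to msk.ru IN DNSKEY, and that the failure originates in the echo.msk.ru IN DS transaction, which completed with EINVAL; the SOA, A and AAAA transactions then fail with failed-auxiliary only because they depended on it. The line formats and the sample lines come from the log in this issue; the function names are mine, and the script assumes the log is the plain text of `systemd-resolved` debug output.

```python
"""Reconstruct the DNSSEC auxiliary-query chain from systemd-resolved debug output.

Added example, not systemd code. It parses the line formats seen in the issue's
log and follows a failed lookup through the auxiliary queries it waited on.
"""
import re

# Constructed sample: a trimmed excerpt of the debug log from this issue.
SAMPLE_LOG = """\
Transaction 59745 for <echo.msk.ru IN A> scope dns on eth0/*.
Requesting SOA to validate transaction 59745 (echo.msk.ru, unsigned non-SOA/NS RRset <echo.msk.ru IN A 190.115.28.10>).
Cache miss for echo.msk.ru IN SOA
Transaction 27080 for <echo.msk.ru IN SOA> scope dns on eth0/*.
Requesting DS to validate transaction 27080 (echo.msk.ru, unsigned SOA/NS RRset).
Cache miss for echo.msk.ru IN DS
Transaction 43171 for <echo.msk.ru IN DS> scope dns on eth0/*.
Requesting DNSKEY to validate transaction 43171 (O3B20RS3AQ050A8ODKR8SVJFOO58JV03.msk.ru, RRSIG with key tag: 42318).
Cache miss for msk.ru IN DNSKEY
Transaction 6326 for <msk.ru IN DNSKEY> scope dns on eth0/*.
Requesting DNSKEY to validate transaction 43171 (msk.ru, RRSIG with key tag: 42318).
Requesting DS to validate transaction 6326 (msk.ru, DNSKEY with key tag: 42318).
Cache miss for msk.ru IN DS
Transaction 24036 for <msk.ru IN DS> scope dns on eth0/*.
Requesting DNSKEY to validate transaction 24036 (msk.ru, RRSIG with key tag: 53664).
Cache miss for ru IN DNSKEY
Transaction 15397 for <ru IN DNSKEY> scope dns on eth0/*.
Requesting DS to validate transaction 15397 (ru, DNSKEY with key tag: 53664).
Cache miss for ru IN DS
Transaction 29365 for <ru IN DS> scope dns on eth0/*.
Requesting DNSKEY to validate transaction 29365 (ru, RRSIG with key tag: 46551).
Cache miss for . IN DNSKEY
Transaction 6394 for <. IN DNSKEY> scope dns on eth0/*.
Requesting DS to validate transaction 6394 (., DNSKEY with key tag: 19036).
Transaction 6394 for <. IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Transaction 29365 for <ru IN DS> on scope dns on eth0/* now complete with <success> from network (authenticated).
Transaction 15397 for <ru IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Transaction 24036 for <msk.ru IN DS> on scope dns on eth0/* now complete with <success> from network (authenticated).
Transaction 6326 for <msk.ru IN DNSKEY> on scope dns on eth0/* now complete with <success> from network (authenticated).
Transaction 43171 for <echo.msk.ru IN DS> on scope dns on eth0/* now complete with <EINVAL> from network (unsigned).
DNSSEC validation failed for question echo.msk.ru IN SOA: failed-auxiliary
Transaction 27080 for <echo.msk.ru IN SOA> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned).
DNSSEC validation failed for question echo.msk.ru IN A: failed-auxiliary
Transaction 59745 for <echo.msk.ru IN A> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned).
"""

CREATE = re.compile(r"^Transaction (\d+) for <(.+?)> scope dns on \S+\.$")
COMPLETE = re.compile(r"^Transaction (\d+) for <(.+?)> on scope dns on \S+ now complete with <([^>]+)> from \w+ \((\w+)\)\.$")
REQUEST = re.compile(r"^Requesting (\w+) to validate transaction (\d+) \(([^,]+),")
CACHE_MISS = re.compile(r"^Cache miss for (.+)$")
DNSSEC_FAIL = re.compile(r"^DNSSEC validation failed for question (.+?): (\S+)$")


def parse_log(text):
    """Return (transactions, deps, by_question, verdicts) from resolved's debug lines."""
    transactions, deps, by_question, verdicts = {}, {}, {}, {}
    pending = None  # (parent txid, rrtype, owner) from the last "Requesting" line

    def resolve_pending(line):
        # The owner in parentheses can be an RRSIG owner (the NSEC3 hash name in the
        # log), so prefer the "Cache miss for <question>" line that follows when present.
        parent, rrtype, owner = pending
        m = CACHE_MISS.match(line) if line is not None else None
        deps.setdefault(parent, set()).add(m.group(1) if m else f"{owner} IN {rrtype}")

    for line in text.splitlines():
        line = line.strip()
        if pending:
            resolve_pending(line)
            pending = None
        if m := COMPLETE.match(line):
            tx = transactions.setdefault(int(m.group(1)), {"question": m.group(2)})
            tx.update(result=m.group(3), auth=m.group(4))
        elif m := CREATE.match(line):
            transactions[int(m.group(1))] = {"question": m.group(2), "result": None, "auth": None}
            by_question[m.group(2)] = int(m.group(1))
        elif m := REQUEST.match(line):
            pending = (int(m.group(2)), m.group(1), m.group(3))
        elif m := DNSSEC_FAIL.match(line):
            verdicts[m.group(1)] = m.group(2)
    if pending:
        resolve_pending(None)
    return transactions, deps, by_question, verdicts


def failure_chain(txid, transactions, deps, by_question):
    """Follow a failed transaction through its auxiliary queries to the first one
    that did not complete with <success>. Outermost lookup first, root cause last."""
    tx = transactions[txid]
    path = [(txid, tx["question"], tx["result"])]
    for q in sorted(deps.get(txid, ())):
        aux = by_question.get(q)  # trust-anchor checks (". IN DS") never become transactions
        if aux is None or transactions[aux]["result"] == "success":
            continue
        return path + failure_chain(aux, transactions, deps, by_question)
    return path


def diagnose(text, question):
    """Map a failing lookup such as "echo.msk.ru IN A" to its DNSSEC verdict and the
    auxiliary query at the bottom of the failure chain."""
    transactions, deps, by_question, verdicts = parse_log(text)
    chain = failure_chain(by_question[question], transactions, deps, by_question)
    return {"verdict": verdicts.get(question), "chain": [q for _, q, _ in chain], "root_cause": chain[-1]}


def authenticated(text):
    """Questions whose answers were DNSSEC-authenticated, i.e. the intact part of the chain."""
    transactions = parse_log(text)[0]
    return sorted(t["question"] for t in transactions.values() if t.get("auth") == "authenticated")


if __name__ == "__main__":
    print("authenticated:", authenticated(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, "echo.msk.ru IN A"))
```

The walk stops at the echo.msk.ru IN DS transaction because the only auxiliary query it waited on (msk.ru IN DNSKEY) completed with success; that makes EINVAL on the DS lookup the first thing to look at when reading a trace like this, rather than the failed-auxiliary verdicts reported on the A and AAAA lookups that merely inherited it.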
