Description
Hi,
Running Debian unstable with systemd 232-7 (compiled with "Default DNSSEC mode: allow-downgrade").
My resolver is set to my ISP box (this is different from my last DNS/DNSSEC issues with resolved) that doesn't seem to support DNSSEC.
From time to time, DNS resolution fails completely for a few seconds.
When the problem occurs I'm seeing the following messages:
déc 11 19:58:51 fornost systemd-resolved[1190]: Switching to system DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question org IN DNSKEY: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question org IN SOA: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question debian.org IN DS: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question debian.org IN DNSKEY: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question nl.debian.org IN DS: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question nl.debian.org IN SOA: no-signature
[...]
déc 11 19:59:29 fornost systemd-resolved[1190]: Switching to system DNS server fe80::9e97:26ff:fe92:c82%2.
déc 11 19:59:29 fornost systemd-resolved[1190]: Switching to system DNS server 192.168.1.1.
déc 11 19:59:29 fornost systemd-resolved[1190]: Using degraded feature set (UDP+EDNS0) for DNS server 192.168.1.1.
I see the messages about "no-signature" at all times (even when there are no issues).
$ grep -e ^hosts /etc/nsswitch.conf
hosts: files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mdns4 mymachines
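
Added example, not part of the original report and not systemd code: a small Python parser for the systemd-resolved messages quoted above. It reports each cycle in which a server is put back on the full feature set and later degraded again, along with the DNSSEC questions that failed in between. The function name `flap_windows` and the sample are constructed here; attributing failures to every open window is an assumption, since the failure lines do not name a server.

```python
import re

TIME = re.compile(r"\b(\d\d):(\d\d):(\d\d)\b")
RESUME = re.compile(r"resuming full feature set \(([^)]+)\) for DNS server (\S+?)\.$")
DEGRADE = re.compile(r"Using degraded feature set \(([^)]+)\) for DNS server (\S+?)\.$")
FAILED = re.compile(r"DNSSEC validation failed for question (.+): (\S+)$")

# Constructed sample that reuses the message formats quoted in the report.
SAMPLE = """\
déc 11 19:58:51 fornost systemd-resolved[1190]: Switching to system DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question org IN DNSKEY: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question debian.org IN DS: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question nl.debian.org IN SOA: no-signature
déc 11 19:59:29 fornost systemd-resolved[1190]: Switching to system DNS server fe80::9e97:26ff:fe92:c82%2.
déc 11 19:59:29 fornost systemd-resolved[1190]: Using degraded feature set (UDP+EDNS0) for DNS server 192.168.1.1.
"""

def flap_windows(text):
    """Return one dict per full-feature-set -> degraded cycle, per DNS server."""
    windows, open_ = [], {}
    for line in text.splitlines():
        line = line.strip()
        t = TIME.search(line)
        if not t:
            continue
        # The month abbreviation is locale dependent ("déc"), so only the
        # time of day is parsed; a cycle crossing midnight is handled below.
        secs = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3])
        if m := RESUME.search(line):
            open_[m[2]] = {"server": m[2], "full": m[1], "start": secs, "failures": []}
        elif m := FAILED.search(line):
            # Assumption: count the failure against every server still open.
            for w in open_.values():
                w["failures"].append((m[1], m[2]))
        elif m := DEGRADE.search(line):
            w = open_.pop(m[2], None)
            if w:
                w["seconds"] = (secs - w.pop("start")) % 86400
                w["degraded_to"] = m[1]
                windows.append(w)
    return windows

if __name__ == "__main__":
    for w in flap_windows(SAMPLE):
        print(f'{w["server"]}: {w["full"]} -> {w["degraded_to"]} after '
              f'{w["seconds"]}s, {len(w["failures"])} validation failures')
```

Real input can be taken from `journalctl -u systemd-resolved` output and passed to `flap_windows` as a string.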