Hi,

Running debian unstable with systemd 232-7 (compiled with "Default DNSSEC mode: allow-downgrade")

My resolver is set to my ISP box (this is different from my last DNS/DNSSEC issues with resolved) that doesn't seems to support DNSSEC.

From time to time, DNS resolution fails completely for a few seconds.

When the problem occurs I'm seeing the following messages:

déc 11 19:58:51 fornost systemd-resolved[1190]: Switching to system DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: Grace period over, resuming full feature set (UDP+EDNS0+DO+LARGE) for DNS server 192.168.1.1.
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question org IN DNSKEY: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question org IN SOA: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question debian.org IN DS: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question debian.org IN DNSKEY: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question nl.debian.org IN DS: no-signature
déc 11 19:58:51 fornost systemd-resolved[1190]: DNSSEC validation failed for question nl.debian.org IN SOA: no-signature
[...]
déc 11 19:59:29 fornost systemd-resolved[1190]: Switching to system DNS server fe80::9e97:26ff:fe92:c82%2.
déc 11 19:59:29 fornost systemd-resolved[1190]: Switching to system DNS server 192.168.1.1.
déc 11 19:59:29 fornost systemd-resolved[1190]: Using degraded feature set (UDP+EDNS0) for DNS server 192.168.1.1.

I see the messages about "no-signature" at all time (even when there is no issues)

$ grep -e ^hosts /etc/nsswitch.conf 
hosts:          files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns mdns4 mymachines