resolved: non-address lookups fail with unsupported DNSSEC #5029

Description

@martinpitt

Submission type

  • Bug report
  • Request for enhancement (RFE)

systemd version the issue has been seen with

232, git master

Used distribution

Fedora 25, Ubuntu zesty

While writing a test case for PR #4808 I stumbled over an unrelated resolved bug: Our dnsmasq test server does not support DNSSEC, and the test is trying to do an MX lookup which fails due to some buggy fallback.

This is reproducible with our tests when dropping the workaround:

--- a/test/networkd-test.py
+++ b/test/networkd-test.py
@@ -507,14 +507,6 @@ Domains= ~company ~lab''')
     def test_resolved_etc_hosts(self):
         '''resolved queries to /etc/hosts'''
 
-        # FIXME: -t MX query fails with enabled DNSSEC (even when using
-        # the known negative trust anchor .internal instead of .example)
-        conf = '/run/systemd/resolved.conf.d/test-disable-dnssec.conf'
-        os.makedirs(os.path.dirname(conf), exist_ok=True)
-        with open(conf, 'w') as f:
-            f.write('[Resolve]\nDNSSEC=no')
-        self.addCleanup(os.remove, conf)
-
         # create /etc/hosts bind mount which resolves my.example for IPv4
         hosts = os.path.join(self.workdir, 'hosts')
         with open(hosts, 'w') as f:
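Review bot: the removed workaround cleans up only the drop-in file (`self.addCleanup(os.remove, conf)`) but leaves the `/run/systemd/resolved.conf.d` directory that `os.makedirs` created, and nothing in this hunk shows resolved being restarted after the drop-in is written, so the `DNSSEC=no` setting only takes effect if the service is (re)started later in the test. If the workaround is reinstated while this bug is open, the FIXME should reference this issue so the DNSSEC=no drop-in is clearly a test-only concession, the cleanup should remove the directory when the test created it, and the test should make the restart explicit rather than relying on setup ordering.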
$ test/networkd-test.py -f DnsmasqClientTest.test_resolved_etc_hosts
[...]
ERROR: test_resolved_etc_hosts (__main__.DnsmasqClientTest)
resolved queries to /etc/hosts
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/martin/upstream/systemd/test/networkd-test.py", line 541, in test_resolved_etc_hosts
    out = subprocess.check_output(['systemd-resolve', '--type=MX', 'example'])
  File "/usr/lib64/python3.5/subprocess.py", line 626, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.5/subprocess.py", line 708, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['systemd-resolve', '--type=MX', 'example']' returned non-zero exit status 1

Under Ubuntu the resolved log shows:

systemd-resolved[21055]: Server 192.168.5.1 does not support DNSSEC, downgrading to non-DNSSEC mode
systemd-resolved[21055]: DNSSEC validation failed for question other.intranet IN A: failed-auxiliary

Under Fedora (in nspawn) it looks even weirder:

Jan 05 18:06:08 systemd systemd-resolved[282]: Switching to DNS server 192.168.5.1 for interface test_eth42.
Jan 05 18:06:08 systemd systemd-resolved[282]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 192.168.5.1.
Jan 05 18:06:12 systemd systemd-resolved[282]: Switching to DNS server 2600::1 for interface test_eth42.
Jan 05 18:06:12 systemd systemd-resolved[282]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 2600::1.
Jan 05 18:06:16 systemd systemd-resolved[282]: Switching to DNS server fe80::ac9b:d5ff:fe97:a7a5%12 for interface test_eth42.
Jan 05 18:06:16 systemd systemd-resolved[282]: Using degraded feature set (UDP+EDNS0+DO) for DNS server fe80::ac9b:d5ff:fe97:a7a5%12.
Jan 05 18:06:21 systemd systemd-resolved[282]: Switching to DNS server 192.168.5.1 for interface test_eth42.

and no error messages, but dnsmasq gets spammed until it gives up:

Jan  5 18:06:25 dnsmasq[279]: query[SOA] example from fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: forwarded example to fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: query[SOA] example from fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: forwarded example to fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: Maximum number of concurrent DNS queries reached (max: 150)

I figure this is because of some different dnsmasq behaviour or different "real" nameservers in /etc/resolv.conf. But it works in both environments without DNSSEC.

I didn't track this down further yet, but filing this now to avoid forgetting about it.
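As an added triage example, not part of the issue or of systemd's own code: the two journal excerpts above already carry the whole symptom signature (resolved cycling through its upstream servers with a degraded feature set, the explicit "does not support DNSSEC" downgrade with a following validation failure, and dnsmasq being hammered with repeated SOA queries until it hits its concurrent-query limit). The script below parses constructed sample lines modelled on those excerpts and flags that pattern so an operator can spot it in a real journal. The regular expressions, the thresholds and the `assess` function are my own assumptions; they match only the message shapes quoted in the issue, not every format resolved or dnsmasq can emit.

```python
"""Flag the DNSSEC-downgrade retry storm pattern in resolved and dnsmasq log excerpts.

Added example; regex shapes and thresholds are assumptions derived from the
lines quoted in systemd issue #5029, not an official log format.
"""
import re
from collections import Counter

# Constructed sample input, modelled on the journal excerpts quoted in the issue.
RESOLVED_LOG = """\
Jan 05 18:06:08 systemd systemd-resolved[282]: Switching to DNS server 192.168.5.1 for interface test_eth42.
Jan 05 18:06:08 systemd systemd-resolved[282]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 192.168.5.1.
Jan 05 18:06:12 systemd systemd-resolved[282]: Switching to DNS server 2600::1 for interface test_eth42.
Jan 05 18:06:12 systemd systemd-resolved[282]: Using degraded feature set (UDP+EDNS0+DO) for DNS server 2600::1.
Jan 05 18:06:16 systemd systemd-resolved[282]: Switching to DNS server fe80::ac9b:d5ff:fe97:a7a5%12 for interface test_eth42.
Jan 05 18:06:21 systemd systemd-resolved[282]: Switching to DNS server 192.168.5.1 for interface test_eth42.
Jan 05 18:06:25 systemd systemd-resolved[282]: Server 192.168.5.1 does not support DNSSEC, downgrading to non-DNSSEC mode
Jan 05 18:06:25 systemd systemd-resolved[282]: DNSSEC validation failed for question other.intranet IN A: failed-auxiliary
"""

DNSMASQ_LOG = """\
Jan  5 18:06:25 dnsmasq[279]: query[SOA] example from fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: forwarded example to fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: query[SOA] example from fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: forwarded example to fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: query[SOA] example from fe80::ac9b:d5ff:fe97:a7a5
Jan  5 18:06:25 dnsmasq[279]: Maximum number of concurrent DNS queries reached (max: 150)
"""

# Message shapes taken from the quoted lines (assumed stable only for these messages).
SWITCH_RE = re.compile(r"Switching to DNS server (\S+) for interface (\S+)\.")
DEGRADED_RE = re.compile(r"Using degraded feature set \(([^)]+)\) for DNS server (\S+)\.")
DOWNGRADE_RE = re.compile(r"Server (\S+) does not support DNSSEC, downgrading to non-DNSSEC mode")
VALIDATION_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)")
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
MAX_RE = re.compile(r"Maximum number of concurrent DNS queries reached \(max: (\d+)\)")


def parse_resolved(text):
    """Collect server switches per interface, degraded servers, downgrades and validation failures."""
    report = {"switches": Counter(), "degraded": {}, "downgraded": set(), "validation_failures": []}
    for line in text.splitlines():
        m = SWITCH_RE.search(line)
        if m:
            report["switches"][m.group(2)] += 1
            continue
        m = DEGRADED_RE.search(line)
        if m:
            report["degraded"][m.group(2)] = m.group(1)
            continue
        m = DOWNGRADE_RE.search(line)
        if m:
            report["downgraded"].add(m.group(1))
            continue
        m = VALIDATION_RE.search(line)
        if m:
            report["validation_failures"].append((m.group(1), m.group(2), m.group(3)))
    return report


def parse_dnsmasq(text):
    """Count queries per (type, name), forwards per name, and record the concurrency limit if hit."""
    report = {"queries": Counter(), "forwarded": Counter(), "max_concurrent": None}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            report["queries"][(m.group(1), m.group(2))] += 1
            continue
        m = FORWARD_RE.search(line)
        if m:
            report["forwarded"][m.group(1)] += 1
            continue
        m = MAX_RE.search(line)
        if m:
            report["max_concurrent"] = int(m.group(1))
    return report


def assess(resolved, dnsmasq, switch_threshold=3, repeat_threshold=3):
    """Turn the two parsed reports into human-readable findings (thresholds are assumptions)."""
    findings = []
    for iface, n in resolved["switches"].items():
        if n >= switch_threshold:
            findings.append(f"resolved switched upstream server {n} times on {iface} (server cycling)")
    for server, features in resolved["degraded"].items():
        findings.append(f"server {server} negotiated degraded feature set {features}")
    for server in sorted(resolved["downgraded"]):
        findings.append(f"server {server} does not support DNSSEC; resolved downgraded")
    for name, rrtype, reason in resolved["validation_failures"]:
        findings.append(f"DNSSEC validation failed for {name} IN {rrtype}: {reason}")
    for (rrtype, name), n in dnsmasq["queries"].items():
        if n >= repeat_threshold:
            findings.append(f"dnsmasq saw {n} repeated {rrtype} queries for {name} (retry loop)")
    if dnsmasq["max_concurrent"] is not None:
        findings.append(f"dnsmasq hit its concurrent-query limit (max: {dnsmasq['max_concurrent']})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_resolved(RESOLVED_LOG), parse_dnsmasq(DNSMASQ_LOG)):
        print(finding)
```

Run against a real journal (`journalctl -u systemd-resolved` and the dnsmasq log) by feeding the text into `parse_resolved` and `parse_dnsmasq`; the combination of "downgraded" plus "retry loop" plus "concurrent-query limit" is the fingerprint the issue describes, as opposed to an isolated downgrade message, which on its own just means the upstream server lacks DNSSEC support.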
