DNS server marked as DNSSEC-incompatible after query for domain in NTA #11171
systemd version the issue has been seen with
Used distribution
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
Connect to a network using an OpenWrt 18.06.1 router (or probably any other router using dnsmasq with an internal .lan zone, which is found in systemd-resolved's default NTA). I assume that the router has the host name gw, so that it responds for the FQDN gw.lan.
Observe how a lookup for an FQDN/RR that the OpenWrt/dnsmasq has an answer for gets treated just fine:
As mentioned earlier, from this point on systemd-resolved considers the server DNSSEC-incompatible for all queries, not just for the *.lan ones.
The same thing happens for A queries for non-existent hostnames (e.g., systemd-resolve nonexistent.lan -t A), or for other non-existent types for hostnames that do exist (e.g., systemd-resolve gw.lan -t TXT).
I'm attaching two outputs from tshark that show the traffic between systemd-resolved and the upstream OpenWrt/dnsmasq server that happens as a result of the two commands above:
-t A query that doesn't cause any subsequent issues
-t AAAA query that causes DNSSEC to be disabled
I'd like to point out two differences between them:
This inconsistency might be considered a bug in dnsmasq, so I would understand it if this issue gets closed as «someone else's problem», assuming it is the reason why systemd-resolved behaves the way it does.
On the other hand, dnsmasq is an immensely popular DNS proxy/cache embedded in many home gateway products. Even if I was able to get this fixed in dnsmasq upstream, it will take a very long time before the current behaviour is no longer being encountered in the wild. Therefore, I'm thinking that this is something systemd-resolved could (or maybe even should, taking the robustness principle into account) potentially handle better to the benefit of its users.