You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Linux buildroot 5.14.11 #1 SMP Sat Oct 23 05:21:36 MDT 2021 x86_64 GNU/Linux
CPU architecture issue was seen on
x86_64
Expected behaviour you didn't see
Systemd should fallback to using packets without any DNSSEC features if a resolver fails to respond(times out) to DNS packets using DNSSEC features like the "Checking Disabled" bit in allow-downgrade mode.
Unexpected behaviour you saw
Systemd keeps retrying unsuccessfully to query a resolver that does not support the "Checking Disabled" flag without falling back to regular DNS request with the "Checking Disabled" bit removed on request timeout. For some reason the dns server I'm hitting this issue with does allow the "Checking Disabled" bit to be set for private tld's, however those responses are of course unvalidated. The router/dns server appears to be a tp-link TL-WDR8690.
Steps to reproduce the problem
Run systemd with DNSOverTLS=opportunistic DNSSEC=allow-downgrade set with a dhcp assigned DNS server that does not respond to requests if the "Checking Disabled" bit is set.
Additional program output to the terminal or log subsystem illustrating the issue
Oct 21 02:27:55 buildroot systemd-resolved[211]: Using feature level UDP for transaction 59363.
Oct 21 02:27:55 buildroot systemd-resolved[211]: Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 40
Oct 21 02:27:55 buildroot systemd-resolved[211]: Sending query packet with id 59363 of size 40.
Oct 21 02:27:55 buildroot systemd-resolved[211]: Timeout reached on transaction 3233.
Oct 21 02:27:55 buildroot systemd-resolved[211]: Retrying transaction 3233, after switching servers.
Oct 21 02:27:55 buildroot systemd-resolved[211]: Cache miss for bing.com IN A
Oct 21 02:27:55 buildroot systemd-resolved[211]: Firing regular transaction 3233 for <bing.com IN A> scope dns on enp1s0/* (validate=yes).
Oct 21 02:27:55 buildroot systemd-resolved[211]: Using feature level UDP for transaction 3233.
Oct 21 02:27:55 buildroot systemd-resolved[211]: Emitting UDP, link MTU is 1500, socket MTU is 1500, minimal MTU is 40
Oct 21 02:27:55 buildroot systemd-resolved[211]: Sending query packet with id 3233 of size 26.
Note that even though the resolved transaction feature level appears to be "UDP" wireshark traces show the DNSSEC flag "Checking Disabled" flag is still present which causes the router's DNS server to fail to respond at all to queries(except private domain/tld queries).
# resolvectl --no-pager
Global
Protocols: +LLMNR +mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/unsupported
resolv.conf mode: uplink
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google
2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google
Link 2 (enp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/unsupported
Current DNS Server: 192.168.0.101
DNS Servers: 192.168.0.101
Link 3 (sit0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Link 4 (wlp2s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Link 5 (wg2)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Link 6 (wg0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Link 7 (wg1)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/supported
Is it normal to have validate=yes:
Oct 21 02:27:55 buildroot systemd-resolved[211]: Firing regular transaction 3233 for <bing.com IN A> scope dns on enp1s0/* (validate=yes).
on a link with allow-downgrade/unsupported?:
Link 2 (enp1s0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS DNSOverTLS=opportunistic DNSSEC=allow-downgrade/unsupported
Current DNS Server: 192.168.0.101
DNS Servers: 192.168.0.101
# dig @192.168.0.101 bing.com +noadflag +noedns +cdflag
; <<>> DiG 9.11.35 <<>> @192.168.0.101 bing.com +noadflag +noedns +cdflag
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
# dig @192.168.0.101 bing.com +noadflag +noedns +nocdflag
; <<>> DiG 9.11.35 <<>> @192.168.0.101 bing.com +noadflag +noedns +nocdflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31049
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;bing.com. IN A
;; ANSWER SECTION:
bing.com. 60 IN A 13.107.21.200
bing.com. 60 IN A 204.79.197.200
;; Query time: 0 msec
;; SERVER: 192.168.0.101#53(192.168.0.101)
;; WHEN: Sun Oct 24 09:22:38 UTC 2021
;; MSG SIZE rcvd: 58
# dig @192.168.0.101 tplogin.cn +noadflag +noedns +cdflag
; <<>> DiG 9.11.35 <<>> @192.168.0.101 tplogin.cn +noadflag +noedns +cdflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43498
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tplogin.cn. IN A
;; ANSWER SECTION:
tplogin.cn. 0 IN A 192.168.0.101
;; Query time: 0 msec
;; SERVER: 192.168.0.101#53(192.168.0.101)
;; WHEN: Sun Oct 24 09:24:33 UTC 2021
;; MSG SIZE rcvd: 44
# dig @192.168.0.101 tplogin.cn +noadflag +noedns +nocdflag
; <<>> DiG 9.11.35 <<>> @192.168.0.101 tplogin.cn +noadflag +noedns +nocdflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41458
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tplogin.cn. IN A
;; ANSWER SECTION:
tplogin.cn. 0 IN A 192.168.0.101
;; Query time: 0 msec
;; SERVER: 192.168.0.101#53(192.168.0.101)
;; WHEN: Sun Oct 24 09:25:05 UTC 2021
;; MSG SIZE rcvd: 44
The text was updated successfully, but these errors were encountered:
systemd version the issue has been seen with
Used distribution
Linux kernel version used (
uname -a
)CPU architecture issue was seen on
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
Additional program output to the terminal or log subsystem illustrating the issue
Note that even though the resolved transaction feature level appears to be "UDP" wireshark traces show the DNSSEC flag "Checking Disabled" flag is still present which causes the router's DNS server to fail to respond at all to queries(except private domain/tld queries).
Is it normal to have
validate=yes
:on a link with
allow-downgrade/unsupported
?:The text was updated successfully, but these errors were encountered: