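systemd version the issue has been seen with
sys-apps/systemd-255.3-r1
Used distribution
Gentoo
Linux kernel version used
6.6.21-gentoo-dist-hardened
CPU architectures issue was seen on
x86_64
Component
resolvectl
Expected behaviour you didn't see
mermaid.js.org is resolved correctly
Unexpected behaviour you saw
mermaid.js.org: resolve call failed: DNSSEC validation failed: no-signature
Steps to reproduce the problem
Set DNSSEC to allow-downgrade and try to resolve mermaid.js.org
Additional program output to the terminal or log subsystem illustrating the issue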
```
==== Resolved configuration ====
$ resolvectl status
Global
  Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  resolv.conf mode: foreign
  Current DNS Server: 192.168.177.11
  DNS Servers: 192.168.177.11
  Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google
  DNS Domain: lan

Link 2 (wlo1)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
  Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 192.168.177.11
  DNS Servers: 192.168.177.11
  DNS Domain: lan

Link 3 (enp46s0u2u4)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
  Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 192.168.177.11
  DNS Servers: 192.168.177.11
  DNS Domain: lan

Link 4 (eno2)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

==== output of delv ====
$ delv +cd +vtrace mermaid.js.org @192.168.177.11
;; fetch: mermaid.js.org/A
;; validating mermaid.js.org/CNAME: starting
;; validating mermaid.js.org/CNAME: attempting insecurity proof
;; validating mermaid.js.org/CNAME: checking existence of DS at 'org'
;; fetch: org/DS
;; validating org/DS: starting
;; validating org/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=20326): success
;; validating ./DNSKEY: marking as secure (DS)
;; validating org/DS: in fetch_callback_dnskey
;; validating org/DS: keyset with trust secure
;; validating org/DS: resuming validate
;; validating org/DS: verify rdataset (keyid=5613): success
;; validating org/DS: marking as secure, noqname proof not needed
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: resuming proveunsecure
;; validating mermaid.js.org/CNAME: checking existence of DS at 'js.org'
;; fetch: js.org/DS
;; validating js.org/DS: starting
;; validating js.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; validating org/DNSKEY: starting
;; validating org/DNSKEY: attempting positive response validation
;; validating org/DNSKEY: verify rdataset (keyid=26974): success
;; validating org/DNSKEY: marking as secure (DS)
;; validating js.org/DS: in fetch_callback_dnskey
;; validating js.org/DS: keyset with trust secure
;; validating js.org/DS: resuming validate
;; validating js.org/DS: verify rdataset (keyid=3093): success
;; validating js.org/DS: marking as secure, noqname proof not needed
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: resuming proveunsecure
;; validating mermaid.js.org/CNAME: checking existence of DS at 'mermaid.js.org'
;; fetch: mermaid.js.org/DS
;; validating mermaid.js.org/DS: starting
;; validating mermaid.js.org/DS: attempting negative response validation from message
;; validating js.org/SOA: starting
;; validating js.org/SOA: attempting positive response validation
;; fetch: js.org/DNSKEY
;; validating js.org/DNSKEY: starting
;; validating js.org/DNSKEY: attempting positive response validation
;; validating js.org/DNSKEY: verify rdataset (keyid=2371): success
;; validating js.org/DNSKEY: marking as secure (DS)
;; validating js.org/SOA: in fetch_callback_dnskey
;; validating js.org/SOA: keyset with trust secure
;; validating js.org/SOA: resuming validate
;; validating js.org/SOA: verify rdataset (keyid=34505): success
;; validating js.org/SOA: marking as secure, noqname proof not needed
;; validating mermaid.js.org/DS: in validator_callback_nsec
;; validating mermaid.js.org/DS: resuming validate_nx
;; validating mermaid.js.org/NSEC: starting
;; validating mermaid.js.org/NSEC: attempting positive response validation
;; validating mermaid.js.org/NSEC: keyset with trust secure
;; validating mermaid.js.org/NSEC: verify rdataset (keyid=34505): success
;; validating mermaid.js.org/NSEC: marking as secure, noqname proof not needed
;; validating mermaid.js.org/DS: in validator_callback_nsec
;; validating mermaid.js.org/DS: looking for relevant NSEC
;; validating mermaid.js.org/DS: nsec proves name exists (owner) data=0
;; validating mermaid.js.org/DS: resuming validate_nx
;; validating mermaid.js.org/DS: nonexistence proof(s) found
;; validating mermaid.js.org/CNAME: in fetch_callback_ds
;; validating mermaid.js.org/CNAME: marking as answer (fetch_callback_ds)
;; fetch: mermaid-js.github.io/A
;; validating mermaid-js.github.io/A: starting
;; validating mermaid-js.github.io/A: attempting insecurity proof
;; validating mermaid-js.github.io/A: checking existence of DS at 'io'
;; fetch: io/DS
;; validating io/DS: starting
;; validating io/DS: attempting positive response validation
;; validating io/DS: keyset with trust secure
;; validating io/DS: verify rdataset (keyid=5613): success
;; validating io/DS: marking as secure, noqname proof not needed
;; validating mermaid-js.github.io/A: in fetch_callback_ds
;; validating mermaid-js.github.io/A: resuming proveunsecure
;; validating mermaid-js.github.io/A: checking existence of DS at 'github.io'
;; fetch: github.io/DS
;; validating github.io/DS: starting
;; validating github.io/DS: attempting negative response validation from message
;; validating io/SOA: starting
;; validating io/SOA: attempting positive response validation
;; fetch: io/DNSKEY
;; validating io/DNSKEY: starting
;; validating io/DNSKEY: attempting positive response validation
;; validating io/DNSKEY: verify rdataset (keyid=57355): success
;; validating io/DNSKEY: marking as secure (DS)
;; validating io/SOA: in fetch_callback_dnskey
;; validating io/SOA: keyset with trust secure
;; validating io/SOA: resuming validate
;; validating io/SOA: verify rdataset (keyid=22323): success
;; validating io/SOA: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;; validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: starting
;; validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: attempting positive response validation
;; validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: keyset with trust secure
;; validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: verify rdataset (keyid=22323): success
;; validating h2sbcfplucgv6bjm207v541gtp2lh91t.io/NSEC3: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;; validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: starting
;; validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: attempting positive response validation
;; validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: keyset with trust secure
;; validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: verify rdataset (keyid=22323): success
;; validating u92tce82j4l1t382opcath2ulsjsm9qg.io/NSEC3: marking as secure, noqname proof not needed
;; validating github.io/DS: in validator_callback_nsec
;; validating github.io/DS: resuming validate_nx
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 proves name does not exist: 'github.io'
;; validating github.io/DS: NSEC3 indicates optout
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 indicates potential closest encloser: 'io'
;; validating github.io/DS: NSEC3 at super-domain io
;; validating github.io/DS: in checkwildcard: *.io
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: looking for relevant NSEC3
;; validating github.io/DS: NSEC3 at super-domain io
;; validating github.io/DS: in checkwildcard: *.io
;; validating github.io/DS: nonexistence proof(s) found
;; validating mermaid-js.github.io/A: in fetch_callback_ds
;; validating mermaid-js.github.io/A: marking as answer (fetch_callback_ds)
; unsigned answer
mermaid.js.org. 300 IN CNAME mermaid-js.github.io.
mermaid-js.github.io. 3600 IN A 185.199.108.153
mermaid-js.github.io. 3600 IN A 185.199.109.153
mermaid-js.github.io. 3600 IN A 185.199.110.153
mermaid-js.github.io. 3600 IN A 185.199.111.153
```
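A `delv +vtrace` log like the one in this report is easier to triage once it is reduced to the final outcome per RRset. The following is an added example, not part of the original report and not systemd or BIND code; the function names are hypothetical, and reading "marking as answer" as "accepted unsigned" is an assumption based on the `; unsigned answer` line delv prints afterwards.

```python
import re

# Excerpt of the delv +vtrace output quoted in the issue, one message per line.
TRACE = """\
;; validating mermaid.js.org/CNAME: attempting insecurity proof
;; validating org/DS: marking as secure, noqname proof not needed
;; validating js.org/DS: marking as secure, noqname proof not needed
;; validating mermaid.js.org/DS: nsec proves name exists (owner) data=0
;; validating mermaid.js.org/DS: nonexistence proof(s) found
;; validating mermaid.js.org/CNAME: marking as answer (fetch_callback_ds)
;; validating io/DS: marking as secure, noqname proof not needed
;; validating github.io/DS: NSEC3 indicates optout
;; validating github.io/DS: nonexistence proof(s) found
;; validating mermaid-js.github.io/A: marking as answer (fetch_callback_ds)
"""

# Validator lines look like ";; validating <owner>/<type>: <message>".
LINE = re.compile(r"^;; validating (?P<name>[^/\s]+)/(?P<rtype>[A-Z0-9]+): (?P<msg>.*)$")

def summarize(trace):
    """Map (owner, type) to the final outcome the validator logged for it."""
    status = {}
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # fetch lines, the answer section, blank lines
        key = (m["name"], m["rtype"])
        if m["msg"].startswith("marking as secure"):
            status[key] = "secure"
        elif m["msg"].startswith("marking as answer"):
            # Assumption: the state delv later reports as "; unsigned answer".
            status[key] = "unsigned"
        elif m["msg"].startswith("nonexistence proof(s) found"):
            status[key] = "proven-absent"
    return status

def trust_breaks(status):
    """Owners whose DS was proven absent: the signed chain stops above them."""
    return [n for (n, t), s in status.items() if t == "DS" and s == "proven-absent"]

def unsigned_answers(status):
    """RRsets accepted without a signature after an insecurity proof."""
    return [(n, t) for (n, t), s in status.items() if t != "DS" and s == "unsigned"]

if __name__ == "__main__":
    st = summarize(TRACE)
    print("DS proven absent at:", trust_breaks(st))
    print("unsigned answers:  ", unsigned_answers(st))
```

On the excerpt this reports the DS as proven absent at `mermaid.js.org` and `github.io`, which is where delv stops requiring signatures for the CNAME and the A records.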
dnsviz shows a few warnings. I suspect something goes wrong with the CNAME pointing from mermaid.js.org to mermaid-js.github.io.
https://dnsviz.net/d/mermaid.js.org/dnssec/
dup of #31484: that CNAME warning is fatal for us, since the dnssec path building algorithm will fail. This should be fixed by the domain operator.