systemd-resolved 255.5 fails DNSSEC verification of www.youtube.com (unsigned domain), was working in 255.4

[StenSoft]

systemd version the issue has been seen with

255.5-1

Used distribution

Debian sid

Linux kernel version used

6.1.0-20-amd64

CPU architectures issue was seen on

x86_64

Component

systemd-resolved

Expected behaviour you didn't see

systemd-resolved resolves www.youtube.com:

$ resolvectl query www.youtube.com
www.youtube.com: 142.251.221.78                -- link: kainga
                 142.250.76.110                -- link: kainga
                 142.250.67.14                 -- link: kainga
                 142.250.66.238                -- link: kainga
                 172.217.167.110               -- link: kainga
                 142.250.71.78                 -- link: kainga
                 142.250.204.14                -- link: kainga
                 142.250.66.206                -- link: kainga
                 2404:6800:4006:811::200e      -- link: kainga
                 2404:6800:4006:810::200e      -- link: kainga
                 2404:6800:4006:80b::200e      -- link: kainga
                 2404:6800:4006:813::200e      -- link: kainga
                 (youtube-ui.l.google.com)

-- Information acquired via protocol DNS in 299.2ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

Version 255.4

$ resolvectl --version
systemd 255 (255.4-1+b1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

Unexpected behaviour you saw

systemd-resolved fails to resolve www.youtube.com due to DNSSEC validation failure:

$ resolvectl query www.youtube.com
www.youtube.com: resolve call failed: DNSSEC validation failed: no-signature

Version 255.5

$ resolvectl --version
systemd 255 (255.5-1)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

Steps to reproduce the problem

1. Configure network with DNSSEC=yes.
2. Update systemd from 255.4 to 255.5.
3. Query www.youtube.com.

Additional program output to the terminal or log subsystem illustrating the issue

dub 28 23:55:32 kass systemd-resolved[51169]: [LNK] DNSSEC validation failed for question l.google.com IN DS: no-signature
dub 28 23:55:32 kass systemd-resolved[51169]: [LNK] DNSSEC validation failed for question youtube-ui.l.google.com IN DS: no-signature
dub 28 23:55:32 kass systemd-resolved[51169]: [LNK] DNSSEC validation failed for question youtube-ui.l.google.com IN A: no-signature
dub 28 23:55:32 kass systemd-resolved[51169]: [LNK] DNSSEC validation failed for question youtube-ui.l.google.com IN AAAA: no-signature

[spladug]

Same issue on 255.5-2-arch. Other domains with the same issue are bevyengine.org (though it's an alias to bevyengine.github.io and that works fine) and static.licdn.com. Meanwhile, some other unsigned domains like google.com seem unaffected.

[StenSoft]

Some domains seem to be affected weirdly. After restarting systemd-resolved, if I query mobile.l.google.com then every query fails, but if I then query m.google.com (cname to mobile.l.google.com), it resolves, after which I can resolve mobile.l.google.com (from cache) as well. If I query m.google.com first then both resolve fine. l.google.com keeps failing even when mobile.l.google.com works. I can reproduce this after every restart of systemd-resolved.

[rpigott]

I can't reproduce?

$ resolvectl --version
systemd 255 (255.5-2-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

$ resolvectl dnssec enp7s0
Link 2 (enp7s0): yes

$ resolvectl query www.youtube.com static.licdn.com
www.youtube.com: 142.250.72.174                -- link: enp7s0
                 142.250.72.142                -- link: enp7s0
                 172.217.12.142                -- link: enp7s0
                 142.250.68.14                 -- link: enp7s0
                 172.217.14.110                -- link: enp7s0
                 142.250.72.238                -- link: enp7s0
                 142.250.188.238               -- link: enp7s0
                 142.250.217.142               -- link: enp7s0
                 142.250.176.14                -- link: enp7s0
                 142.250.189.14                -- link: enp7s0
                 142.251.40.46                 -- link: enp7s0
                 2607:f8b0:4007:811::200e      -- link: enp7s0
                 2607:f8b0:4007:810::200e      -- link: enp7s0
                 2607:f8b0:4007:815::200e      -- link: enp7s0
                 2607:f8b0:4007:80a::200e      -- link: enp7s0
                 (youtube-ui.l.google.com)

-- Information acquired via protocol DNS in 325.6ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
static.licdn.com: 23.56.109.200                -- link: enp7s0
                  23.56.109.202                -- link: enp7s0
                  2600:1406:4e00:16::1738:6da8 -- link: enp7s0
                  2600:1406:4e00:16::1738:6da6 -- link: enp7s0
                  (a1916.dscg2.akamai.net)

-- Information acquired via protocol DNS in 541.1ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

bevyengine.org is #31484.

Can you provide a debug log of sd-resolved?

[konomikitten]

Can you provide a debug log of sd-resolved?

I'm running Debian Unstable and having the same issue here's my log: resolvectl-of-www-youtube-com-with-debug.txt.

[StenSoft]

Here's debug log of sd-resolved showing queries for www.youtube.com (failed), mobile.l.google.com (failed), m.google.com (cname to mobile.l.google.com, successful) and mobile.l.google.com (successful from cache): resolved.log

[rpigott]

Thanks for the logs. I didn't know #31827 was backported...

[LRitzdorf]

I'm seeing what might be the same issue, but with slightly different symptoms. On my Arch system, most (all?) queries fail with the same no-signature error that OP shows. For example:

Apr 29 10:13:50 ritzcracker systemd-resolved[1867]: [🡕] DNSSEC validation failed for question org IN DS: no-signature
Apr 29 10:13:50 ritzcracker systemd-resolved[1867]: [🡕] DNSSEC validation failed for question archlinux.org IN DS: no-signature
Apr 29 10:13:50 ritzcracker systemd-resolved[1867]: [🡕] DNSSEC validation failed for question ping.archlinux.org IN A: no-signature
Apr 29 10:13:50 ritzcracker systemd-resolved[1867]: [🡕] DNSSEC validation failed for question ping.archlinux.org IN AAAA: no-signature

While ping.archlinux.org is not authenticated, it normally does not fail to resolve entirely, since I've set DNSSEC=allow-downgrade.

Interestingly, switching my DNS resolver to 1.1.1.1 (i.e. resolvectl dns wlan0 1.1.1.1) restores full functionality, which is why I feel like this might technically be different from the original issue report here.

Configuration, for reference:

[Resolve]
FallbackDNS=1.1.1.1
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
# mDNS is handled by avahi-daemon
MulticastDNS=no
LLMNR=no

Using iwd as my network manager, in case that matters.

[sushi2503]

I tried the update to systemd 255.5-3 and Firefox 125.0.3-1 (without linux-6.8.8.arch1-1 update and without reboot), still fails with DNSSEC=allow-downgrade on Arch.

[spladug]

Works for me. Thank you!

I did reboot. Firefox 125.0.3 works as well.

$ resolvectl --version
systemd 255 (255.5-3-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

$ resolvectl query www.youtube.com
www.youtube.com: 2607:f8b0:4005:810::200e      -- link: foo
                 2607:f8b0:4005:806::200e      -- link: foo
                 2607:f8b0:4005:80e::200e      -- link: foo
                 2607:f8b0:4005:80f::200e      -- link: foo
                 142.250.72.206                -- link: foo
                 ... snip ...
                 (youtube-ui.l.google.com)

[sushi2503]

Rebooted right now and still fails for many sites with DNSSEC=allow-downgrade :

Youtube is ok but :

resolvectl query www.rts.ch
www.rts.ch: resolve call failed: DNSSEC validation failed: no-signature

resolvectl query www.swisscom.ch
www.swisscom.ch: resolve call failed: DNSSEC validation failed: no-signature

And so on...

firefox 125.0.3
systemd 255.5-3
dhcpcd 10.0.6-1
kernel 6.8.8-arch1-1