systemd-resolved 255.5 fails DNSSEC verification of www.youtube.com (unsigned domain), was working in 255.4 #32531
Comments
Same issue on 255.5-2-arch. Other domains with the same issue are bevyengine.org (though it's an alias to bevyengine.github.io and that works fine) and static.licdn.com. Meanwhile, some other unsigned domains like google.com seem unaffected.
Some domains seem to be affected weirdly. After restarting systemd-resolved, if I query mobile.l.google.com then every query fails, but if I then query m.google.com (cname to mobile.l.google.com), it resolves, after which I can resolve mobile.l.google.com (from cache) as well. If I query m.google.com first then both resolve fine. l.google.com keeps failing even when mobile.l.google.com works. I can reproduce this after every restart of systemd-resolved.
I can't reproduce?
bevyengine.org is #31484. Can you provide a debug log of sd-resolved?
I'm running Debian Unstable and having the same issue; here's my log: resolvectl-of-www-youtube-com-with-debug.txt.
Here's a debug log of sd-resolved showing queries for www.youtube.com (failed), mobile.l.google.com (failed), m.google.com (cname to mobile.l.google.com, successful) and mobile.l.google.com (successful from cache): resolved.log
Thanks for the logs. I didn't know #31827 was backported...
I'm seeing what might be the same issue, but with slightly different symptoms. On my Arch system, most (all?) queries fail with the same
While Interestingly, switching my DNS resolver to 1.1.1.1 (i.e. Configuration, for reference:
Using iwd as my network manager, in case that matters.
Bug: systemd/systemd#32531 Signed-off-by: Sam James <sam@gentoo.org>
I tried the update to systemd 255.5-3 and Firefox 125.0.3-1 (without linux-6.8.8.arch1-1 update and without reboot), still fails with DNSSEC=allow-downgrade on Arch.
Works for me. Thank you! I did reboot. Firefox 125.0.3 works as well.
Rebooted right now and still fails for many sites with DNSSEC=allow-downgrade: YouTube is ok, but: resolvectl query www.rts.ch, resolvectl query www.swisscom.ch, and so on... Firefox 125.0.3
systemd version the issue has been seen with
255.5-1
Used distribution
Debian sid
Linux kernel version used
6.1.0-20-amd64
CPU architectures issue was seen on
x86_64
Component
systemd-resolved
Expected behaviour you didn't see
systemd-resolved resolves www.youtube.com:
Version 255.4
Unexpected behaviour you saw
systemd-resolved fails to resolve www.youtube.com due to DNSSEC validation failure:
Version 255.5
Steps to reproduce the problem
DNSSEC=yes
Additional program output to the terminal or log subsystem illustrating the issue