Closed
Description
Submission type
- Bug report
- Request for enhancement (RFE)
systemd version the issue has been seen with
231-9git1? (the one that ships with Ubuntu 16.10)
Used distribution
Ubuntu
In case of bug report: Expected behaviour you didn't see
When sending the DO bit in queries to 127.0.0.53, the returned data did not include DNSSEC data (i.e. the RRSIGs).
When asking for non-existent records, the DNSSEC proof of non-existence is missing.
In case of bug report: Unexpected behaviour you saw
When asking for non-existent records, the AD bit is also not set, as if systemd-resolved did not validate the non-existence of the requested record.
In case of bug report: Steps to reproduce the problem
$ dig @127.0.0.53 nlnetlabs.nl +dnssec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.53 nlnetlabs.nl +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54947
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;nlnetlabs.nl. IN A
;; ANSWER SECTION:
nlnetlabs.nl. 5332 IN A 185.49.140.10
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Nov 08 15:29:19 CET 2016
;; MSG SIZE rcvd: 57
$ dig @127.0.0.53 nonexistant.nlnetlabs.nl +dnssec
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.53 nonexistant.nlnetlabs.nl +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3445
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;nonexistant.nlnetlabs.nl. IN A
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Nov 08 15:29:43 CET 2016
;; MSG SIZE rcvd: 53
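A check for both symptoms in `dig +dnssec` output, added here as an example; it is not part of the original report or of systemd. The function name `audit` and the finding strings are made up for illustration, and the check assumes the queried name lives in a signed zone, since an unsigned zone legitimately returns neither RRSIGs nor the AD bit.

```python
import re

# Trimmed from the two dig transcripts in the report above.
POSITIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54947
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;nlnetlabs.nl. IN A
;; ANSWER SECTION:
nlnetlabs.nl. 5332 IN A 185.49.140.10
"""
NEGATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3445
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 65494
"""

def audit(dig_text):
    """Return DNSSEC findings for one `dig +dnssec` response (signed zone assumed)."""
    flags = re.search(r"^;; flags:([^;]*);", dig_text, re.M).group(1).split()
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", dig_text, re.M)
    do_set = bool(edns) and "do" in edns.group(1).split()
    # Collect record types per section; record lines do not start with ';'
    # and read "name ttl class type rdata".
    types, section = {}, None
    for line in dig_text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            section = header.group(1)
        elif section and line.strip() and not line.startswith(";"):
            types.setdefault(section, set()).add(line.split()[3])
    answer = types.get("ANSWER", set())
    authority = types.get("AUTHORITY", set())
    findings = []
    if "ad" not in flags:
        findings.append("AD not set")
    if do_set and answer and "RRSIG" not in answer:
        findings.append("DO set but no RRSIG in answer")
    if do_set and not answer and not authority & {"NSEC", "NSEC3"}:
        findings.append("no NSEC/NSEC3 denial proof")
    return findings

if __name__ == "__main__":
    for name, text in (("positive", POSITIVE), ("negative", NEGATIVE)):
        print(name, audit(text))
```

An empty list means the stub passed the AD bit, the signatures and, for negative answers, the denial records through to the client.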