systemd-resolved: DNSSEC validation failed: incompatible-server
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Jammy | Incomplete | Undecided | Unassigned | |
Bug Description
Hi,
I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.
2 days ago, I enabled DNSSEC=true through:
# grep DNSSEC /etc/systemd/
DNSSEC=yes
After running some hours, systemd-resolved stops working. Log lines like incompatible-server start to spam.
Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-
Jul 09 13:51:41 htdocs systemd-
Jul 09 13:51:41 htdocs systemd-
Jul 09 13:51:41 htdocs systemd-
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-
Jul 09 15:40:20 htdocs systemd-
Jul 09 15:40:20 htdocs systemd-
Jul 09 15:40:20 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Jul 10 03:16:18 htdocs systemd-
Mention here, I'm running multiple machines with the same config against the same upstream DNS server. From time to time, only one instance stops working here.
Running a manual query also fails here, for example:
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
Running 'resolvectl reset-server-
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231 -- link: eth0
-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
By reading issues upstream looks like https:/
A fix is implemented (https:/
But there is another fix around this issue (https:/
I would like to know if it's possible to backport this fix into Ubuntu 22.04.
Thanks.
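An added example, not part of the bug report, that turns the symptom described above into an offline-testable health check: one function classifies the text that `resolvectl query` prints (the "DNSSEC validation failed: incompatible-server" line versus a completed answer), another counts the failure in journal text, and a third turns the classification into an exit code for a monitoring probe. The hostnames, addresses and journal lines are constructed; the wording of systemd-resolved's journal message is assumed, only the `incompatible-server` token and the `resolvectl` output shape come from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the systemd project): detect the
# "incompatible-server" DNSSEC failure state of systemd-resolved from text.
# Every function reads its input from stdin so it can be tested offline.

# Print one line describing the `resolvectl query` output given on stdin:
#   incompatible-server      - the symptom from the report
#   dnssec-failed            - any other DNSSEC validation failure
#   resolved authenticated   - query completed, data was DNSSEC-authenticated
#   resolved unauthenticated - query completed, data was not authenticated
#   unknown                  - none of the above
classify_resolvectl_output() {
    out=$(cat)
    case "$out" in
        *"DNSSEC validation failed: incompatible-server"*) echo incompatible-server ;;
        *"DNSSEC validation failed"*)                      echo dnssec-failed ;;
        *"Data is authenticated: yes"*)                    echo "resolved authenticated" ;;
        *"Data is authenticated: no"*)                     echo "resolved unauthenticated" ;;
        *)                                                 echo unknown ;;
    esac
}

# Count journal lines on stdin that mention the failure, e.g. fed from
#   journalctl -u systemd-resolved --since -1h
# grep -c prints 0 and exits 1 when nothing matches, so keep status 0.
count_incompatible_server() {
    grep -c 'incompatible-server' || :
}

# Exit status for a monitoring probe: 0 when the query on stdin completed,
# 1 on the incompatible-server symptom, 2 on any other failure.
resolved_health_status() {
    case "$(classify_resolvectl_output)" in
        resolved*)           return 0 ;;
        incompatible-server) return 1 ;;
        *)                   return 2 ;;
    esac
}

# Constructed sample of a completed query (shape follows the report's output;
# hostname and address are made up).
SAMPLE_OK='example.com: 192.0.2.10 -- link: eth0
-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network'

# Constructed journal excerpt: three failures plus one unrelated line. The
# message wording is an assumption; only the incompatible-server token is real.
SAMPLE_JOURNAL='Jul 09 15:40:20 host systemd-resolved[612]: DNSSEC validation failed for question example.com IN A: incompatible-server
Jul 09 15:40:20 host systemd-resolved[612]: DNSSEC validation failed for question example.com IN AAAA: incompatible-server
Jul 09 15:40:21 host systemd-resolved[612]: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 192.0.2.53.
Jul 10 03:16:18 host systemd-resolved[612]: DNSSEC validation failed for question example.org IN A: incompatible-server'

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_OK" | classify_resolvectl_output
printf '%s\n' "$SAMPLE_JOURNAL" | count_incompatible_server
```

On a live host the probe would be `resolvectl query some-name 2>&1 | resolved_health_status`; a non-zero status with a rising `count_incompatible_server` over the last hour is the signal that one instance has entered the state the report describes, which is the point at which the reporter's reset command becomes relevant.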
description: updated
tags: added: rls-jj-incoming
Changed in systemd (Ubuntu Jammy):
status: New → Incomplete
The fix is already included in systemd >= v250 (i.e. Kinetic+)