I just upgraded to Ubuntu 17.04 (systemd 232), where systemd-resolved is turned on by default, which means DNSSEC validation is on by default.
My home network has DNS provided by dnsmasq, and for historical reasons I set the domain name on all hosts there to 'dague.pvt'. I tried adding both 'dague.pvt' and 'pvt' to /etc/dnssec-trust-anchors.d/dague.pvt.negative (as well as copying in the list of all the negative trust anchors that exist by default: home, local, the reverse lookup ones). Looking up os3.dague.pvt always returns a SERVFAIL; it does not seem to be respecting the negative trust anchor, even though the logs seem to be picking it up:

Apr 19 07:06:10 ribos.dague.pvt systemd-resolved[16286]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private pvt dague.pvt test
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: Switching to DNS server 10.42.0.3 for interface enp0s25.
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN DS: no-signature
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN SOA: no-signature
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN A: no-signature

It did occur to me that there are no non-TLD examples in the excluded list except the reverse lookup domains (which I assume are treated specially). Is there something I'm missing with configuration here? Or are non-TLD domains not supported for negative trust anchors? And if so, is that a bug or intentional? My current workaround is to just turn off DNSSEC, which I'd really like to avoid doing if I could.
Thanks in advance,

-Sean

--
Sean Dague
http://dague.net

systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
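The core of the question above is whether a name like os3.dague.pvt falls under the negative trust anchors that systemd-resolved printed, and whether the "DNSSEC validation failed" events that followed concern names an anchor should have exempted. The following is an added example, not code from the post or from systemd: a small Python triage script that takes the anchor list exactly as the journal excerpt reports it, matches query names against anchors on whole-label boundaries (so a name under pvt matches, but a name ending in notpvt does not), and runs over the journal lines to flag failures for anchored names. The sample log lines are constructed from the excerpt in the post plus one extra line for an unanchored name (host.example.com), which is an assumption used only to show the contrast.

```python
import re

# Negative trust anchors as systemd-resolved listed them in the journal
# excerpt above: the built-in defaults plus the poster's 'pvt' and 'dague.pvt'.
NEGATIVE_TRUST_ANCHORS = {
    "10.in-addr.arpa", "168.192.in-addr.arpa", "d.f.ip6.arpa",
    "corp", "home", "internal", "intranet", "lan", "local", "private",
    "pvt", "dague.pvt", "test",
} | {f"{i}.172.in-addr.arpa" for i in range(16, 32)}

# Matches the "DNSSEC validation failed for question <name> IN <type>: <reason>"
# lines that systemd-resolved logs.
LOG_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) IN (?P<rtype>\S+): (?P<reason>\S+)"
)

# Constructed sample: three lines taken from the post, one extra line for an
# unanchored name (host.example.com) added here for contrast.
SAMPLE_LOG = [
    "Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN DS: no-signature",
    "Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN SOA: no-signature",
    "Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN A: no-signature",
    "Apr 19 07:06:30 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question host.example.com IN A: no-signature",
]


def covered_by_nta(name, ntas=NEGATIVE_TRUST_ANCHORS):
    """Return the most specific negative trust anchor covering `name`, or None.

    Matching is on whole labels: 'os3.dague.pvt' is under both 'dague.pvt'
    and 'pvt' (the more specific 'dague.pvt' is returned), while a name such
    as 'foo.notpvt' is not under 'pvt' because 'notpvt' is a different label.
    """
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name towards the TLD; the first hit is the most specific.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ntas:
            return candidate
    return None


def triage(lines, ntas=NEGATIVE_TRUST_ANCHORS):
    """Parse validation-failure lines into (name, rtype, reason, covering_nta)."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        findings.append((name, m.group("rtype"), m.group("reason"),
                         covered_by_nta(name, ntas)))
    return findings


def unexpected_failures(lines, ntas=NEGATIVE_TRUST_ANCHORS):
    """Failures for names that an anchor should have exempted from validation.

    These are the interesting ones: a failure for an unanchored name is the
    validator working as designed, a failure for an anchored name is either
    a misconfiguration or the behaviour the post is asking about.
    """
    return [f for f in triage(lines, ntas) if f[3] is not None]


if __name__ == "__main__":
    for name, rtype, reason, nta in triage(SAMPLE_LOG):
        status = f"covered by NTA '{nta}'" if nta else "not under any NTA"
        print(f"{name:20} {rtype:4} {reason:14} {status}")
```

Run against a real journal, the script would be fed `journalctl -u systemd-resolved` output instead of SAMPLE_LOG; the anchor set should then be taken from the "Negative trust anchors:" line of the same journal rather than hard-coded, since that line is what resolved actually loaded from /etc/dnssec-trust-anchors.d/.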