systemd-resolved is broken in many ways. I doubt it can correctly forward TSIG or SIG(0). If you have a proper DNS server running on your machine, there are not many reasons to also run systemd-resolved. If you need it, I suggest writing a fixed /etc/resolv.conf pointing to 127.0.0.1 or ::1. Consider chattr +i /etc/resolv.conf afterwards. Do not use the stub resolver provided by systemd if you have a better caching server running on the same machine. I would even recommend uninstalling it on Fedora, where it is possible. Unless you use mDNS on selected networks only, I don't think systemd-resolved provides you any benefit.
systemd-resolved strips even DNSSEC signatures in its default configuration. I would doubt it can handle key signatures or even updates.

On 4/18/22 07:26, Leroy Tennison via bind-users wrote:
> When I attempt “dig -t AXFR office.example.com -k
> Kexample_dns.+157+18424.key” on the DNS server (Bind 9.11) sudoed to
> root I get:
>
> ;; Couldn't verify signature: expected a TSIG or SIG(0)
> ; Transfer failed.
>
> This is an Ubuntu 18.04 system and /etc/systemd/resolved.conf has
> DNS=127.0.0.1 since the DNS server is running on it. Systemd-resolved
> has been restarted afterward. I've tried using an actual interface
> address but it doesn't help. It seems dig tries to use 127.0.0.53 due
> to its being in /etc/resolv.conf and that fails even though dig for
> forward/reverse lookups works.
>
> If I add @127.0.0.1 to the above it works. Is there a way to get this
> to work without having to do that and not setting up the entire
> network configuration using systemd? I realize it's not a big effort
> to add @127.0.0.1 but the reason for the issue is obscure, the error
> message is misleading and my distaste for systemd is sufficient enough
> that I would prefer avoiding it as much as possible. Thanks for any
> input.
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
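
To check which resolver a bare `dig -k ...` (no `@server`) will reach first, the first `nameserver` line of /etc/resolv.conf can be classified as below. This is an added example, not part of the original message or of BIND or systemd; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the first nameserver in a resolv.conf-style file.
# Function names and sample files are hypothetical, not from the thread.

STUB_ADDR="127.0.0.53"   # address of the systemd-resolved stub listener

# first_nameserver FILE -> prints the first "nameserver" address, if any
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# classify_resolv FILE -> prints one of: stub | local | remote | none
classify_resolv() {
    ns=$(first_nameserver "$1")
    case "$ns" in
        "")            echo none ;;
        "$STUB_ADDR")  echo stub ;;
        127.0.0.1|::1) echo local ;;
        *)             echo remote ;;
    esac
}

# report FILE -> one-line verdict; returns non-zero when the stub is first
report() {
    verdict=$(classify_resolv "$1")
    case "$verdict" in
        stub)   echo "$1: systemd-resolved stub is first; add @127.0.0.1 or fix the file"
                return 1 ;;
        local)  echo "$1: local DNS server is first; signed queries reach it directly" ;;
        remote) echo "$1: first nameserver is $(first_nameserver "$1"), not this host" ;;
        none)   echo "$1: no nameserver line found" ;;
    esac
}

# write_samples DIR -> writes two constructed sample files for a dry run
write_samples() {
    printf '%s\n' '# constructed: stub configuration as described in the question' \
        'nameserver 127.0.0.53' 'options edns0' > "$1/stub.conf"
    printf '%s\n' '# constructed: fixed file as suggested in the reply' \
        'nameserver 127.0.0.1' 'nameserver ::1' > "$1/fixed.conf"
}

# Stand-alone use: sh check.sh /etc/resolv.conf
if [ $# -gt 0 ]; then report "$1"; fi
```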