Public bug reported:

Hi,

I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.

2 days ago, I enabled DNSSEC=true through:

# grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
DNSSEC=yes

After running for some hours, systemd-resolved stops working. Log lines like
incompatible-server start to spam.

Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: int.creativesandbox.de
Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 'htdocs'.
Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 214.162.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN DS: no-signature
Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 126.76.214.162.in-addr.arpa IN SOA: no-signature
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question your-server.de IN SOA: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question 201.138.clients.your-server.de IN DS: incompatible-server
Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for question static.237.11.201.138.clients.your-server.de IN AAAA: incompatible-server

Note that I'm running multiple machines with the same config against
the same upstream DNS server. From time to time, only one instance
stops working here.

Running a manual query also fails here, for example:

# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server

Running 'resolvectl reset-server-features' helps here and can be
considered a workaround.

# resolvectl query noc3.wordfence.com
noc3.wordfence.com: resolve call failed: DNSSEC validation failed: incompatible-server
# resolvectl reset-server-features
# resolvectl query noc3.wordfence.com
noc3.wordfence.com: 35.155.126.231             -- link: eth0

-- Information acquired via protocol DNS in 26.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network

From reading the upstream issues, this looks like
https://github.com/systemd/systemd/issues/6490.

A fix is implemented (https://github.com/systemd/systemd/pull/18624) and
released in 248 which is included in Ubuntu 22.04.

But there is another fix around this issue
(https://github.com/systemd/systemd/pull/20214) which is released in
systemd 250.

I would like to know if it's possible to backport this fix into Ubuntu
22.04.

Thanks.

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: systemd-resolved
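
The log pattern in the report, as a triage check (added example, not part of the original report or of systemd): it counts DNSSEC failures by reason and flags the case where even the root zone fails with incompatible-server, the state the reporter cleared with 'resolvectl reset-server-features'. The sample journal lines are constructed, and treating a root-zone failure as the trigger is an assumption of this example.

```shell
#!/bin/sh
# Added example: triage systemd-resolved DNSSEC failures from journal text.
# Real input would be e.g.:  journalctl -u systemd-resolved --since "1 hour ago"

# Constructed sample lines, modelled on the format shown in the report.
sample_journal() {
    cat <<'EOF'
Jul 09 15:40:20 host systemd-resolved[1234]: DNSSEC validation failed for question 2.0.192.in-addr.arpa IN SOA: no-signature
Jul 09 15:40:20 host systemd-resolved[1234]: DNSSEC validation failed for question 1.2.0.192.in-addr.arpa IN DS: no-signature
Jul 10 03:16:18 host systemd-resolved[1234]: DNSSEC validation failed for question . IN SOA: incompatible-server
Jul 10 03:16:18 host systemd-resolved[1234]: DNSSEC validation failed for question org IN DS: incompatible-server
Jul 10 03:16:18 host systemd-resolved[1234]: DNSSEC validation failed for question www.example.org IN AAAA: incompatible-server
Jul 10 03:16:18 host systemd[1]: Started Network Name Resolution.
EOF
}

# Reads journal lines on stdin; prints "reason count" per line, sorted by reason.
dnssec_failure_summary() {
    awk '
        /DNSSEC validation failed for question / {
            count[$NF]++        # last field is the reason, e.g. no-signature
        }
        END { for (r in count) print r, count[r] }
    ' | sort
}

# Exit status 0 if the root zone itself failed with incompatible-server.
# no-signature failures concern individual zones; a failure for "." points at
# the resolver's view of the upstream server (assumption of this example).
root_marked_incompatible() {
    grep -Eq 'DNSSEC validation failed for question \. IN [A-Z0-9]+: incompatible-server$'
}

# Demonstration on the constructed sample.
sample_journal | dnssec_failure_summary
if sample_journal | root_marked_incompatible; then
    echo "root zone fails with incompatible-server;" \
         "workaround from the report: resolvectl reset-server-features"
fi
```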

** Description changed:

  Hi,
  
  I'm running Ubuntu 22.04 using systemd 249.11-0ubuntu3.4.
  
  2 days ago, I enabled DNSSEC=true through:
  
  # grep DNSSEC /etc/systemd/resolved.conf.d/dnssec.conf
  DNSSEC=yes
  
  After running some hours, systemd-resolved stop working. Log lines like
  incompatible-server starts to spam.
  
  Jul 09 13:51:41 htdocs systemd[1]: Starting Network Name Resolution...
  Jul 09 13:51:41 htdocs systemd-resolved[77507]: Positive Trust Anchors:
  Jul 09 13:51:41 htdocs systemd-resolved[77507]: . IN DS 20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
  Jul 09 13:51:41 htdocs systemd-resolved[77507]: Negative trust anchors: 
int.creativesandbox.de
  Jul 09 13:51:41 htdocs systemd-resolved[77507]: Using system hostname 
'htdocs'.
  Jul 09 13:51:41 htdocs systemd[1]: Started Network Name Resolution.
  Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question 214.162.in-addr.arpa IN SOA: no-signature
  Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question 76.214.162.in-addr.arpa IN DS: no-signature
  Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question 126.76.214.162.in-addr.arpa IN DS: no-signature
  Jul 09 15:40:20 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question 126.76.214.162.in-addr.arpa IN SOA: no-signature
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question . IN SOA: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question de IN DS: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question de IN SOA: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question your-server.de IN DS: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question your-server.de IN SOA: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question clients.your-server.de IN DS: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question 201.138.clients.your-server.de IN DS: incompatible-server
  Jul 10 03:16:18 htdocs systemd-resolved[77507]: DNSSEC validation failed for 
question static.237.11.201.138.clients.your-server.de IN AAAA: 
incompatible-server
  
  Mention here, I'm running multiple machines with the same config against
  the same upstream DNS server. From time to time, only one instance is
  stop working here.
  
  Running a manual query also fails here, for example:
  
  # resolvectl query noc3.wordfence.com
  noc3.wordfence.com: resolve call failed: DNSSEC validation failed: 
incompatible-server
  
  Running 'resolvectl reset-server-features' helps here and can be
  considered as workaround.
  
- 
  # resolvectl query noc3.wordfence.com
  noc3.wordfence.com: resolve call failed: DNSSEC validation failed: 
incompatible-server
  # resolvectl reset-server-features
  # resolvectl query noc3.wordfence.com
  noc3.wordfence.com: 35.155.126.231             -- link: eth0
  
  -- Information acquired via protocol DNS in 26.5ms.
  -- Data is authenticated: no; Data was acquired via local or encrypted 
transport: no
  -- Data from: network
  
- 
- By reading issues upstream looks like 
https://github.com/systemd/systemd/issues/6490.
+ By reading issues upstream looks like
+ https://github.com/systemd/systemd/issues/6490.
  
  A fix is implemented (https://github.com/systemd/systemd/pull/18624) and
  released in 248 which is included in Ubuntu 22.04.
  
  But there is another fix around this issue
  (https://github.com/systemd/systemd/pull/20214) which is released in
  systemd 250.
  
  I would like to know if it's possible to backport this fix into Ubuntu
  22.04.
  
  Thanks.
- 
- 
- https://github.com/systemd/systemd/pull/20214

https://bugs.launchpad.net/bugs/1981431

Title:
  systemd-resolved: DNSSEC validation failed: incompatible-server

Status in systemd package in Ubuntu:
  New
