> The "allow-downgrade" mechanism should detect such instances and accept them without DNSSEC validation.
I don't think that's the intent of DNSSEC=allow-downgrade. IIUC, dnsmasq, regardless of the presence of --dnssec, understands how to respond to DNSSEC queries. When systemd-resolved asks for DNSSEC validation of foo.lxd, dnsmasq says "I can't validate that" by sending an empty response for the validation.

In particular, because the response from dnsmasq contains the DO flag, and an empty RRSIG, systemd-resolved concludes "this server understands DNSSEC, and the record is unsigned, therefore validation failed". At least, that's my basic understanding of the systemd-resolved logic [1].

If, on the other hand, dnsmasq responded with some garbage that indicated it doesn't even _understand_ DNSSEC, systemd-resolved would invoke the allow-downgrade fallback, and accept the response without validation.

[1] https://github.com/systemd/systemd/blob/v257.8/src/resolve/resolved-dns-server.c#L699

--
Bug: https://bugs.launchpad.net/bugs/2119652
Title: systemd-resolved-dnssec breaks name resolution on lxd domain
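The distinction the reply draws (DO bit echoed with no RRSIG, versus no EDNS/DNSSEC understanding at all) is easy to check by hand. The following is an added example, not code from the bug report, from systemd, or from dnsmasq: a small DNS wire-format builder and parser plus a classifier that applies the heuristic exactly as the reply describes it. It is a model of that description only; the real systemd-resolved code path linked at [1] handles more cases than this. The function names, the sample packets and the placeholder RRSIG rdata are this example's own constructions.

```python
"""Model of the DNSSEC response classification described in the reply.
Constructed example, not systemd-resolved's or dnsmasq's code: it looks at
the two signals the reply names, the DO bit in the EDNS0 OPT record and
the presence of RRSIG records, and applies DNSSEC=yes vs allow-downgrade."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # DO bit is the top bit of the OPT record's TTL field (RFC 6891)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, off):
    """Decode a name at offset, following compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # caller resumes after the pointer
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(qname, answers, include_opt, do_bit):
    """Build a NOERROR answer to an A query, optionally with an EDNS0 OPT record."""
    additional = []
    if include_opt:
        additional.append(build_rr(".", TYPE_OPT, 4096, EDNS_DO if do_bit else 0, b""))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answers) + b"".join(additional)


def parse_rrs(wire):
    """Return every RR in the answer/authority/additional sections as tuples."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4                                       # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(wire, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rrs.append((name, rtype, rclass, ttl, wire[off:off + rdlen]))
        off += rdlen
    return rrs


def classify(wire):
    """'no-edns'  : no OPT/DO echoed, server does not understand DNSSEC
    'unsigned' : DO echoed but no RRSIG, the dnsmasq case from the reply
    'signed'   : RRSIG present, signature verification would follow (not modelled)"""
    rrs = parse_rrs(wire)
    opt = [rr for rr in rrs if rr[1] == TYPE_OPT]
    if not opt or not (opt[0][3] & EDNS_DO):
        return "no-edns"
    if any(rr[1] == TYPE_RRSIG for rr in rrs):
        return "signed"
    return "unsigned"


def accept(wire, policy):
    """Policy as the reply describes it: allow-downgrade only rescues a server
    that does not understand DNSSEC at all, never an unsigned answer from a
    DNSSEC-aware server."""
    kind = classify(wire)
    if kind == "signed":
        return True
    if kind == "no-edns":
        return policy == "allow-downgrade"
    return False                                       # 'unsigned' fails either way


# Constructed sample packets (not captured traffic); RRSIG rdata is a placeholder.
A_FOO = build_rr("foo.lxd", TYPE_A, 1, 60, bytes([10, 0, 0, 5]))
FAKE_RRSIG = build_rr("foo.lxd", TYPE_RRSIG, 1, 60, b"\x00" * 18)
DNSMASQ_STYLE = build_response("foo.lxd", [A_FOO], include_opt=True, do_bit=True)
LEGACY_STYLE = build_response("foo.lxd", [A_FOO], include_opt=False, do_bit=False)
SIGNED_STYLE = build_response("foo.lxd", [A_FOO, FAKE_RRSIG], include_opt=True, do_bit=True)

if __name__ == "__main__":
    for label, pkt in (("dnsmasq", DNSMASQ_STYLE), ("legacy", LEGACY_STYLE), ("signed", SIGNED_STYLE)):
        print(label, classify(pkt), "yes:", accept(pkt, "yes"),
              "allow-downgrade:", accept(pkt, "allow-downgrade"))
```

Against a live resolver the same two signals can be read from `dig +dnssec foo.lxd @<dnsmasq address>`: the `do` flag in the OPT pseudosection shows whether the server echoed DO, and the absence of any RRSIG in the answer section is the "unsigned" case above that allow-downgrade does not rescue.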
