IIUC, specific local/private domains (zones) can be excluded from DNSSEC
validation for the different tools.
So if your environment defines a private zone that is not available via
the DNS root servers, it needs to be excluded locally:
On the client side (systemd-resolved), through a negative trust-anchor:
# cat /usr/lib/dnssec-trust-anchors.d/lxd.negative
lxd
On the server (resolver) side:
- dnsmasq:
# this disables DNSSEC for the "lxd" zone, unless a corresponding trust-anchor is specified
server=/lxd/LXD_GATEWAY_IP
- bind9:
"""
options {
    [...]
    validate-except {
        "lxd";
    };
};
"""
** Also affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: bind9 (Ubuntu)
Status: New => Invalid
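
A way to check which names a negative trust anchor like the "lxd" one in the comment above exempts from validation. This is an added example, not part of the original bug comment or of systemd: the function names and the sample files built in a temporary directory are constructed for illustration, and the directory order and masking rule follow dnssec-trust-anchors.d(5).

```python
import tempfile
from pathlib import Path

# Search order from dnssec-trust-anchors.d(5); a file in an earlier directory
# overrides a same-named file in a later one (an empty file masks it).
ANCHOR_DIRS = ("/etc/dnssec-trust-anchors.d", "/run/dnssec-trust-anchors.d",
               "/usr/lib/dnssec-trust-anchors.d")

def split_labels(name):
    """Lower-cased DNS labels of a name, ignoring a trailing root dot."""
    return [p for p in str(name).strip().lower().rstrip(".").split(".") if p]

def load_negative_anchors(dirs=ANCHOR_DIRS):
    """Map each negative trust anchor domain to the file that defines it."""
    seen, anchors = set(), {}
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for path in sorted(directory.glob("*.negative")):
            if path.name in seen:      # overridden by an earlier directory
                continue
            seen.add(path.name)
            for line in path.read_text().splitlines():
                if line.strip() and not line.startswith(";"):  # skip blanks, comments
                    anchors.setdefault(".".join(split_labels(line)), str(path))
    return anchors

def covering_anchor(name, anchors):
    """Return the anchor whose subtree contains name (label-wise), else None."""
    labels = split_labels(name)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in anchors:
            return candidate
    return None

def demo():
    """Constructed sample tree: /usr/lib ships two files, /etc masks one of them."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, usr = Path(tmp, "etc"), Path(tmp, "usr-lib")
        etc.mkdir()
        usr.mkdir()
        (usr / "lxd.negative").write_text("; private LXD zone\nlxd\n")
        (usr / "corp.negative").write_text("corp.example\n")
        (etc / "corp.negative").write_text("")  # empty file masks the one above
        anchors = load_negative_anchors([etc, usr])
        names = ("c1.lxd", "LXD.", "notlxd", "host.corp.example", "example.com")
        return {n: covering_anchor(n, anchors) for n in names}
```

Calling load_negative_anchors() with no argument reads the real directories on the host; demo() returns the result for the constructed tree.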
--
https://bugs.launchpad.net/bugs/2119652
Title:
systemd-resolved-dnssec breaks name resolution on lxd domain