> systemd-resolved seems to correctly detect that the upstream dnsmasq server is not supporting DNSSEC...

What makes you say it's "correct" in this case? Are you testing with a dnsmasq server that doesn't know about DNSSEC? As we have already discussed, "unsigned records" != "lacks DNSSEC support". If you are able to trigger the downgrade reliably, please capture the debug-level logs from a single query in systemd-resolved. For example,

    $ resolvectl log-level debug
    $ resolvectl query <name>.lxd
    $ journalctl -u systemd-resolved --since "5s ago"

or something.

> It seems like this might still not be as reliable as we'd want it to be, and I'm pondering if we should downgrade that "Recommends: systemd-resolved-dnssec" to a "Suggests" after all...

If we go this route, let's please just revert the change altogether. I don't think carrying the extra binary package is worth it for a "Suggests:".

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title: systemd-resolved-dnssec breaks name resolution on lxd domain
