Public bug reported: The bug itself:
OS: Ubuntu 25.10 development release (both the latest Lubuntu daily image and a "manually built" installation I use for building packages are affected) Hardware: KVM virtual machine in virt-manager Steps to reproduce: * Boot the VM * Ensure systemd-resolved is running: `systemctl status systemd-resolved` * Try to ping Google: `ping google.com` Expected result: Packages can be sent and received Actual result: Ping errors out with "temporary failure in name resolution" Looking at `sudo journalctl -fu systemd-resolved.service`, DNSSEC "no- signature" errors are seen trying to resolve basically everything. Uninstalling the package `systemd-resolved-dnssec` and restarting systemd-resolved resolves the issue. ----- What to do about the bug: Technically, everything is working as intended here. DNSSEC was enabled in "allow-downgrade" mode by default by https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2117730, with the understanding that this *would* break DNS resolution for some users, and that those users would have to remove `systemd-resolved-dnssec` and restart `systemd-resolved` to get their network to work. However, because systemd-resolved-dnssec has been made a "Recommends" of systemd-resolved and not a "Suggests", it is being installed by default on built ISOs, which is highly problematic for probably all of the flavors and perhaps even Ubuntu Desktop itself. This means that, using the latest Lubuntu daily image, I have no Internet at all, and the only reason I was able to figure out why was because I have some network troubleshooting experience (which many users won't have). The user is given *zero* indication that there could be network issues due to DNSSEC, or how to resolve those issues, or anything. The user is just left with broken Internet, they don't know why, and depending on what devices they have available to them they might not even be able to figure out how to disable DNSSEC because they don't have Internet to look it up. I would suggest that systemd-resolved-dnssec be demoted to a "Suggests" of systemd-resolved. This way flavors that are interested in enabling it by default and are ready to help the user overcome networking hurdles they may encounter can explicitly seed it, while flavors that don't want to trouble their users with that can simply leave it off their images. Alternatively, some way of blacklisting packages from ISOs that actually works could be used to avoid the need for a demotion, but as many of us know, germinate's blacklisting functionality can't be used for this (it does not do what most of us probably would guess it does). I'm definitely open to other options here (it would be awesome if systemd-resolved could fall back to some trusted DNS server like one of the root servers if the "local" DNS server provided by an access point didn't work), but I really do not want to have to just release note this and hope users see it. We could introduce a "Turn of DNSSEC" or similar button in Lubuntu's application menu if all else failed, but that would be a very, very hacky solution. ** Affects: systemd (Ubuntu) Importance: Critical Status: New ** Changed in: systemd (Ubuntu) Importance: Undecided => Critical -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2121483 Title: DNS completely broken on Ubuntu Questing To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2121483/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
