FTR: here is a sd-resolved debug log of:

$ resolvectl log-level debug
$ resolvectl flush-caches
$ resolvectl query nn-abi.lxd # this is another LXD container, running on my host.

=> as we can see, it does not get a DS record (as expected, as the .lxd domain 
has no chain of trust):
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Found verdict for lookup lxd 
IN DS: bogus
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed 
for question lxd IN DS: no-signature


"""
Aug 28 14:23:54 tender-fowl systemd-resolved[123]: Flushed all caches.
Aug 28 14:23:54 tender-fowl systemd-resolved[123]: Sent message 
type=method_return sender=n/a destination=:1.17 path=n/a interface=n/a 
member=n/a cookie=24 reply_cookie=2 signature=n/a error-name=n/a 
error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message type=method_call 
sender=:1.18 destination=org.freedesktop.resolve1 
path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager 
member=ResolveHostname  cookie=2 reply_cookie=0 signature=isit error-name=n/a 
error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: idn2_lookup_u8: nn-abi.lxd → 
nn-abi.lxd
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message 
type=method_call sender=n/a destination=org.freedesktop.DBus 
path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
member=GetConnectionCredentials cookie=25 reply_cookie=0 signature=s 
error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message 
type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a 
interface=n/a member=n/a  cookie=15 reply_cookie=25 signature=a{sv} 
error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: D-Bus hostname resolution 
request from client PID 633 (resolvectl) with UID 0
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Looking up RR for nn-abi.lxd 
IN A.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Looking up RR for nn-abi.lxd 
IN AAAA.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message 
type=method_call sender=n/a destination=org.freedesktop.DBus 
path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch 
cookie=26 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message 
type=method_call sender=n/a destination=org.freedesktop.DBus 
path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner 
cookie=27 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message 
type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a 
interface=n/a member=n/a  cookie=17 reply_cookie=27 signature=s error-name=n/a 
error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN 
A
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 
64076 for <nn-abi.lxd IN A> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level 
UDP+EDNS0+DO for transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 
for transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 
in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 
1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 
64076 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN 
AAAA
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 
38417 for <nn-abi.lxd IN AAAA> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level 
UDP+EDNS0+DO for transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 
for transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 
in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 
1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 
38417 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of 
size 55, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, 
destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet 
of size 55 on transaction 64076 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS to validate 
transaction 64076 (nn-abi.lxd, unsigned non-SOA/NS RRset <nn-abi.lxd IN A 
10.238.94.180>).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for nn-abi.lxd IN 
DS
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 
48002 for <nn-abi.lxd IN DS> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level 
UDP+EDNS0+DO for transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 
for transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 
in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 
1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 
48002 of size 62.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of 
size 67, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, 
destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet 
of size 67 on transaction 38417 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS to validate 
transaction 38417 (nn-abi.lxd, unsigned non-SOA/NS RRset <nn-abi.lxd IN AAAA 
fd42:7213:f20e:bd74:216:3eff:fe81:cd61>).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of 
size 39, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, 
destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet 
of size 39 on transaction 48002 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS (→ lxd) to 
validate transaction 48002 (nn-abi.lxd empty response).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Cache miss for lxd IN DS
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Firing regular transaction 
32387 for <lxd IN DS> scope dns on eth0/* (validate=yes).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using feature level 
UDP+EDNS0+DO for transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Using DNS server 10.238.94.1 
for transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Announcing packet size 1472 
in egress EDNS(0) packet.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Emitting UDP, link MTU is 
1500, socket MTU is 0, minimal MTU is 40
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sending query packet with id 
32387 of size 55.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Received dns UDP packet of 
size 32, ifindex=38, ttl=0, fragsize=0, sender=10.238.94.1, 
destination=10.238.94.184
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Processing incoming packet 
of size 32 on transaction 32387 (rcode=SUCCESS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Requesting DS (→ ) to 
validate transaction 32387 (lxd empty response).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Validating response from 
transaction 32387 (lxd IN DS).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Found verdict for lookup lxd 
IN DS: bogus
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed 
for question lxd IN DS: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 32387 
for <lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from 
network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query 
failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed 
for question nn-abi.lxd IN DS: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 48002 
for <nn-abi.lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> 
from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query 
failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed 
for question nn-abi.lxd IN A: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 64076 
for <nn-abi.lxd IN A> on scope dns on eth0/* now complete with <dnssec-failed> 
from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Auxiliary DNSSEC RR query 
failed validation: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: [🡕] DNSSEC validation failed 
for question nn-abi.lxd IN AAAA: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Regular transaction 38417 
for <nn-abi.lxd IN AAAA> on scope dns on eth0/* now complete with 
<dnssec-failed> from network (unsigned; non-confidential).
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 64076.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message type=error 
sender=n/a destination=:1.18 path=n/a interface=n/a member=n/a cookie=28 
reply_cookie=2 signature=s error-name=org.freedesktop.resolve1.DnssecFailed 
error-message=DNSSEC validation failed: no-signature
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Sent message 
type=method_call sender=n/a destination=org.freedesktop.DBus 
path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch 
cookie=29 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 38417.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 48002.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Freeing transaction 32387.
Aug 28 14:23:58 tender-fowl systemd-resolved[123]: Got message 
type=method_return sender=org.freedesktop.DBus destination=:1.0 path=n/a 
interface=n/a member=n/a  cookie=16 reply_cookie=26 signature=n/a 
error-name=n/a error-message=n/a
"""

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/2119652/+subscriptions
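
An added example, not part of the original comment and not systemd code: a small Python parser that rejoins the mail-wrapped journal entries, collects each transaction's question and result, and reports the first failed validation, which in this log is the `lxd IN DS` lookup. The function names are hypothetical, the sample lines are taken from the log above, and treating the first failure in log order as the origin of the others is an assumption based on this log's ordering.

```python
import re

# Constructed sample: entries taken from the log above; the first one is left wrapped.
P = "Aug 28 14:23:58 tender-fowl systemd-resolved[123]: "
SAMPLE = "\n".join([
    P + "Firing regular transaction",
    "64076 for <nn-abi.lxd IN A> scope dns on eth0/* (validate=yes).",
    P + "Firing regular transaction 48002 for <nn-abi.lxd IN DS> scope dns on eth0/* (validate=yes).",
    P + "Firing regular transaction 32387 for <lxd IN DS> scope dns on eth0/* (validate=yes).",
    P + "[🡕] DNSSEC validation failed for question lxd IN DS: no-signature",
    P + "Regular transaction 32387 for <lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).",
    P + "[🡕] DNSSEC validation failed for question nn-abi.lxd IN DS: no-signature",
    P + "Regular transaction 48002 for <nn-abi.lxd IN DS> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).",
    P + "[🡕] DNSSEC validation failed for question nn-abi.lxd IN A: no-signature",
    P + "Regular transaction 64076 for <nn-abi.lxd IN A> on scope dns on eth0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).",
])

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FIRED = re.compile(r"Firing regular transaction (\d+) for <(.+?)>")
DONE = re.compile(r"Regular transaction (\d+) for <(.+?)> .* now complete with <([\w-]+)>")
FAILED = re.compile(r"DNSSEC validation failed for question (.+?): ([\w-]+)")

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def summarize(text):
    """Return (transactions, failures): question/result per id, failures in log order."""
    tx, failures = {}, []
    for entry in unwrap(text):
        if m := FIRED.search(entry):
            tx[int(m[1])] = {"question": m[2], "result": None}
        elif m := DONE.search(entry):
            tx.setdefault(int(m[1]), {"question": m[2]})["result"] = m[3]
        elif m := FAILED.search(entry):
            failures.append((m[1], m[2]))
    return tx, failures

def break_point(text):
    """First failed question in log order, or None when nothing failed validation."""
    _, failures = summarize(text)
    return failures[0] if failures else None
```
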

