On 2019-01-12 9:36 a.m., Marc Deslauriers wrote:
> On 2019-01-11 11:01 p.m., J Doe wrote:
>> Hello,
>>
>> I currently run a server using Ubuntu 18.04.1 LTS with patches current to
>> today (Jan 11, 2019). I configured systemd-resolved to use DNSSEC
>> validation by editing: /etc/systemd/resolved.conf and setting: DNSSEC=yes.
>>
>> When I check my syslog, I note that systemd-resolved is logging that the
>> positive trust anchor for the root has been revoked:
>>
>> Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 has been revoked. Please update the trust anchor, or upgrade your operating system.
>>
>> I checked: man dnssec-trust-anchors.d and read:
>>
>> "Note that systemd-resolved will automatically use a built-in trust anchor
>> key for the Internet root domain if no positive trust anchors are defined
>> for the root domain."
>>
>> I verified that: /etc/dnssec-trust-anchors.d/*.positive,
>> /run/dnssec-trust-anchors.d/*.positive,
>> /usr/lib/dnssec-trust-anchors.d/*.positive do *NOT* exist, which means that
>> only the compiled-in root trust anchor key is being used and that
>> systemd-resolved has found that it has been revoked.
>>
>> Does this require a new root trust anchor to be compiled in and then shipped
>> in a systemd update, or should I manually acquire the root trust anchor and
>> place it in one of the directories mentioned in: man dnssec-trust-anchors.d ?
>>
>> For the meantime, I have disabled DNSSEC validation in:
>> /etc/systemd/resolved.conf
>>
>> Thanks,
>>
>> - J
>>
>
> It looks like resolved in 18.04 does in fact contain both the old and new trusty
> anchors hardcoded in resolved-dns-trusty-anchor.c. A quick look at the file
> suggests the expired one then gets removed from the list and the warning is
> issued.
>
> Do you only get the warning once?
>
> Marc.
>
Wow, I managed to typo "trust" as "trusty" twice. Stupid muscle memory ;)

Marc.

-- 
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
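As an added example (not part of the thread or of systemd), the following Python helper parses the revocation message systemd-resolved logs, as quoted above, and the DS lines of a dnssec-trust-anchors.d `*.positive` file, then reports which configured anchors for a zone survive the revocation. The `.positive` content below is a constructed sample; the key tag 65000 and its all-zero digest are placeholders, not a real root anchor.

```python
import re
from dataclasses import dataclass

# Shape of the journal line quoted in the thread (systemd-resolved, Ubuntu 18.04).
REVOKED_RE = re.compile(
    r"DNSSEC Trust anchor (?P<zone>\S+) IN DS (?P<tag>\d+) (?P<alg>\d+) "
    r"(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f]+)\s+has been revoked")
# One DS line of a *.positive file, per dnssec-trust-anchors.d(5):
# "<zone> IN DS <key tag> <algorithm> <digest type> <digest>".
DS_RE = re.compile(
    r"^(?P<zone>\S+)\s+IN\s+DS\s+(?P<tag>\d+)\s+(?P<alg>\d+)\s+"
    r"(?P<dtype>\d+)\s+(?P<digest>[0-9A-Fa-f]+)\s*$")

@dataclass(frozen=True)
class DsRecord:
    zone: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-cased so syslog (lower-case) and IANA (upper-case) spellings compare equal

def _record(m: re.Match) -> DsRecord:
    return DsRecord(m["zone"], int(m["tag"]), int(m["alg"]), int(m["dtype"]), m["digest"].upper())

def revoked_anchors(log_text: str) -> set[DsRecord]:
    """Every anchor that systemd-resolved reported as revoked in the given log text."""
    return {_record(m) for m in REVOKED_RE.finditer(log_text)}

def positive_anchors(file_text: str) -> set[DsRecord]:
    """Parse a *.positive file; blank lines and ';' comments are skipped, bad lines rejected."""
    out: set[DsRecord] = set()
    for line in file_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = DS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable trust anchor line: {line!r}")
        out.add(_record(m))
    return out

def usable_anchors(zone: str, log_text: str, *positive_files: str) -> set[DsRecord]:
    """Configured anchors for `zone` minus the revoked ones; empty means no valid anchor is left."""
    revoked = revoked_anchors(log_text)
    configured = set().union(*(positive_anchors(t) for t in positive_files))
    return {a for a in configured if a.zone == zone and a not in revoked}

# Constructed inputs: the log line from the thread, and a placeholder anchor file.
SAMPLE_LOG = ("Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS 19036 8 2 "
              "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 has been revoked. "
              "Please update the trust anchor, or upgrade your operating system.")
SAMPLE_POSITIVE = """; constructed sample file, not a real root anchor set
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 65000 8 2 0000000000000000000000000000000000000000000000000000000000000000 ; placeholder
"""
```

Running `usable_anchors(".", SAMPLE_LOG, SAMPLE_POSITIVE)` leaves only the placeholder anchor, while calling it with no anchor files returns an empty set, which is the situation the original poster describes with only the built-in key present.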
