> On 2019-01-12 9:36 a.m., Marc Deslauriers wrote:
>> On 2019-01-11 11:01 p.m., J Doe wrote:
>>> Hello,
>>>
>>> I currently run a server using Ubuntu 18.04.1 LTS with patches current to
>>> today (Jan 11, 2019). I configured systemd-resolved to use DNSSEC
>>> validation by editing: /etc/systemd/resolved.conf and setting: DNSSEC=yes.
>>>
>>> When I check my syslog, I note that systemd-resolved is logging that the
>>> positive trust anchor for the root has been revoked:
>>>
>>> Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS
>>> 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
>>> has been revoked. Please update the trust anchor, or upgrade your operating
>>> system.
>>>
>>> I checked: man dnssec-trust-anchors.d and read:
>>>
>>> "Note that systemd-resolved will automatically use a built-in trust anchor
>>> key for the Internet root domain if no positive trust anchors are defined
>>> for the root domain."
>>>
>>> I verified that: /etc/dnssec-trust-anchors.d/*.positive,
>>> /run/dnssec-trust-anchors.d/*.positive,
>>> /usr/lib/dnssec-trust-anchors.d/*.positive do *NOT* exist, which means that
>>> only the compiled in root trust anchor key is being used and that
>>> systemd-resolved has found that it has been revoked.
>>>
>>> Does this require a new root trust anchor to be compiled in and then
>>> shipped in a systemd update or should I manually acquire the root trust
>>> anchor and place it in one of the directories mentioned in: man
>>> dnssec-trust-anchors.d ?
>>>
>>> For the meantime, I have disabled DNSSEC validation in:
>>> /etc/systemd/resolved.conf
>>>
>>> Thanks,
>>>
>>> - J
>>>
>>
>> It looks like resolved in 18.04 does in fact contain both the old and new
>> trusty
>> anchors hardcoded in resolved-dns-trusty-anchor.c. A quick look at the file
>> suggests the expired one then gets removed from the list and the warning is
>> issued.
>>
>> Do you only get the warning once?
>>
>> Marc.
>>
>
> Wow, I managed to typo "trust" as "trusty" twice. Stupid muscle memory ;)
>
> Marc.
Hi Marc,
Ha ha, that’s ok - I understood what you meant re: trust/trusty!
Yes, I receive the warning for the one expired trust anchor. To test this I:
* Enabled DNSSEC validation in: /etc/systemd/resolved.conf
* Restarted systemd-resolved
* Verified that DNSSEC validation was available via: sudo systemd-resolve --status
* Exercised the DNSSEC validation functionality with a DNSSEC enabled site: systemd-resolve www.ietf.org
Upon the last step, this triggers the single warning message in syslog about
the one outdated root trust anchor but as the result of that step I can see
that the data was authenticated.
Originally, I thought after I ran that last step that DNSSEC validation
*failed* but I was incorrect.
- J
--
ubuntu-server mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
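The thread turns on reading one syslog line and checking which root trust anchors a resolver still holds. The script below is an added example, not code from the thread, from systemd or from Ubuntu: it parses the revocation message format quoted above, parses DS lines from a dnssec-trust-anchors.d `*.positive` file (the record syntax the man page quoted in the thread describes), and reports which configured anchors were revoked and which remain. The sample syslog line is the one from the thread; the sample `.positive` content is constructed here, and the key-tag 20326 entry in it is IANA's published KSK-2017 DS record, which should be verified against https://data.iana.org/root-anchors/ before being deployed.

```python
"""Audit systemd-resolved DNSSEC trust anchors against its revocation log lines.

Added example (not from the thread, systemd or Ubuntu). It assumes the record
syntax shown in the thread: "<name> IN DS <keytag> <alg> <digesttype> <hex>".
"""
import re
from dataclasses import dataclass

# Hex digest length expected for each DS digest type
# (1 = SHA-1, 2 = SHA-256, 4 = SHA-384; RFC 4034, RFC 4509, RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

# Matches the revocation message as logged by systemd-resolved in the thread.
_REVOKED_RE = re.compile(r"DNSSEC Trust anchor (.+?) has been revoked")


@dataclass(frozen=True)
class DSRecord:
    name: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def parse_ds(text: str) -> DSRecord:
    """Parse '<name> IN DS <keytag> <alg> <digesttype> <hexdigest>'.

    Whitespace inside the digest (line-wrapped mail, pretty-printed files)
    is tolerated; malformed or truncated digests are rejected rather than
    silently accepted as an anchor.
    """
    parts = text.split()
    if len(parts) < 6 or parts[1].upper() != "IN" or parts[2].upper() != "DS":
        raise ValueError(f"not a DS record: {text!r}")
    key_tag, algorithm, digest_type = (int(p) for p in parts[3:6])
    digest = "".join(parts[6:]).lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"digest is not hex: {digest!r}")
    expected = DIGEST_HEX_LEN.get(digest_type)
    if expected is None:
        raise ValueError(f"unknown DS digest type {digest_type}")
    if len(digest) != expected:
        raise ValueError(
            f"digest type {digest_type} needs {expected} hex chars, got {len(digest)}")
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError(f"key tag out of range: {key_tag}")
    return DSRecord(parts[0], key_tag, algorithm, digest_type, digest)


def revoked_anchors(syslog_lines):
    """Return the DS records that systemd-resolved reported as revoked."""
    found = []
    for line in syslog_lines:
        m = _REVOKED_RE.search(line)
        if m:
            found.append(parse_ds(m.group(1)))
    return found


def parse_positive_file(content: str):
    """Parse DS lines from a dnssec-trust-anchors.d *.positive file.

    Blank lines and '#' / ';' comments are ignored; DNSKEY-form lines are
    skipped because only DS anchors are compared here.
    """
    anchors = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2 and fields[2].upper() == "DS":
            anchors.append(parse_ds(line))
    return anchors


def audit(configured, revoked):
    """Split configured anchors into (revoked, still valid) by name/tag/digest."""
    revoked_ids = {(r.name, r.key_tag, r.digest) for r in revoked}
    dead = [a for a in configured if (a.name, a.key_tag, a.digest) in revoked_ids]
    alive = [a for a in configured if (a.name, a.key_tag, a.digest) not in revoked_ids]
    return dead, alive


# Sample syslog line: the one quoted in the thread, joined onto a single line.
SAMPLE_SYSLOG = [
    "Jan 11 17:59:48 server systemd-resolved[728]: DNSSEC Trust anchor . IN DS "
    "19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 "
    "has been revoked. Please update the trust anchor, or upgrade your operating system.",
]

# Constructed *.positive content: the revoked 2010 root KSK from the thread plus
# IANA's published KSK-2017 DS record (verify against data.iana.org/root-anchors).
SAMPLE_POSITIVE = """\
# root trust anchors (constructed sample file)
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D ; KSK-2017
"""

if __name__ == "__main__":
    dead, alive = audit(parse_positive_file(SAMPLE_POSITIVE), revoked_anchors(SAMPLE_SYSLOG))
    for a in dead:
        print(f"REVOKED  {a.name} key tag {a.key_tag}")
    for a in alive:
        print(f"valid    {a.name} key tag {a.key_tag}")
    if not alive:
        print("WARNING: no usable root trust anchor remains; validation will fail")
```

Run against a real host by replacing the two samples with `journalctl -u systemd-resolved` output and the contents of `/etc/dnssec-trust-anchors.d/*.positive`; an empty "valid" list is the condition worth alerting on, whereas a revoked entry alongside a valid one is the benign situation the thread ends on.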