Folks,

This appears to be "systemd-resolved in default config talking to Google Domains with DNSSEC asking for a non-existent SRV record", and my thoughts of "if it were this broken, people would be screaming louder already, so I must be missing something", so I'm going to walk step by step through the chain.

On my production systems, I use unbound, not systemd-resolved; unbound-anchor on Linux is too buggy to use, so I'm stuck with systemd-resolved on my laptop. Normally I keep /etc/systemd/resolved.conf saying "DNSSEC=yes", but if I've been travelling outside my home, I revert it back to its _default_ of "DNSSEC=allow-downgrade". (Thank you, cellular networks and 464XLAT breaking DNSSEC.)

With GnuPG trying to talk to keys.openpgp.org I was getting generic error messages from GnuPG; turning dirmngr logs way up, I could get:

  DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a failure

With systemd-resolved on its default of allow-downgrade, that matches this in the resolver's journal logs:

  Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature

An analysis of <https://dnsviz.net/d/_pgpkey-http._tcp.keys.openpgp.org/dnssec/> (with advanced settings used to ask for SRV) shows no DNSSEC complaints.

Upstream from the systemd-resolved process are two current Unbound servers (1.10.1), and the third in the list is a Knot resolver (5.1.1). The DNS authoritative servers for openpgp.org are delegating `keys.openpgp.org` to `ns-cloud-a1.googledomains.com.` and friends (a1 thru a4).

I'm not seeing any misbehavior from the authoritative servers at any level, but I'm not seeing why the lookup of something legitimately returning NXDOMAIN would need to trigger whatever's going on here, and I'm not following the logic at <https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md>.

Can someone please explain what I'm missing, or confirm that this really is a bug and it's just that DNSSEC+SRV+systemd-resolved is still fairly rare for most?

Thanks,
-Phil

_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
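As an added example (not part of Phil's post or of systemd), here is a small checker that runs over the journal lines quoted above to separate the two events they contain: the DVE-2018-0001 feature-level downgrade, and the per-name "no-signature" validation failures that follow it. The sample input is constructed from the lines in the post; the downgrade-vs-bad-signature heuristic is this example's own reading of the log, not a systemd diagnostic.

```python
import re
from collections import defaultdict

# Constructed sample: the systemd-resolved journal lines quoted in the post.
JOURNAL = """\
Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature
"""

# "mitigating potential DNS violation DVE-2018-0001, retrying ... feature level UDP."
DOWNGRADE_RE = re.compile(r"mitigating potential DNS violation (DVE-\d{4}-\d+), "
                          r"retrying transaction with reduced feature level (\S+?)\.?$")
# "DNSSEC validation failed for question <name> IN <type>: <reason>"
FAILED_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)$")


def analyze(lines):
    """Collect downgrade events and validation failures keyed by name and RR type."""
    report = {"downgrades": [], "failures": defaultdict(dict)}
    for line in lines:
        m = DOWNGRADE_RE.search(line)
        if m:
            report["downgrades"].append({"dve": m.group(1), "level": m.group(2)})
            continue
        m = FAILED_RE.search(line)
        if m:
            name, rtype, reason = m.groups()
            report["failures"][name][rtype] = reason
    return report


def likely_downgrade_artifact(report):
    """True when every failure reason is 'no-signature' and a downgrade preceded them.
    A retry at feature level UDP carries no EDNS0 and therefore no DO bit, so the
    answers arrive without RRSIGs; that is a different situation from a zone whose
    signatures actually fail to verify (which would log a different reason)."""
    reasons = {r for types in report["failures"].values() for r in types.values()}
    return bool(report["downgrades"]) and reasons == {"no-signature"}


if __name__ == "__main__":
    rep = analyze(JOURNAL.splitlines())
    for name, types in rep["failures"].items():
        print(f"{name}: {', '.join(sorted(types))}")
    print("downgrade artifact:", likely_downgrade_artifact(rep))
```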
