On Mon, Jul 13, 2020 at 03:28:46PM -0400, Phil Pennock wrote:
> With GnuPG trying to talk to keys.openpgp.org I was getting generic
> error messages from GnuPG; turning dirmngr logs way up, I could get:
>
> DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a
> failure
>
> With systemd-resolved on its default of allow-downgrade, that matches
> this in the resolver logs journal:
>
> Server returned error NXDOMAIN, mitigating potential DNS violation
> DVE-2018-0001, retrying transaction with reduced feature level UDP.
> DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS:
> no-signature
> DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA:
> no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN
> DS: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN
> SOA: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN
> SRV: no-signature
> DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN
> TXT: no-signature
>
> An analysis of
> <https://dnsviz.net/d/_pgpkey-http._tcp.keys.openpgp.org/dnssec/>
> (with advanced settings used to ask for SRV) shows no DNSSEC complaints.
It also shows that qname definitively does not exist, with appropriate
signatures and NSEC records, ... But systemd-resolved, in its infinite
wisdom then decides to second-guess that, and retry with DO=0, and then
complains that the answer is unsigned???
At first blush, looks like severe systemd-resolved brain-damage to me.
https://dilbert.com/strip/1995-06-24
--
Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
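A small triage script for the journal pattern the thread describes, added here as an example and not code from either poster or from systemd: once resolved logs a DVE-2018-0001 feature-level downgrade, the retried query goes out with DO=0, so the "no-signature" validation failures that follow are a consequence of the downgrade rather than evidence of a broken zone, and the script separates those from failures that still need a look. The sample lines are constructed after the quoted excerpt; the `www.example.test` line is invented.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the journal excerpt quoted in the thread; not a real capture.
SAMPLE_JOURNAL = [
    "Server returned error NXDOMAIN, mitigating potential DNS violation "
    "DVE-2018-0001, retrying transaction with reduced feature level UDP.",
    "DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature",
    "DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature",
    "DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature",
    "DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature",
    # Constructed: a failure with a different result, which no downgrade explains.
    "DNSSEC validation failed for question www.example.test IN A: invalid",
]

DOWNGRADE_RE = re.compile(
    r"Server returned error (\w+), mitigating potential DNS violation "
    r"(DVE-\d{4}-\d{4}), retrying transaction with reduced feature level (\S+)\."
)
FAILED_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)")


def triage(lines):
    """Split resolved's DNSSEC failures into those that follow a feature-level
    downgrade (the retry carries no DO bit, so 'no-signature' is the expected
    outcome) and those that need a real investigation."""
    downgrades = []                      # (rcode, DVE id, reduced feature level)
    after_downgrade = defaultdict(list)  # qname -> rrtypes reported as no-signature
    other = []                           # (qname, rrtype, result) not explained by a downgrade
    downgraded = False
    for line in lines:
        m = DOWNGRADE_RE.search(line)
        if m:
            downgrades.append(m.groups())
            downgraded = True
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue
        qname, rrtype, result = m.groups()
        if downgraded and result == "no-signature":
            after_downgrade[qname].append(rrtype)
        else:
            other.append((qname, rrtype, result))
    return {"downgrades": downgrades, "after_downgrade": dict(after_downgrade), "other": other}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JOURNAL).items():
        print(key, value)
```

Feed it `journalctl -u systemd-resolved` output line by line to see whether the noisy failures all sit behind a downgrade.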