I can confirm this problem also on Ubuntu Jammy, systemd-resolved from systemd 249.11-0ubuntu3.12.
I had mails queued to cluster5.eu.messagelabs.com:25 in my queues for hours. Local stub-resolver failed with SERVFAIL: prod-mail-01:~$ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA ;; resolution failed: SERVFAIL An internal unbound resolver or Google DNS worked: delv @10.1.1.4 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA ;; resolution failed: ncache nxrrset ; negative response, fully validated ; _25._tcp.cluster5.us.messagelabs.com. 900 IN \-TLSA ;-$NXRRSET ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ... ; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP AAAA SRV NAPTR DNAME SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400 ; messagelabs.com. RRSIG SOA ... Mails queued with error: May 30 09:22:17 vm-ewkf-prod-mail-01 postfix/smtp[3087917]: 7DE0041E79: to=<u...@domain.de>, relay=none, delay=63515, delays=63515/0.03/0.08/0, dsn=4.7.5, status=deferred (TLSA lookup error for cluster5.eu.messagelabs.com:25) May 30 10:07:17 vm-ewkf-prod-mail-01 postfix/smtp[3089367]: 8EE4C41DC6: to=<anotheru...@domain.de>, relay=none, delay=67515, delays=67515/0.03/0.09/0, dsn=4.7.5, status=deferred (TLSA lookup error for cluster5.eu.messagelabs.com:25) May 30 10:12:18 vm-ewkf-prod-mail-01 postfix/smtp[3089603]: 4E46041E69: to=<anotheru...@domain.de>, relay=none, delay=67632, delays=67632/0.04/0.09/0, dsn=4.7.5, status=deferred (TLSA lookup error for cluster5.eu.messagelabs.com:25) After disabling stub-resolver everything went out: May 30 11:11:42 prod-mail-01 postfix/smtp[3092649]: 7DE0041E79: to=<u...@domain.de>, relay=cluster5.eu.messagelabs.com[195.245.231.72]:25, delay=70080, delays=70079/0.56/0.23/0.31, dsn=2.0.0, status=sent (250 ok 1717060302 qp 31363 server-5.tower-565.messagelabs.com!1717060301!18002!1) May 30 11:11:42 prod-mail-01 postfix/qmgr[3092578]: 7DE0041E79: removed May 30 11:11:42 prod-mail-01 postfix/smtp[3092651]: 4E46041E69: to=<anotheru...@domain.de>, relay=cluster5.eu.messagelabs.com[85.158.142.214]:25, delay=71196, delays=71195/0.58/0.31/0.45, dsn=2.0.0, status=sent (250 ok 1717060302 qp 12390 server-3.tower-732.messagelabs.com!1717060301!14409!1) May 30 11:11:42 prod-mail-01 postfix/smtp[3092650]: 318D441E07: to=<anotheru...@domain.de>, relay=cluster5.eu.messagelabs.com[85.158.142.210]:25, delay=70351, delays=70350/0.57/0.33/0.44, dsn=2.0.0, status=sent (250 ok 1717060302 qp 7378 server-5.tower-728.messagelabs.com!1717060301!22678!1) May 30 11:11:42 prod-mail-01 postfix/qmgr[3092578]: 4E46041E69: removed May 30 11:11:42 prod-mail-01 postfix/qmgr[3092578]: 318D441E07: removed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2062542 Title: systemd-resolved stub gives SERVFAIL for DNSSEC negative response To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/2062542/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
