Bug#954490: systemd: resolved.conf "allow-downgrade" doesn't work
Fanis Dokianakis
infl00p at gmail.com
Sat Apr 4 08:41:31 BST 2020
I confirm that this bug exists after upgrading systemd. Systemd-resolved
*sometimes* does not downgrade and SERVERFAILS on all domains that do not
have a signature dns record.
The error with resolvectl query is
$ resolvectl query example.domain
example.domain: resolve call failed: DNSSEC validation failed: no-signature
$ resolvectl reset-server-features
or
$ resolvectl flush-caches
This is a problem that can only be corrected by passing dnssec=no to all
interfaces (even ones with no dns server) or global in the configuration
and restart the systemd-resolved
Happens with both:
systemd 245 (245.2-1)
systemd 245 (245.4-1)
My DNS resolver is a unmodified openwrt (dnsmasq) router which forwards to
1.1.1.1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20200404/0b55c01d/attachment.html>
More information about the Pkg-systemd-maintainers
mailing list