Bug#954490: systemd: resolved.conf "allow-downgrade" doesn't work

Fanis Dokianakis infl00p at gmail.com
Sat Apr 4 08:41:31 BST 2020

I confirm that this bug exists after upgrading systemd. Systemd-resolved
*sometimes* does not downgrade and SERVERFAILS on all domains that do not
have a signature dns record.

The error with resolvectl query is
$ resolvectl query example.domain
example.domain: resolve call failed: DNSSEC validation failed: no-signature

$ resolvectl reset-server-features
$ resolvectl flush-caches
This is a problem that can only be corrected by passing dnssec=no to all
interfaces (even ones with no dns server) or global in the configuration
and restart the systemd-resolved

Happens with both:
systemd 245 (245.2-1)
systemd 245 (245.4-1)

My DNS resolver is a unmodified openwrt (dnsmasq) router which forwards to
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20200404/0b55c01d/attachment.html>

More information about the Pkg-systemd-maintainers mailing list