Bug#954490: systemd: resolved.conf "allow-downgrade" doesn't work

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Apr 15 20:06:41 BST 2020

On Sat, Apr 04, 2020 at 10:41:31AM +0300, Fanis Dokianakis wrote:
> I confirm that this bug exists after upgrading systemd. Systemd-resolved
> *sometimes* does not downgrade and SERVERFAILS on all domains that do not
> have a signature dns record.

That's not what "allow-downgrade" means. The downgrade happens when the
configured DNS server does not support DNSSEC, not when some domain has
an invalid signature.

> The error with resolvectl query is
> $ resolvectl query example.domain
> example.domain: resolve call failed: DNSSEC validation failed: no-signature

Please give an actual domain name that fails resolution. Not providing
a reproducer just makes this harder for anyone trying to resolve this.
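Added example, not part of the original email and not systemd code: a small triage helper that separates the two cases distinguished above. It checks whether the configured server returns DNSSEC data at all (the case "allow-downgrade" covers) and pairs that with the failure reason resolvectl reports. It assumes you ran `dig +dnssec` for a name known to be signed against the configured server. The sample outputs and the name `signed.example` are constructed, and the check only approximates how resolved judges server support.

```python
import re

# Constructed `dig +dnssec signed.example @<server>` outputs (not real captures).
AWARE = (
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    ";; OPT PSEUDOSECTION:\n"
    "; EDNS: version: 0, flags: do; udp: 1232\n"
    ";; ANSWER SECTION:\n"
    "signed.example.\t300\tIN\tA\t192.0.2.10\n"
    "signed.example.\t300\tIN\tRRSIG\tA 13 2 300 20200501000000 "
    "20200401000000 12345 signed.example. c2FtcGxl\n"
)
UNAWARE = (
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
    ";; ANSWER SECTION:\n"
    "signed.example.\t300\tIN\tA\t192.0.2.10\n"
)
# Error line in the format quoted in the report above.
ERROR = "example.domain: resolve call failed: DNSSEC validation failed: no-signature"


def server_passes_dnssec(dig_output):
    """Return (edns_do, has_rrsig) for one `dig +dnssec` response."""
    edns_do = bool(re.search(r"^; EDNS:.*flags:[^;]*\bdo\b", dig_output, re.M))
    has_rrsig = False
    for line in dig_output.splitlines():
        fields = line.split()
        # Record lines are: owner, TTL, class, type, rdata. Comments start with ';'.
        if not line.startswith(";") and len(fields) >= 4 and fields[3] == "RRSIG":
            has_rrsig = True
    return edns_do, has_rrsig


def triage(dig_output, resolvectl_error):
    """Pair the resolvectl failure reason with which case the server is in."""
    m = re.search(r"DNSSEC validation failed: (\S+)", resolvectl_error)
    reason = m.group(1) if m else None
    edns_do, has_rrsig = server_passes_dnssec(dig_output)
    if edns_do and has_rrsig:
        # Server returns signatures: no downgrade applies, validation result stands.
        return reason, "server-supports-dnssec"
    # Server drops the DO bit or the signatures: the case allow-downgrade covers.
    return reason, "server-lacks-dnssec"


if __name__ == "__main__":
    print(triage(AWARE, ERROR))
    print(triage(UNAWARE, ERROR))
```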

