
systemd-resolved: "DNSSEC=allow-downgrade" still fails #32570

Closed
jonathan-gruber-jg opened this issue Apr 30, 2024 · 11 comments · Fixed by #32598
Labels: bug 🐛 (Programming errors, that need preferential fixing), resolve

Comments

jonathan-gruber-jg commented Apr 30, 2024

systemd version the issue has been seen with

255.5-3

Used distribution

Arch Linux

Linux kernel version used

6.8.8-arch1-1

CPU architectures issue was seen on

x86_64

Component

systemd-resolved

Expected behaviour you didn't see

This bug report is a repeat of issue #32561, issue #32531, and (I think) also issue #32546. As I understand it, commit d840783 (the associated pull request is #32552) was intended to fix the bug identified by those issues. Arch Linux has backported that fix into its package for systemd 255.5, which, on Arch Linux, is identified by the version 255.5-3. Naturally, I expected the bug to have been fixed.

Unexpected behaviour you saw

Despite commit d840783 / pull request #32552, the bug persists.

Steps to reproduce the problem

I do not know much about networking, so I apologize if I use wildly incorrect terminology here or if these steps are wrong.

  1. Configure systemd-resolved with "DNSSEC=allow-downgrade" set in the "[Resolve]" section.
  2. Connect to a network with a DNS server that does not support DNSSEC.

In case it matters, I use NetworkManager with wpa_supplicant for my WiFi.

Additional program output to the terminal or log subsystem illustrating the issue

I have attached my logs for systemd-resolved in different formats for your convenience. Do notify me if you would like me to provide any additional log files or information.
json-pretty.log
short-full.log
verbose.log

@jonathan-gruber-jg jonathan-gruber-jg added the bug 🐛 Programming errors, that need preferential fixing label Apr 30, 2024
jonathan-gruber-jg (Author) commented

I have edited the issue above since I have since upgraded my kernel to a new version and installed systemd 255.5-3 from Arch Linux's official repositories. The bug still persists.

rpigott (Contributor) commented Apr 30, 2024

Could you share a sd-resolved debug log?

jonathan-gruber-jg (Author) commented Apr 30, 2024

How do I do that? What exactly is an sd-resolved debug log? Is it in any way different from the log messages of systemd-resolved that one finds in journalctl?

bluca (Member) commented Apr 30, 2024

sudo systemctl service-log-level systemd-resolved.service debug and then try again the operations that fail and get the logs again

LRitzdorf commented May 1, 2024

I seem to be encountering the same issue, at least on my home network (with an ISP-provided router). My workaround thus far has been to switch to Cloudflare's DNS, via resolvectl dns wlan0 1.1.1.1 1.0.0.1. I'm also on Arch, running systemd 255.5-3.
I've captured a debug log for a query to go.dnscheck.tools (timestamp and hostname are trimmed off):

Debug log
systemd-resolved[1318]: Sent message type=method_return sender=n/a destination=:1.71 path=n/a interface=n/a member=n/a cookie=118 reply_cookie=3 signature=n/a error-name=n/a error-message=n/a
systemd-resolved[1318]: Got message type=method_call sender=:1.72 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname  cookie=2 reply_cookie=0 signature=isit error-name=n/a error-message=n/a
systemd-resolved[1318]: idn2_lookup_u8: go.dnscheck.tools → go.dnscheck.tools
systemd-resolved[1318]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID cookie=119 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a  cookie=4294967295 reply_cookie=119 signature=u error-name=n/a error-message=n/a
systemd-resolved[1318]: D-Bus hostname resolution request from client PID 4296 (resolvectl) with UID 1000
systemd-resolved[1318]: Looking up RR for go.dnscheck.tools IN A.
systemd-resolved[1318]: Looking up RR for go.dnscheck.tools IN AAAA.
systemd-resolved[1318]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=120 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=121 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a  cookie=4294967295 reply_cookie=121 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: wlan0: Switching to DNS server 192.168.1.1.
systemd-resolved[1318]: Cache miss for go.dnscheck.tools IN A
systemd-resolved[1318]: Firing regular transaction 51709 for <go.dnscheck.tools IN A> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 51709.
systemd-resolved[1318]: Using DNS server 192.168.1.1 for transaction 51709.
systemd-resolved[1318]: Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 51709.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Cache miss for go.dnscheck.tools IN AAAA
systemd-resolved[1318]: Firing regular transaction 64607 for <go.dnscheck.tools IN AAAA> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Using DNS server 192.168.1.1 for transaction 64607.
systemd-resolved[1318]: Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a  cookie=4294967295 reply_cookie=120 signature= error-name=n/a error-message=n/a
systemd-resolved[1318]: Match type='signal',sender='org.freedesktop.DBus',path='/org/freedesktop/DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.72' successfully installed.
systemd-resolved[1318]: Connection failure for DNS TCP stream: Connection refused
systemd-resolved[1318]: Retrying transaction 64607, after switching servers.
systemd-resolved[1318]: Cache miss for go.dnscheck.tools IN AAAA
systemd-resolved[1318]: Firing regular transaction 64607 for <go.dnscheck.tools IN AAAA> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Server doesn't support DNS-over-TLS, downgrading protocol...
systemd-resolved[1318]: Using degraded feature set UDP+EDNS0+DO instead of TLS+EDNS0+DO for DNS server 192.168.1.1.
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
systemd-resolved[1318]: Sending query packet with id 64607 of size 69.
systemd-resolved[1318]: Retrying transaction 51709, after switching servers.
systemd-resolved[1318]: Cache miss for go.dnscheck.tools IN A
systemd-resolved[1318]: Firing regular transaction 51709 for <go.dnscheck.tools IN A> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 51709.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
systemd-resolved[1318]: Sending query packet with id 51709 of size 69.
systemd-resolved[1318]: Received dns UDP packet of size 74, ifindex=4, ttl=0, fragsize=0, sender=192.168.1.1, destination=192.168.1.149
systemd-resolved[1318]: Processing incoming packet of size 74 on transaction 64607 (rcode=SUCCESS).
systemd-resolved[1318]: Verified we get a response at feature level UDP+EDNS0+DO from DNS server 192.168.1.1.
systemd-resolved[1318]: Requesting DS to validate transaction 64607 (go.dnscheck.tools, unsigned non-SOA/NS RRset <go.dnscheck.tools IN AAAA 2a01:4f8:1c1e:84c3::1>).
systemd-resolved[1318]: Cache miss for go.dnscheck.tools IN DS
systemd-resolved[1318]: Firing regular transaction 21019 for <go.dnscheck.tools IN DS> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 21019.
systemd-resolved[1318]: Using DNS server 192.168.1.1 for transaction 21019.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
systemd-resolved[1318]: Sending query packet with id 21019 of size 69.
systemd-resolved[1318]: Received dns UDP packet of size 62, ifindex=4, ttl=0, fragsize=0, sender=192.168.1.1, destination=192.168.1.149
systemd-resolved[1318]: Processing incoming packet of size 62 on transaction 51709 (rcode=SUCCESS).
systemd-resolved[1318]: Requesting DS to validate transaction 51709 (go.dnscheck.tools, unsigned non-SOA/NS RRset <go.dnscheck.tools IN A 116.203.95.251>).
systemd-resolved[1318]: Received dns UDP packet of size 94, ifindex=4, ttl=0, fragsize=0, sender=192.168.1.1, destination=192.168.1.149
systemd-resolved[1318]: Processing incoming packet of size 94 on transaction 21019 (rcode=SUCCESS).
systemd-resolved[1318]: Requesting parent DS to validate transaction 21019 (go.dnscheck.tools, unsigned CNAME/DNAME/DS RRset).
systemd-resolved[1318]: Cache miss for dnscheck.tools IN DS
systemd-resolved[1318]: Firing regular transaction 403 for <dnscheck.tools IN DS> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 403.
systemd-resolved[1318]: Using DNS server 192.168.1.1 for transaction 403.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
systemd-resolved[1318]: Sending query packet with id 403 of size 66.
systemd-resolved[1318]: Received dns UDP packet of size 91, ifindex=4, ttl=0, fragsize=0, sender=192.168.1.1, destination=192.168.1.149
systemd-resolved[1318]: Processing incoming packet of size 91 on transaction 403 (rcode=SUCCESS).
systemd-resolved[1318]: Requesting parent DS to validate transaction 403 (dnscheck.tools, unsigned CNAME/DNAME/DS RRset).
systemd-resolved[1318]: Cache miss for tools IN DS
systemd-resolved[1318]: Firing regular transaction 25712 for <tools IN DS> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 25712.
systemd-resolved[1318]: Using DNS server 192.168.1.1 for transaction 25712.
systemd-resolved[1318]: Announcing packet size 1472 in egress EDNS(0) packet.
systemd-resolved[1318]: Emitting UDP, link MTU is 1500, socket MTU is 0, minimal MTU is 40
systemd-resolved[1318]: Sending query packet with id 25712 of size 57.
systemd-resolved[1318]: Received dns UDP packet of size 82, ifindex=4, ttl=0, fragsize=0, sender=192.168.1.1, destination=192.168.1.149
systemd-resolved[1318]: Processing incoming packet of size 82 on transaction 25712 (rcode=SUCCESS).
systemd-resolved[1318]: Requesting parent DS to validate transaction 25712 (tools, unsigned CNAME/DNAME/DS RRset).
systemd-resolved[1318]: Validating response from transaction 25712 (tools IN DS).
systemd-resolved[1318]: Looking at tools IN DS 13831 8 2 5ddd852d119830be951afa0d5176443a935eaa350278ef15fbea34156cf5a9ab: no-signature
systemd-resolved[1318]: Found verdict for lookup tools IN DS: bogus
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question tools IN DS: no-signature
systemd-resolved[1318]: Regular transaction 25712 for <tools IN DS> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Auxiliary DNSSEC RR query failed validation: no-signature
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question dnscheck.tools IN DS: no-signature
systemd-resolved[1318]: Regular transaction 403 for <dnscheck.tools IN DS> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Auxiliary DNSSEC RR query failed validation: no-signature
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question go.dnscheck.tools IN DS: no-signature
systemd-resolved[1318]: Regular transaction 21019 for <go.dnscheck.tools IN DS> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Auxiliary DNSSEC RR query failed validation: no-signature
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question go.dnscheck.tools IN AAAA: no-signature
systemd-resolved[1318]: Regular transaction 64607 for <go.dnscheck.tools IN AAAA> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Auxiliary DNSSEC RR query failed validation: no-signature
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question go.dnscheck.tools IN A: no-signature
systemd-resolved[1318]: Regular transaction 51709 for <go.dnscheck.tools IN A> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Freeing transaction 64607.
systemd-resolved[1318]: Sent message type=error sender=n/a destination=:1.72 path=n/a interface=n/a member=n/a cookie=122 reply_cookie=2 signature=s error-name=org.freedesktop.resolve1.DnssecFailed error-message=DNSSEC validation failed: no-signature
systemd-resolved[1318]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=123 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: Freeing transaction 51709.
systemd-resolved[1318]: Freeing transaction 21019.
systemd-resolved[1318]: Freeing transaction 403.
systemd-resolved[1318]: Freeing transaction 25712.
systemd-resolved[1318]: Got message type=method_call sender=:1.73 destination=org.freedesktop.resolve1 path=/org/freedesktop/LogControl1 interface=org.freedesktop.DBus.Properties member=Set  cookie=3 reply_cookie=0 signature=ssv error-name=n/a error-message=n/a
systemd-resolved[1318]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser cookie=124 reply_cookie=0 signature=s error-name=n/a error-message=n/a
systemd-resolved[1318]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.1 path=n/a interface=n/a member=n/a  cookie=4294967295 reply_cookie=124 signature=u error-name=n/a error-message=n/a

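The debug log above records the symptom this issue is about: every transaction is fired with validate=yes, the server is only ever downgraded from TLS+EDNS0+DO to UDP+EDNS0+DO, the DS chain is walked up to "tools IN DS", and the whole lookup completes with dnssec-failed/no-signature instead of resolved dropping DNSSEC as allow-downgrade promises. The following Python analyser is an added example, not part of this thread and not systemd's code: it reconstructs each transaction from systemd-resolved debug-log lines and flags lookups that failed validation without ever being tried at a feature level without the DO bit. The embedded log lines are constructed to follow the format seen on this page; the transaction 777 lines (a downgrade to UDP+EDNS0 and a "<success>" completion) are assumed, for contrast, and are not from the page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Patterns matching the systemd-resolved debug-log lines quoted in the thread.
FIRE = re.compile(r"Firing regular transaction (\d+) for <([^>]+)> scope dns on (\S+) \(validate=(yes|no)\)")
LEVEL = re.compile(r"Using feature level (\S+) for transaction (\d+)\.")
DEGRADE = re.compile(r"Using degraded feature set (\S+) instead of (\S+) for DNS server (\S+)\.")
DONE = re.compile(r"Regular transaction (\d+) for <([^>]+)> on scope dns on \S+ now complete with <([^>]+)>")
FAILED = re.compile(r"DNSSEC validation failed for question (.+?): (\S+)$")


@dataclass
class Transaction:
    tid: int
    question: str
    link: str
    validate: bool
    levels: List[str] = field(default_factory=list)   # feature levels tried, in order
    result: Optional[str] = None                       # e.g. "dnssec-failed", "success"
    reason: Optional[str] = None                       # e.g. "no-signature"


def parse_resolved_log(lines) -> Tuple[Dict[int, Transaction], List[Tuple[str, str, str]]]:
    """Rebuild transactions and server downgrades (server, from_level, to_level) from log lines."""
    txs: Dict[int, Transaction] = {}
    degradations: List[Tuple[str, str, str]] = []
    pending_reason: Dict[str, str] = {}  # question -> reason; the "failed" line precedes "complete"
    for line in lines:
        if m := FIRE.search(line):
            tid = int(m.group(1))
            # A retried transaction is "fired" again under the same id; keep the first record.
            txs.setdefault(tid, Transaction(tid, m.group(2), m.group(3), m.group(4) == "yes"))
        elif m := LEVEL.search(line):
            tid, level = int(m.group(2)), m.group(1)
            if tid in txs and (not txs[tid].levels or txs[tid].levels[-1] != level):
                txs[tid].levels.append(level)
        elif m := DEGRADE.search(line):
            degradations.append((m.group(3), m.group(2), m.group(1)))
        elif m := FAILED.search(line):
            pending_reason[m.group(1)] = m.group(2)
        elif m := DONE.search(line):
            tid = int(m.group(1))
            if tid in txs:
                txs[tid].result = m.group(3)
                txs[tid].reason = pending_reason.pop(m.group(2), None)
    return txs, degradations


def stuck_validation_failures(txs: Dict[int, Transaction]) -> List[int]:
    """Transactions that allow-downgrade should have rescued but did not: validation was
    requested, the verdict is dnssec-failed/no-signature, and every feature level tried
    still carried the DO bit, i.e. resolved never fell back to a non-DNSSEC level."""
    return sorted(
        t.tid for t in txs.values()
        if t.validate and t.result == "dnssec-failed" and t.reason == "no-signature"
        and all("+DO" in lvl for lvl in t.levels)
    )


# Constructed sample in the page's log format (transaction 777 is assumed, not from the page).
LOG = """\
systemd-resolved[1318]: Firing regular transaction 64607 for <go.dnscheck.tools IN AAAA> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Using feature level TLS+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Connection failure for DNS TCP stream: Connection refused
systemd-resolved[1318]: Retrying transaction 64607, after switching servers.
systemd-resolved[1318]: Firing regular transaction 64607 for <go.dnscheck.tools IN AAAA> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Server doesn't support DNS-over-TLS, downgrading protocol...
systemd-resolved[1318]: Using degraded feature set UDP+EDNS0+DO instead of TLS+EDNS0+DO for DNS server 192.168.1.1.
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 64607.
systemd-resolved[1318]: Firing regular transaction 25712 for <tools IN DS> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 25712.
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question tools IN DS: no-signature
systemd-resolved[1318]: Regular transaction 25712 for <tools IN DS> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: [🡕] DNSSEC validation failed for question go.dnscheck.tools IN AAAA: no-signature
systemd-resolved[1318]: Regular transaction 64607 for <go.dnscheck.tools IN AAAA> on scope dns on wlan0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
systemd-resolved[1318]: Firing regular transaction 777 for <example.com IN A> scope dns on wlan0/* (validate=yes).
systemd-resolved[1318]: Using feature level UDP+EDNS0+DO for transaction 777.
systemd-resolved[1318]: Using degraded feature set UDP+EDNS0 instead of UDP+EDNS0+DO for DNS server 192.168.1.1.
systemd-resolved[1318]: Using feature level UDP+EDNS0 for transaction 777.
systemd-resolved[1318]: Regular transaction 777 for <example.com IN A> on scope dns on wlan0/* now complete with <success> from network (unsigned; non-confidential).
"""

if __name__ == "__main__":
    txs, downgrades = parse_resolved_log(LOG.splitlines())
    for server, old, new in downgrades:
        print(f"server {server}: {old} -> {new}")
    for tid in stuck_validation_failures(txs):
        t = txs[tid]
        print(f"transaction {tid} <{t.question}> failed validation at levels {t.levels}; never left DO")
```

To run it against a real capture, feed it the output of `journalctl -u systemd-resolved.service` after raising the log level as bluca describes; a non-empty result from stuck_validation_failures is the signature of the behaviour reported here, while a downgrade entry ending in a level without "+DO" followed by a success is what a working allow-downgrade looks like.
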
jonathan-gruber-jg (Author) commented

Okay, hopefully this is what was meant by an sd-resolved debug log. I have attached to this comment my logs for systemd-resolved in various formats (with DNS server IP addresses redacted) after setting "DNSSEC=allow-downgrade" in "[Resolve]", running sudo systemctl service-log-level systemd-resolved.service debug, and trying to resolve some domain names.
json-pretty.log
short-full.log
verbose.log

rpigott (Contributor) commented May 1, 2024

Ok, seems like sd-resolved isn't successfully downgrading these servers that don't support dnssec. I'll look into it.

rpigott (Contributor) commented May 1, 2024

Yeah, the downgrading part of allow-downgrade was kinda broken. If you are able, please try #32598.

jonathan-gruber-jg (Author) commented

About to try backporting #32598 into Arch's package and building it. Will report on my findings.

jonathan-gruber-jg (Author) commented

I backported it into Arch Linux's systemd package and it seems to have fixed the bug, assuming I did things correctly. The way I did it was by modifying the Arch package's PKGBUILD file to patch the commit from pull request #32598 into the systemd source code that makepkg downloads before building systemd. I have attached a zip archive of my files for the Arch package. The patch to apply the commit from pull request #32598 is in the file resolve.patch. To build the Arch package, you may need to run makepkg with the "--skippgpcheck" option.

For the sake of completeness, I have also attached a debug log for sd-resolved in various formats.

Any other Arch users, and any other users of systemd 255.5 in general, please confirm my findings.
sd-debug-log.zip
systemd-arch-package.zip

rpigott (Contributor) commented May 1, 2024

Good to hear, thanks for testing it.
