[systemd-devel] negative trust anchors not working with non TLD domain names

Sean Dague sean at dague.net
Wed Apr 19 11:12:01 UTC 2017


I just upgraded to Ubuntu 17.04 (systemd 232), where systemd-resolved is
turned on by default, which means DNSSEC validation is on by default.

My home network has DNS provided by dnsmasq, and for historical reasons
I set the domain name on all hosts there to 'dague.pvt'.

I tried adding both 'dague.pvt' and 'pvt' to
/etc/dnssec-trust-anchors.d/dague.pvt.negative (as well as copying in
the list of all the negative trust anchors that exist by default, home,
local, the reverse lookup ones).

Looking up os3.dague.pvt always returns a SERVFAIL; it does not seem to
be respecting the negative trust anchor, even though the logs seem to be
picking it up:

Apr 19 07:06:10 ribos.dague.pvt systemd-resolved[16286]: Negative trust
anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa
18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa
21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa
24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa
27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa
30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa
d.f.ip6.arpa corp home internal intranet lan local private pvt dague.pvt
test

Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: Switching to
DNS server 10.42.0.3 for interface enp0s25.
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC
validation failed for question os3.dague.pvt IN DS: no-signature
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC
validation failed for question os3.dague.pvt IN SOA: no-signature
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC
validation failed for question os3.dague.pvt IN A: no-signature


It did occur to me that there are no non-TLD examples in the excluded
list except the reverse lookup domains (which I assume are treated
specially).

Is there something I'm missing with configuration here? Or are non-TLD
domains not supported for negative trust anchors? And if so, is that a
bug or intentional? My current workaround is to just turn off DNSSEC,
which I'd really like to avoid doing if I could.

Thanks in advance,

	-Sean

-- 
Sean Dague
http://dague.net
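As an added diagnostic (my own example, not code from the post or from systemd), the script below parses systemd-resolved journal lines of the two kinds quoted above and reports, for each DNSSEC validation failure, which configured negative trust anchor should have covered the queried name. It assumes the documented suffix-match semantics (an NTA covers the domain itself and all its subdomains), and the journal text it runs on is constructed from the lines in the post.

```python
import re

# Constructed sample journal, re-typed from the post: one "Negative trust
# anchors" line (journalctl emits it as a single line) and several DNSSEC
# failures, plus one unrelated name that no NTA covers.
JOURNAL = """\
Apr 19 07:06:10 ribos.dague.pvt systemd-resolved[16286]: Negative trust anchors: 10.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa home local pvt dague.pvt test
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: Switching to DNS server 10.42.0.3 for interface enp0s25.
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN DS: no-signature
Apr 19 07:06:25 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question os3.dague.pvt IN A: no-signature
Apr 19 07:06:30 ribos.dague.pvt systemd-resolved[16286]: DNSSEC validation failed for question www.example.org IN A: no-signature
"""

NTA_RE = re.compile(r"Negative trust anchors: (.*)$")
FAIL_RE = re.compile(r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)$")


def normalize(name):
    # Lower-case and drop a trailing dot so "Dague.PVT." and "dague.pvt" compare equal.
    return name.lower().rstrip(".")


def covered_by_nta(name, ntas):
    """Return the most specific NTA covering name (the NTA itself or a
    subdomain of it, assumed suffix-match semantics), or None."""
    name = normalize(name)
    # Most labels first, so "dague.pvt" wins over "pvt" for os3.dague.pvt.
    for nta in sorted(ntas, key=lambda n: n.count("."), reverse=True):
        nta = normalize(nta)
        if name == nta or name.endswith("." + nta):
            return nta
    return None


def analyze(journal):
    """Return (ntas, failures): the NTA list seen in the journal and a map
    from each failed (qname, qtype) to the NTA that should have covered it."""
    ntas, failures = [], {}
    for line in journal.splitlines():
        m = NTA_RE.search(line)
        if m:
            ntas = m.group(1).split()  # resolver's own view of the NTA set
            continue
        m = FAIL_RE.search(line)
        if m:
            qname, qtype, _reason = m.groups()
            failures[(qname, qtype)] = covered_by_nta(qname, ntas)
    return ntas, failures
```

A failure whose name maps to an NTA is the inconsistency the post describes (the resolver loaded the anchor yet still validated); a failure mapping to None means the NTA list itself does not reach that name.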

