[Discuss] resolved and DNSSEC
Matthew Gillen
me at mattgillen.net
Tue Apr 13 10:41:41 EDT 2021
I did a system upgrade the other day of my main home server/firewall,
and for once the problem wasn't email, it was DNS.
Fedora 33 moved to resolved, which does some interesting things compared
to what I was used to.
Amazingly, it maintained the basic contours of the system I had before:
systemd-resolved was configured to only talk to the BIND server running
on the loopback. I was impressed with that (and even though I've found
/etc/systemd/resolved.conf and put the DNS entry as 127.0.0.1 to force
it, it was actually doing the right thing before I did that, so I don't
know which config file it was looking at).
The problem I had was a script I was running to check the DNSSEC status
of a certain set of hosts that have historically had a lot of issues.
So my cron job basically ran
delv <hostname>
over a set of hostnames. delv is like 'dig' but for DNSSEC.
I followed the advice of a random blog that duckduckgo told me about and
enabled DNSSEC for systemd-resolved
(https://stanislas.blog/2018/06/enable-dnssec-support-in-systemd-resolve/ ).
However, my 'delv' commands kept returning failure. Doing 'dig
www.dnssec-failed.org' properly failed, so I know DNSSEC was working
between my BIND instance and systemd-resolved, but delv apparently was
not able to get signed results from the 127.0.0.53 server (which is what
systemd-resolved presents to the rest of the system as the
backward-compatible resolver).
I solved the problem in the short term by just forcing the delv command
to go straight to my BIND server:
delv @127.0.0.1 <hostname>
But I liked the idea of the delv command exercising the exact path any
other program on my system would use when doing DNS lookups.
There is a pretty meaty ticket on this where the issue was closed but
people are saying it still doesn't work
https://github.com/systemd/systemd/issues/4621
FWIW, here's my config in case anyone knows something I might be doing
wrong (links 4-7 are just VLANs off physical Link 3; Link 2 is my ISP
connection):
---------------------
$ resolvectl
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1

Link 2 (enp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 127.0.0.1
       DNS Servers: 127.0.0.1

Link 3 (enp3s5)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 4 (noext)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 5 (eap)
    Current Scopes: LLMNR/IPv4
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 6 (kids)
    Current Scopes: LLMNR/IPv4 LLMNR/IPv6
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported

Link 7 (mgmt)
    Current Scopes: LLMNR/IPv4
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
---------------------
Thanks,
Matt
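The post describes a cron job that runs delv over a list of hosts, and a workaround of pointing delv straight at BIND (127.0.0.1) instead of letting it go through the systemd-resolved stub (127.0.0.53). The script below is an added example, not the poster's cron job or anything from the systemd or BIND projects. It wraps delv so each host is checked through both paths and any disagreement is flagged, which is the comparison the poster wanted the stub path to survive. It assumes delv is installed and that the resolver addresses are the ones given in the post; the delv output lines it matches on ("; fully validated", "; unsigned answer", ";; resolution failed") are the markers delv prints, but the sample outputs used to exercise the classifier are constructed, not captured from a real run.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify the DNSSEC status
# delv reports for a list of hostnames, checked both via the systemd-resolved
# stub (127.0.0.53) and directly against a validating resolver (assumed to be
# BIND on 127.0.0.1, as in the post). Hostnames are placeholders.

# Reduce one delv run's output (on stdin) to a single status word:
#   validated | unsigned | failed | unknown
# Only the first matching marker wins, checked in that order.
classify_delv_output() {
    local out status="unknown"
    out="$(cat)"
    if printf '%s\n' "$out" | grep -q '^; fully validated'; then
        status="validated"
    elif printf '%s\n' "$out" | grep -q '^; unsigned answer'; then
        status="unsigned"
    elif printf '%s\n' "$out" | grep -q '^;; resolution failed'; then
        status="failed"
    fi
    printf '%s\n' "$status"
}

# Run delv for one host. The optional second argument is the server to
# query (e.g. 127.0.0.53 for the resolved stub, 127.0.0.1 for BIND directly);
# with no server delv uses whatever /etc/resolv.conf points at.
# delv exits non-zero on validation failure; its stderr is merged in so the
# ";; resolution failed" line still reaches the classifier.
check_host() {
    local host="$1" server="${2:-}"
    if [ -n "$server" ]; then
        delv "@$server" "$host" 2>&1 | classify_delv_output
    else
        delv "$host" 2>&1 | classify_delv_output
    fi
}

# Check each host through the stub and directly against RESOLVER_IP, and
# report any host where the two paths disagree. Returns non-zero if any
# mismatch was seen, so a cron job can alert on the exit status.
# Usage: compare_paths RESOLVER_IP host1 [host2 ...]
compare_paths() {
    local direct="$1"; shift
    local host via_stub via_direct rc=0
    for host in "$@"; do
        via_stub="$(check_host "$host" 127.0.0.53)"
        via_direct="$(check_host "$host" "$direct")"
        if [ "$via_stub" != "$via_direct" ]; then
            printf 'MISMATCH %s stub=%s direct=%s\n' "$host" "$via_stub" "$via_direct"
            rc=1
        else
            printf 'OK %s %s\n' "$host" "$via_direct"
        fi
    done
    return $rc
}

# Example invocation for a cron job (placeholder hostnames; dnssec-failed.org
# is the deliberately broken test zone mentioned in the post and should come
# back "failed" on both paths if validation is working end to end):
# compare_paths 127.0.0.1 www.example.net www.dnssec-failed.org
```

A host that shows "validated" via 127.0.0.1 but "failed" or "unknown" via 127.0.0.53 reproduces the symptom in the post: the stub is validating, but it is not handing delv the signed data delv needs to validate for itself.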