First DNSSEC failure passed on even with allow-downgrade

[heftig]

systemd version the issue has been seen with
293.300 (systemd/systemd-stable@25d1ba1)

Used distribution
Arch Linux

Expected behaviour you didn't see
In allow-downgrade mode and using a DNS server without DNSSEC support, the query that triggers the downgrade is still ultimately successful.

Unexpected behaviour you saw

$ sudo systemctl restart systemd-resolved
$ resolvectl query encryptedsni.com
encryptedsni.com: resolve call failed: DNSSEC validation failed: failed-auxiliary
$ resolvectl query encryptedsni.com
encryptedsni.com: 104.20.84.157
                  104.20.0.157

-- Information acquired via protocol DNS in 39.2ms.
-- Data is authenticated: no

Logs:

systemd[1]: Starting Network Name Resolution...
systemd-resolved[30973]: Positive Trust Anchors:
systemd-resolved[30973]: . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
systemd-resolved[30973]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
systemd-resolved[30973]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.i>
systemd-resolved[30973]: Using system hostname 'papyrus'.
systemd[1]: Started Network Name Resolution.
systemd-resolved[30973]: Using degraded feature set (UDP+EDNS0) for DNS server 192.168.50.14.
systemd-resolved[30973]: DNSSEC validation failed for question com IN SOA: failed-auxiliary
systemd-resolved[30973]: DNSSEC validation failed for question encryptedsni.com IN DS: failed-auxiliary
systemd-resolved[30973]: DNSSEC validation failed for question encryptedsni.com IN AAAA: failed-auxiliary
systemd-resolved[30973]: DNSSEC validation failed for question encryptedsni.com IN SOA: failed-auxiliary
systemd-resolved[30973]: DNSSEC validation failed for question encryptedsni.com IN A: failed-auxiliary
systemd-resolved[30973]: Server 192.168.50.14 does not support DNSSEC, downgrading to non-DNSSEC mode.
systemd-resolved[30973]: Using degraded feature set (UDP) for DNS server 192.168.50.14.

I've also seen:

encryptedsni.com: resolve call failed: 'encryptedsni.com' does not have any RR of the requested type

[AndreaBorgia-Abo]

Can confirm same behaviour on Debian/testing with systemd 239
This is interfering with Amanda backups: every lookup failure means a host is excluded from backups, unless the server is pre-pinged by the clients.

[b1tninja]

Seeing this in systemd 240.95

Looks similar to issue of #9867

[b1tninja@hostname /]$ resolvectl query www.example.org

www.example.org: 93.184.216.34                 -- link: wlan0

-- Information acquired via protocol DNS in 133.9ms.
-- Data is authenticated: yes

[b1tninja@hostname /]$ resolvectl query www.archlinux.org

www.archlinux.org: resolve call failed: DNSSEC validation failed: no-signature
[b1tninja@hostname /]$ resolvectl dnssec
Global: allow-downgrade
Link 4 (wlan0): no

[b1tninja@hostname /]$ ip route

default via 192.168.0.1 dev wlan0 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.176 

[b1tninja@hostname /]$ cat /etc/systemd/resolved.conf

[Resolve]
#DNS=1.1.1.1
FallbackDNS=1.1.1.1 9.9.9.10 8.8.8.8 8.8.4.4 2606:4700:4700::1111 2620:fe::10 2001:4860:4860::8888
#Domains=
#LLMNR=yes
#MulticastDNS=yes
DNSSEC=allow-downgrade
#DNSOverTLS=opportunistic
Cache=yes
#DNSStubListener=yes
ReadEtcHosts=no

[tchernomax]

I can't reproduce this bug in version 242:

root@mde-oxalide # systemctl restart systemd-resolved.service; resolvectl query encryptedsni.com
encryptedsni.com: 104.20.84.157                -- link: enp57s0u1u2
                  104.20.0.157                 -- link: enp57s0u1u2

-- Information acquired via protocol DNS in 11.0ms.
-- Data is authenticated: yes
root@mde-oxalide # resolvectl status enp57s0u1u2
Link 2 (enp57s0u1u2)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes
  Current DNS Server: 192.168.1.2
         DNS Servers: 192.168.1.2
          DNS Domain: ~.
                      lan
root@mde-oxalide # systemctl --version
systemd 242 (242.29-1-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

[heftig]

Still reproducible using version 242.29.

$ resolvectl --version
systemd 242 (242.29-1-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
$ sudo systemctl restart systemd-resolved
$ resolvectl query encryptedsni.com
encryptedsni.com: resolve call failed: DNSSEC validation failed: failed-auxiliary
$ resolvectl query encryptedsni.com
encryptedsni.com: 104.20.84.157                -- link: bridge
                  104.20.0.157                 -- link: bridge

-- Information acquired via protocol DNS in 163.5ms.
-- Data is authenticated: no

Logs:

systemd[1]: Starting Network Name Resolution...
systemd-resolved[7672]: Positive Trust Anchors:
systemd-resolved[7672]: . IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
systemd-resolved[7672]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
systemd-resolved[7672]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in>
systemd-resolved[7672]: Using system hostname 'papyrus'.
systemd[1]: Started Network Name Resolution.
systemd-resolved[7672]: Using degraded feature set (UDP+EDNS0) for DNS server 192.168.20.1.
systemd-resolved[7672]: DNSSEC validation failed for question com IN SOA: failed-auxiliary
systemd-resolved[7672]: DNSSEC validation failed for question encryptedsni.com IN DS: failed-auxiliary
systemd-resolved[7672]: DNSSEC validation failed for question encryptedsni.com IN SOA: failed-auxiliary
systemd-resolved[7672]: DNSSEC validation failed for question encryptedsni.com IN A: failed-auxiliary
systemd-resolved[7672]: DNSSEC validation failed for question encryptedsni.com IN AAAA: failed-auxiliary
systemd-resolved[7672]: Server 192.168.20.1 does not support DNSSEC, downgrading to non-DNSSEC mode.

[afq984]

Alternatively, resolvectl flush-caches; resolvectl reset-server-features can also be used to trigger resolve call failed: DNSSEC validation failed: failed-auxiliary

[b1tninja]

I'm still skimming source but looks like it might be here:

https://github.https://github.com/systemd/systemd/blob/f731fd5be61858b724e0f13b3ff1131c1977654a/src/resolve/resolved-dns-transaction.c#L764

When checking to see if there are ongoing auxiliary transactions the transaction is sometimes failed, and also iteration is stopped (do other transactions still need considering?)... and the dns_transaction_process_dnssec is skipped, which would dns_transaction_maybe_restart

[patrolez]

The thing is popular on microcomputers without RTC (like Raspberry Pi) as security of DNSSEC thing requires correct system date and time to be provided.

So you have:

1. ntp (timesyncd) wants to resolve pool.ntp.org
2. DNSSEC still and still refuses to make a resolution as there is no valid date and time, even with allow-downgrade does not allow to make resolution
3. [SHOULD BE] Allow to resolve the domain via non-encrypted DNS manner next time
4. goto: 1.

[philippe-rero]

Still reproducible using version 244.3. It would be good to be able to use allow-downgrade by now...

[b1tninja]

It has been awhile since I looked at the code but iirc their was a commit that returned the failure so there was information. The allow-downgrade case was rather complex, given it has to wait for pending/auxiliary queries and exhaust the server list... but my take on the issue is the resolve 'api' could only 'return' once (analogous to a synchronous function) and it occurred to me that it might be nice to have sort of a 'callback' --- I have no idea if that's possible with d-bus, but the idea being to provide updates on the status of the resolution as they become available, maybe options to provide the records/answers too... pending auxiliary requests.... and this idea is feature creeping but maybe provide a way to make decisions about resolution/validation

Another idea related to the NTP problem, (which I 'solved' by adding an ntp by ip), is to have flags for the resolution, maybe an option could provide a timestamp or 'softfail'

[goekce]

Can confirm that it is present in 245.6. Leads to the failure of the first command that requires an external DNS resolution.

[pemensik]

It would be helpful, if timesyncd allowed first query to run with +cd bit set. dig +cd pool.ntp.org fetches address without DNSSEC validation. It would get candidate host with candidate current time. It should then get addresses with DNSSEC validation in place, using candidate time to verify it. If validation passed this time and host hasn't changed, we have trusted time validated with DNSSEC.

Turning off DNSSEC validation completely for all clients should not be done nor necessary.

[pemensik]

The thing is popular on microcomputers without RTC (like Raspberry Pi) as security of DNSSEC thing requires correct system date and time to be provided.

So you have:

1. ntp (timesyncd) wants to resolve `pool.ntp.org`

2. DNSSEC still and still refuses to make a resolution as there is no valid date and time, even with `allow-downgrade` does not allow to make resolution

3. [SHOULD BE] Allow to resolve the domain via non-encrypted DNS manner next time

4. goto: 1.

One way around this would be using negative trust anchor (nta) for pool.ntp.org on machines without correct time. It would allow time to be set regardless state of general validation.

mkdir -p /etc/dnssec-trust-anchors.d/
echo pool.ntp.org  | sudo tee /etc/dnssec-trust-anchors.d/pool.ntp.org.negative

This is more workaround than proper fix, but proper fix is more difficult.