systemd version the issue has been seen with
systemd 249 (249.7-2-arch)
Used distribution
Arch Linux
Linux kernel version used (uname -a)
Linux tortoise 5.15.6-arch2-1 #1 SMP PREEMPT Thu, 02 Dec 2021 15:47:09 +0000 x86_64 GNU/Linux
CPU architecture issue was seen on
x86_64
Expected behaviour you didn't see
With MulticastDNS=no in /etc/systemd/resolved.conf, drill local SOA should have returned NXDOMAIN.
Unexpected behaviour you saw
With MulticastDNS=no in /etc/systemd/resolved.conf, drill local SOA returned something other than NXDOMAIN.
I got either SERVFAIL, or if the .network file had UseDomains=yes in [DHCPv4] and [IPv6AcceptRA] sections, then I got NOERROR.
This causes a compatibility issue with nss-mdns since, by default, it checks if the "unicast DNS server responds to SOA queries".
According to https://datatracker.ietf.org/doc/html/rfc6762#section-22.1:
Caching DNS servers SHOULD recognize these names as special and SHOULD NOT attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve these names. Instead, caching DNS servers SHOULD generate immediate NXDOMAIN responses for all such queries they may receive (from misbehaving name resolver libraries).
There's also a similar issue for LLMNR: #19964.
Steps to reproduce the problem
- Set MulticastDNS=no in /etc/systemd/resolved.conf.
- Run drill local SOA.
Additional program output to the terminal or log subsystem illustrating the issue
$ drill local SOA
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 44696
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; local. IN SOA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.53
;; WHEN: Tue Dec 7 13:11:17 2021
;; MSG SIZE rcvd: 23
$ host -t SOA local
Host local not found: 2(SERVFAIL)
If the connection has any search domains (lan and home in my case):
$ drill local SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23812
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;; local. IN SOA
;; ANSWER SECTION:
local. 10800 IN SOA local. nobody.invalid. 1 3600 1200 604800 10800
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
explanation.invalid. 10800 IN TXT "Blocking is mandated by standards, see references on https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml"
;; Query time: 2 msec
;; SERVER: 127.0.0.53
;; WHEN: Tue Dec 7 13:22:18 2021
;; MSG SIZE rcvd: 239
$ host -t SOA local
local has SOA record local. nobody.invalid. 1 3600 1200 604800 10800
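
The check described in this report can be scripted. The following is an added example, not part of the original report or of systemd or nss-mdns: it builds the same `local. IN SOA` query, decodes the reply header, and flags anything other than NXDOMAIN. The function names and the reply byte strings are constructed here from the header values shown in the drill output above.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_soa_query(name="local", qid=0x1234):
    """Wire-format query for <name> IN SOA with the RD flag set."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 6, 1)  # QTYPE=SOA, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    return {"id": qid, "qr": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, f"RCODE{rcode}"), "answers": an}

def check(msg):
    """Return (compliant, rcode): only NXDOMAIN matches RFC 6762 section 22.1."""
    hdr = parse_header(msg)
    if not hdr["qr"]:
        raise ValueError("not a response")
    return (hdr["rcode"] == "NXDOMAIN", hdr["rcode"])

def probe(server="127.0.0.53", timeout=2.0):
    """Send the SOA query over UDP to a stub resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(), (server, 53))
        return check(s.recv(512))

# Constructed replies: header values copied from the two drill outputs above,
# plus the NXDOMAIN reply the report expected. Only the question section is
# appended (answer records omitted), since check() reads the header alone.
_Q = build_soa_query()[12:]
SERVFAIL_REPLY = struct.pack("!6H", 44696, 0x8582, 1, 0, 0, 0) + _Q  # qr aa rd ra
NOERROR_REPLY = struct.pack("!6H", 23812, 0x8180, 1, 1, 0, 1) + _Q   # qr rd ra
NXDOMAIN_REPLY = struct.pack("!6H", 1, 0x8183, 1, 0, 0, 0) + _Q

if __name__ == "__main__":
    for label, reply in [("MulticastDNS=no", SERVFAIL_REPLY),
                         ("with search domains", NOERROR_REPLY),
                         ("expected", NXDOMAIN_REPLY)]:
        print(label, check(reply))
```

Calling `probe()` on a host running systemd-resolved performs the live query against 127.0.0.53; the constructed replies let the classification run offline.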