resolved: DNSSEC stub validation broken (again) #22002
Description
systemd version the issue has been seen with
systemd-250-3.fc36.x86_64
Used distribution
Fedora Rawhide
Linux kernel version used (uname -a)
Linux -censored-.redhat.com 5.16.0-0.rc7.20211231git4f3d93c6eaff.52.fc36.x86_64 #1 SMP PREEMPT Fri Dec 31 16:08:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CPU architecture issue was seen on
x86_64
Expected behaviour you didn't see
delv apps.fedoraproject.org does pass
$ delv apps.fedoraproject.org
; fully validated
apps.fedoraproject.org. 30 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org. 30 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39KQSwg7udDnpeG7gzhaBSFh0ERaWf859C1m/Lu+KbTHYojU0i A+EsB8pyCq1PpO6CvG1hFkVNDkSwTojakr6FJ0XV78I0rmKPzAw7f8er qUhs5flojoFeZYCD
wildcard.fedoraproject.org. 60 IN A 152.19.134.142
wildcard.fedoraproject.org. 60 IN A 8.43.85.73
wildcard.fedoraproject.org. 60 IN A 38.145.60.21
wildcard.fedoraproject.org. 60 IN A 67.219.144.68
wildcard.fedoraproject.org. 60 IN A 38.145.60.20
wildcard.fedoraproject.org. 60 IN A 140.211.169.196
wildcard.fedoraproject.org. 60 IN A 209.132.190.2
wildcard.fedoraproject.org. 60 IN A 140.211.169.206
wildcard.fedoraproject.org. 60 IN A 152.19.134.198
wildcard.fedoraproject.org. 60 IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq7bFgaIhVQXKUNT4+HE6FnEAlcW/A/LGRwDuEg6aOavpDtxA4 1ZRVRmaQhT0TqkjZAdVZd5bn407/LkEZSUVmHVBtG5h4mtZVM4Oklpm/ MiUi4+mlBWNFQmaO
Unexpected behaviour you saw
RRSIG is placed after just the first record, not after all records of the same type.
# dig +dnssec apps.fedoraproject.org
; <<>> DiG 9.16.24-RH <<>> +dnssec apps.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16609
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org. IN A
;; ANSWER SECTION:
apps.fedoraproject.org. 300 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org. 300 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39KQSwg7udDnpeG7gzhaBSFh0ERaWf859C1m/Lu+KbTHYojU0i A+EsB8pyCq1PpO6CvG1hFkVNDkSwTojakr6FJ0XV78I0rmKPzAw7f8er qUhs5flojoFeZYCD
wildcard.fedoraproject.org. 31 IN A 152.19.134.198
wildcard.fedoraproject.org. 31 IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq7bFgaIhVQXKUNT4+HE6FnEAlcW/A/LGRwDuEg6aOavpDtxA4 1ZRVRmaQhT0TqkjZAdVZd5bn407/LkEZSUVmHVBtG5h4mtZVM4Oklpm/ MiUi4+mlBWNFQmaO
wildcard.fedoraproject.org. 31 IN A 140.211.169.196
wildcard.fedoraproject.org. 31 IN A 209.132.190.2
wildcard.fedoraproject.org. 31 IN A 38.145.60.20
wildcard.fedoraproject.org. 31 IN A 8.43.85.73
wildcard.fedoraproject.org. 31 IN A 38.145.60.21
wildcard.fedoraproject.org. 31 IN A 67.219.144.68
wildcard.fedoraproject.org. 31 IN A 140.211.169.206
wildcard.fedoraproject.org. 31 IN A 152.19.134.142
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Jan 04 17:24:53 EST 2022
;; MSG SIZE rcvd: 508
Steps to reproduce the problem
ln /run/systemd/resolved/stub-resolv.conf /etc/resolv.conf
add DNSSEC=yes to /etc/systemd/resolved.conf
delv apps.fedoraproject.org
Additional program output to the terminal or log subsystem illustrating the issue
Processing query...
systemd-resolved[1868]: Received dns UDP packet of size 508, ifindex=2, ttl=0, fragsize=0, sender=10.11.5.19, destination=10.0.138.82
systemd-resolved[1868]: Processing incoming packet of size 508 on transaction 5148 (rcode=SUCCESS).
systemd-resolved[1868]: Requesting DNSKEY to validate transaction 5148 (apps.fedoraproject.org, RRSIG with key tag: 60624).
systemd-resolved[1868]: Positive cache hit for fedoraproject.org IN DNSKEY
systemd-resolved[1868]: Regular transaction 50222 for <fedoraproject.org IN DNSKEY> on scope dns on eth0/* now complete with <success> from>
systemd-resolved[1868]: Requesting DNSKEY to validate transaction 5148 (wildcard.fedoraproject.org, RRSIG with key tag: 60624).
systemd-resolved[1868]: Validating response from transaction 5148 (apps.fedoraproject.org IN A).
systemd-resolved[1868]: Looking at apps.fedoraproject.org IN CNAME wildcard.fedoraproject.org: validated
systemd-resolved[1868]: Found verdict for lookup apps.fedoraproject.org IN CNAME: secure
systemd-resolved[1868]: Looking at wildcard.fedoraproject.org IN A 140.211.169.196: validated
systemd-resolved[1868]: Found verdict for lookup wildcard.fedoraproject.org IN A: secure
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for apps.fedoraproject.org IN CNAME 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
systemd-resolved[1868]: Regular transaction 5148 for <apps.fedoraproject.org IN A> on scope dns on eth0/* now complete with <success> from >
systemd-resolved[1868]: Following CNAME/DNAME apps.fedoraproject.org → wildcard.fedoraproject.org.
systemd-resolved[1868]: Sending response packet with id 22524 on interface 1/AF_INET of size 508.
systemd-resolved[1868]: Freeing transaction 5148.
systemd-resolved[1868]: Freeing transaction 50222.
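Added example, not part of the report above and not systemd code: a small checker for the ordering problem the report describes. An RRSIG signs the entire RRset (every RR with the same owner, class and type), so a validator wants the complete RRset and then its RRSIG; the script parses `dig +dnssec` presentation-format lines and flags any RRSIG that is preceded by only part of the RRset it covers. The two embedded inputs are constructed, abbreviated copies of the answer section quoted in the report (signature data shortened, most A records dropped); `SAMPLE_BAD` keeps the reported ordering and `SAMPLE_GOOD` is the same data with the A RRset contiguous. The function and variable names are this example's own.

```python
"""Check a dig +dnssec answer section for RRSIG placement.

The signature in an RRSIG covers the whole RRset (all RRs with the same
owner, class and type), so a validator expects the complete RRset followed
by its RRSIG.  This flags an RRSIG that follows only part of its RRset,
as in the stub answer quoted in the report above.
"""
import re
import sys
from collections import defaultdict

# Constructed samples: abbreviated from the dig output in the report
# (signature data shortened, most A records dropped).  SAMPLE_BAD keeps the
# reported ordering; SAMPLE_GOOD has the A RRset contiguous before its RRSIG.
SAMPLE_BAD = """\
;; ANSWER SECTION:
apps.fedoraproject.org.     300 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org.     300 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39...
wildcard.fedoraproject.org. 31  IN A     152.19.134.198
wildcard.fedoraproject.org. 31  IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq...
wildcard.fedoraproject.org. 31  IN A     140.211.169.196
wildcard.fedoraproject.org. 31  IN A     209.132.190.2
"""

SAMPLE_GOOD = """\
apps.fedoraproject.org.     300 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org.     300 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39...
wildcard.fedoraproject.org. 31  IN A     152.19.134.198
wildcard.fedoraproject.org. 31  IN A     140.211.169.196
wildcard.fedoraproject.org. 31  IN A     209.132.190.2
wildcard.fedoraproject.org. 31  IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq...
"""

# owner, ttl, class, type, rdata in dig's whitespace-separated presentation format
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s*(.*)$")


def parse_answer(text):
    """Parse presentation-format RR lines into (owner, ttl, type, rdata) tuples.
    Comment lines (';') and blank lines are skipped; owner and type are normalised."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable RR line: {line!r}")
        owner, ttl, _cls, rtype, rdata = m.groups()
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def rrsig_placement_problems(records):
    """Return a list of human-readable problems.  For each RRSIG, every record
    of the covered type with the same owner must sit in one contiguous run
    that ends immediately before the RRSIG."""
    total = defaultdict(int)
    for owner, _ttl, rtype, _rdata in records:
        if rtype != "RRSIG":
            total[(owner, rtype)] += 1

    problems = []
    for i, (owner, _ttl, rtype, rdata) in enumerate(records):
        if rtype != "RRSIG":
            continue
        covered = rdata.split()[0].upper()  # first RDATA field: type covered
        run = 0
        j = i - 1
        while j >= 0 and records[j][0] == owner and records[j][2] == covered:
            run += 1
            j -= 1
        expected = total[(owner, covered)]
        if run == 0:
            problems.append(f"RRSIG {covered} for {owner} is not preceded by its RRset")
        elif run != expected:
            problems.append(
                f"RRSIG {covered} for {owner} follows {run} of {expected} records; "
                f"{expected - run} {covered} record(s) appear elsewhere in the section"
            )
    return problems


def check_dig_output(text):
    """Convenience wrapper: parse dig output and return the placement problems."""
    return rrsig_placement_problems(parse_answer(text))


if __name__ == "__main__":
    # Pipe `dig +dnssec <name>` into this script; with no piped input it
    # runs on the constructed SAMPLE_BAD and prints the single complaint.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BAD
    for problem in check_dig_output(text):
        print(problem)
```

Run as `dig +dnssec apps.fedoraproject.org | python3 rrsig_check.py` against the stub (127.0.0.53) and against the upstream resolver to compare; an empty result means every RRSIG directly follows its whole RRset. The check only looks at ordering, so it says nothing about whether the signatures themselves verify.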