systemd version the issue has been seen with
systemd-250-3.fc36.x86_64
Used distribution
Fedora Rawhide
Linux kernel version used (uname -a)
Linux -censored-.redhat.com 5.16.0-0.rc7.20211231git4f3d93c6eaff.52.fc36.x86_64 #1 SMP PREEMPT Fri Dec 31 16:08:05 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CPU architecture issue was seen on
x86_64
Expected behaviour you didn't see
delv apps.fedoraproject.org does pass
$ delv apps.fedoraproject.org
; fully validated
apps.fedoraproject.org. 30 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org. 30 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39KQSwg7udDnpeG7gzhaBSFh0ERaWf859C1m/Lu+KbTHYojU0i A+EsB8pyCq1PpO6CvG1hFkVNDkSwTojakr6FJ0XV78I0rmKPzAw7f8er qUhs5flojoFeZYCD
wildcard.fedoraproject.org. 60 IN A 152.19.134.142
wildcard.fedoraproject.org. 60 IN A 8.43.85.73
wildcard.fedoraproject.org. 60 IN A 38.145.60.21
wildcard.fedoraproject.org. 60 IN A 67.219.144.68
wildcard.fedoraproject.org. 60 IN A 38.145.60.20
wildcard.fedoraproject.org. 60 IN A 140.211.169.196
wildcard.fedoraproject.org. 60 IN A 209.132.190.2
wildcard.fedoraproject.org. 60 IN A 140.211.169.206
wildcard.fedoraproject.org. 60 IN A 152.19.134.198
wildcard.fedoraproject.org. 60 IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq7bFgaIhVQXKUNT4+HE6FnEAlcW/A/LGRwDuEg6aOavpDtxA4 1ZRVRmaQhT0TqkjZAdVZd5bn407/LkEZSUVmHVBtG5h4mtZVM4Oklpm/ MiUi4+mlBWNFQmaO
Unexpected behaviour you saw
RRSIG is placed after just first record, not after all records of the same type.
# dig +dnssec apps.fedoraproject.org
; <<>> DiG 9.16.24-RH <<>> +dnssec apps.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16609
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org. IN A
;; ANSWER SECTION:
apps.fedoraproject.org. 300 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org. 300 IN RRSIG CNAME 14 3 300 20220121183733 20211222183733 60624 fedoraproject.org. c8OYvW39KQSwg7udDnpeG7gzhaBSFh0ERaWf859C1m/Lu+KbTHYojU0i A+EsB8pyCq1PpO6CvG1hFkVNDkSwTojakr6FJ0XV78I0rmKPzAw7f8er qUhs5flojoFeZYCD
wildcard.fedoraproject.org. 31 IN A 152.19.134.198
wildcard.fedoraproject.org. 31 IN RRSIG A 14 3 60 20220121183733 20211222183733 60624 fedoraproject.org. 4tpyWQKq7bFgaIhVQXKUNT4+HE6FnEAlcW/A/LGRwDuEg6aOavpDtxA4 1ZRVRmaQhT0TqkjZAdVZd5bn407/LkEZSUVmHVBtG5h4mtZVM4Oklpm/ MiUi4+mlBWNFQmaO
wildcard.fedoraproject.org. 31 IN A 140.211.169.196
wildcard.fedoraproject.org. 31 IN A 209.132.190.2
wildcard.fedoraproject.org. 31 IN A 38.145.60.20
wildcard.fedoraproject.org. 31 IN A 8.43.85.73
wildcard.fedoraproject.org. 31 IN A 38.145.60.21
wildcard.fedoraproject.org. 31 IN A 67.219.144.68
wildcard.fedoraproject.org. 31 IN A 140.211.169.206
wildcard.fedoraproject.org. 31 IN A 152.19.134.142
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Jan 04 17:24:53 EST 2022
;; MSG SIZE rcvd: 508
Steps to reproduce the problem
ln /run/systemd/resolved/stub-resolv.conf /etc/resolv.conf
add DNSSEC=yes to /etc/systemd/resolved.conf
delv apps.fedoraproject.org
Additional program output to the terminal or log subsystem illustrating the issue
Processing query...
temd-resolved[1868]: Received dns UDP packet of size 508, ifindex=2, ttl=0, fragsize=0, sender=10.11.5.19, destination=10.0.138.82
temd-resolved[1868]: Processing incoming packet of size 508 on transaction 5148 (rcode=SUCCESS).
temd-resolved[1868]: Requesting DNSKEY to validate transaction 5148 (apps.fedoraproject.org, RRSIG with key tag: 60624).
temd-resolved[1868]: Positive cache hit for fedoraproject.org IN DNSKEY
temd-resolved[1868]: Regular transaction 50222 for <fedoraproject.org IN DNSKEY> on scope dns on eth0/* now complete with <success> from>
temd-resolved[1868]: Requesting DNSKEY to validate transaction 5148 (wildcard.fedoraproject.org, RRSIG with key tag: 60624).
temd-resolved[1868]: Validating response from transaction 5148 (apps.fedoraproject.org IN A).
temd-resolved[1868]: Looking at apps.fedoraproject.org IN CNAME wildcard.fedoraproject.org: validated
temd-resolved[1868]: Found verdict for lookup apps.fedoraproject.org IN CNAME: secure
temd-resolved[1868]: Looking at wildcard.fedoraproject.org IN A 140.211.169.196: validated
temd-resolved[1868]: Found verdict for lookup wildcard.fedoraproject.org IN A: secure
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for apps.fedoraproject.org IN CNAME 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Added positive authenticated non-confidential cache entry for wildcard.fedoraproject.org IN A 23s on eth0/INET/10.1>
temd-resolved[1868]: Regular transaction 5148 for <apps.fedoraproject.org IN A> on scope dns on eth0/* now complete with <success> from >
temd-resolved[1868]: Following CNAME/DNAME apps.fedoraproject.org → wildcard.fedoraproject.org.
temd-resolved[1868]: Sending response packet with id 22524 on interface 1/AF_INET of size 508.
temd-resolved[1868]: Freeing transaction 5148.
temd-resolved[1868]: Freeing transaction 50222.
systemd version the issue has been seen with
Used distribution
Linux kernel version used (
uname -a)CPU architecture issue was seen on
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
Additional program output to the terminal or log subsystem illustrating the issue