resolved: `gpg --send-keys` fails with stub-resolv.conf

[Tachi107]

systemd version the issue has been seen with

systemd 251 (251.2-5)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

Used distribution

Debian Testing (12)

Linux kernel version used (uname -srvmo)

Linux 5.17.0-1-amd64 #1 SMP PREEMPT Debian 5.17.3-1 (2022-04-18) x86_64 GNU/Linux

CPU architecture issue was seen on

x86_64

Expected behaviour you didn't see

gpg --send-keys should be able to send keys when using systemd-resolved and /etc/resolv.conf points to the resolved stub

Unexpected behaviour you saw

$ ls -lh /etc/resolv.conf
lrwxrwxrwx 1 root root 37 14 giu 11.54 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
$ gpg --keyserver pgp.surf.nl --send-key 66DEF15282990C2199EFA801A8A128A8AB1CEE49
gpg: sending key A8A128A8AB1CEE49 to hkp://pgp.surf.nl
gpg: keyserver send failed: Server indicated a failure
gpg: keyserver send failed: Server indicated a failure

$ ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
$ gpg --verbose --verbose --keyserver pgp.surf.nl --send-key 66DEF15282990C2199EFA801A8A128A8AB1CEE49
gpg: sending key A8A128A8AB1CEE49 to hkp://pgp.surf.nl
$ echo $?
0

Steps to reproduce the problem

1. Fully enable systemd-resolved, also with /etc/resolv.conf pointing to /run/systemd/resolve/stub-resolv.conf
2. Run gpg --keyserver "$keyserver" --send-key "$my_key"

Additional program output to the terminal or log subsystem illustrating the issue

$ resolvectl status 
Global
         Protocols: +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub
Current DNS Server: 9.9.9.9#dns.quad9.net
       DNS Servers: 9.9.9.9#dns.quad9.net

Link 2 (enp7s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
         Protocols: +DefaultRoute +LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1

$ journalctl --no-hostname --boot --follow
giu 14 11:32:51 dirmngr[3727]: command 'KS_PUT' failed: Server indicated a failure <Unspecified source>

Details

$ gpg --verbose --verbose --debug-all --keyserver pgp.surf.nl --send-key 66DEF15282990C2199EFA801A8A128A8AB1CEE49
gpg: reading options from '/home/tachi/.gnupg/gpg.conf'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/tachi/.gnupg
gpg: DBG: chan_3 <- # Config: /home/tachi/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.35 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.35
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pgp.surf.nl
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER
gpg: DBG: chan_3 <- S KEYSERVER hkp://pgp.surf.nl
gpg: DBG: chan_3 <- OK
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '66DE F152 8299 0C21 99EF  A801 A8A1 28A8 AB1C EE49'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: [not enabled in the source] keydb_search leave (found)
gpg: DBG: [not enabled in the source] keydb_get_keybock enter
gpg: DBG: parse_packet(iob=2): type=6 length=51 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=12 length=12 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=13 length=57 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=12 length=12 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=2 length=144 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=12 length=6 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=2 length=563 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=12 length=6 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=14 length=56 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=2 length=120 (parse.../../g10/keydb.c.1257)
gpg: DBG: parse_packet(iob=2): type=12 length=6 (parse.../../g10/keydb.c.1257)
gpg: DBG: iobuf-2.0: underflow: buffer size: 1056; still buffered: 0 => space for 1056 bytes
gpg: DBG: iobuf-2.0: close '?'
gpg: DBG: [not enabled in the source] keydb_get_keyblock leave
gpg: DBG: build_packet() type=6
gpg: DBG: iobuf-3.0: close '?'
gpg: DBG: build_packet() type=13
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-4.0: close '?'
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-5.0: close '?'
gpg: DBG: build_packet() type=14
gpg: DBG: iobuf-6.0: close '?'
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-7.0: close '?'
gpg: DBG: iobuf-1.0: close '?'
gpg: sending key A8A128A8AB1CEE49 to hkp://pgp.surf.nl
gpg: DBG: chan_3 -> KS_PUT
gpg: DBG: chan_3 <- INQUIRE KEYBLOCK
gpg: DBG: chan_3 -> [ 44 20 98 33 04 5f ef 42 de 16 09 2b 06 01 04 01 ...(982 byte(s) skipped) ]
gpg: DBG: chan_3 -> [ 44 20 c8 0f 7a e9 7c ac 90 88 cc f5 6a 30 75 5d ...(16 byte(s) skipped) ]
gpg: DBG: chan_3 -> END
gpg: DBG: chan_3 <- INQUIRE KEYBLOCK_INFO
gpg: DBG: chan_3 -> D pub::255:22:A8A128A8AB1CEE49:1609515742::::::::::::::%0Afpr:::::::::66DEF15282990C2199EFA801A8A128A8AB1CEE49:<snip>
gpg: DBG: chan_3 -> END
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: DBG: free_packet() type=6
gpg: DBG: free_packet() type=13
gpg: DBG: free_packet() type=2
gpg: DBG: free_packet() type=2
gpg: DBG: free_packet() type=14
gpg: DBG: free_packet() type=2
gpg: keyserver send failed: Server indicated a failure
gpg: keyserver send failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=2 good=2 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

[yuwata]

resolvectl query or dig works for the host?? Could you show the output of these commands?

[Tachi107]

resolvectl query or dig works for the host?? Could you show the output of these commands?

Yes, they work. delv doesn't, but that's probably related to #23289 (comment)

$ resolvectl query pgp.surf.nl
pgp.surf.nl: 2001:610:188:452:145:100:176:15   -- link: enp7s0
             145.100.176.15                    -- link: enp7s0

-- Information acquired via protocol DNS in 185.0ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network

$ dig pgp.surf.nl

; <<>> DiG 9.18.1-1-Debian <<>> pgp.surf.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60413
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;pgp.surf.nl.			IN	A

;; ANSWER SECTION:
pgp.surf.nl.		79	IN	A	145.100.176.15

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Jun 27 22:21:32 CEST 2022
;; MSG SIZE  rcvd: 56

$ delv pgp.surf.nl
;; broken trust chain resolving 'surf.nl/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'surf.nl/DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'pgp.surf.nl/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain

[yuwata]

Do you have any trust anchors file in {/etc,/usr/lib,/run}/dnssec-trust-anchors.d ??
I cannot reproduce the issue...

[Tachi107]

Yes, I don't have those dirs at all.

I've been also able to reproduce this on systemd 247.3 (Debian stable).

Edit: how did you try to reproduce this? Note that I have both DoT and DNSSEC enabled. I did not try changing DNS server though (only used quad9)

[mrc0mmand]

I just tried it with the latest main and can't reproduce it either:

# resolvectl
Global
           Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com
                      2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google

Link 2 (eth0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute +LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 9.9.9.9
       DNS Servers: 9.9.9.9

# resolvectl --cache=no query pgp.surf.nl
pgp.surf.nl: 2001:610:188:452:145:100:176:15   -- link: eth0
             145.100.176.15                    -- link: eth0

-- Information acquired via protocol DNS in 256.3ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network

# gpg -vvv --debug all --keyserver pgp.surf.nl --send-key 965903AAE5C10D90CF2D0BBFE9083485235552BB
gpg: reading options from '[cmdline]'
gpg: using character set 'utf-8'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [no clock] start
gpg: DBG: chan_3 <- # Home: /root/.gnupg
gpg: DBG: chan_3 <- # Config: /root/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.3.6 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.3.6
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://pgp.surf.nl
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER
gpg: DBG: chan_3 <- S KEYSERVER hkp://pgp.surf.nl
gpg: DBG: chan_3 <- OK
gpg: DBG: [no clock] keydb_new
gpg: DBG: [no clock] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: FPR20: '9659 03AA E5C1 0D90 CF2D  0BBF E908 3485 2355 52BB'
gpg: DBG: internal_keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: internal_keydb_search: searched keybox (resource 0 of 1) => Success
gpg: DBG: [no clock] keydb_search leave (found)
gpg: DBG: [no clock] keydb_get_keyblock enter
gpg: DBG: parse_packet(iob=2): type=6 length=51 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=12 length=12 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=13 length=63 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=12 length=12 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=2 length=153 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=12 length=6 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=14 length=56 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=2 length=126 (parse.keydb.c.1161)
gpg: DBG: parse_packet(iob=2): type=12 length=6 (parse.keydb.c.1161)
gpg: DBG: iobuf-2.0: underflow: buffer size: 503; still buffered: 0 => space for 503 bytes
gpg: DBG: iobuf-2.0: close '?'
gpg: DBG: [no clock] keydb_get_keyblock leave
gpg: DBG: build_packet() type=6
gpg: DBG: iobuf-3.0: close '?'
gpg: DBG: build_packet() type=13
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-4.0: close '?'
gpg: DBG: build_packet() type=14
gpg: DBG: iobuf-5.0: close '?'
gpg: DBG: build_packet() type=2
gpg: DBG: iobuf-6.0: close '?'
gpg: DBG: [no clock] keydb_release
gpg: DBG: iobuf-1.0: close '?'
gpg: sending key E9083485235552BB to hkp://pgp.surf.nl
gpg: DBG: ecc_verify info: Edwards/Ed25519+EdDSA
gpg: DBG: ecc_verify name: Ed25519
gpg: DBG: ecc_verify    p:+7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
gpg: DBG: ecc_verify    a:+7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec
gpg: DBG: ecc_verify    b:+52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3
gpg: DBG: ecc_verify  g.X:+216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a
gpg: DBG: ecc_verify  g.Y:+6666666666666666666666666666666666666666666666666666666666666658
gpg: DBG: ecc_verify  g.Z:+01
gpg: DBG: ecc_verify    n:+1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
gpg: DBG: ecc_verify    h:+08
gpg: DBG: ecc_verify    q: [264 bit]
gpg: DBG:                  405af4a4f6b4cfd8964f121bfd0c22502544d175698f42a78a01726dbb1d89c3 \
gpg: DBG:                  c4
gpg: DBG: ecc_verify data: [512 bit]
gpg: DBG:                  51c7a140c819bb30f8364b54bf10348b4e0b58aa2b7ef8bed769a17990b70ee4 \
gpg: DBG:                  3dc9451942ce836f131971c8f36f79aefc10289e3a746c94926a1305458c381a
gpg: DBG: ecc_verify  s_r: [256 bit]
gpg: DBG:                  779fe72e43d4f78669735ac14b49920621813e27aaa075964cad196c990b1214
gpg: DBG: ecc_verify  s_s: [256 bit]
gpg: DBG:                  563f5853bb059d14f819243bb728146dcbdf91e60c5e0866ec3df46f9b122d0e
gpg: DBG:   e_pk: 5af4a4f6b4cfd8964f121bfd0c22502544d175698f42a78a01726dbb1d89c3c4
gpg: DBG:      m: 51c7a140c819bb30f8364b54bf10348b4e0b58aa2b7ef8bed769a17990b70ee4 \
gpg: DBG:         3dc9451942ce836f131971c8f36f79aefc10289e3a746c94926a1305458c381a
gpg: DBG:      r: 779fe72e43d4f78669735ac14b49920621813e27aaa075964cad196c990b1214
gpg: DBG:  H(R+): 4659fb38be77c3516bcbca8682591792348deb86ad16ae09fc61c502935e903a \
gpg: DBG:         35a2c34620431e194b316b9379bb70681f8d127b4e35234f7e9c067d26706b4f
gpg: DBG:      s: 0e2d129b6ff43dec66085e0ce691dfcb6d1428b73b2419f8149d05bb53583f56
gpg: DBG: ecc_verify    => Good
gpg: DBG: ecc_verify info: Edwards/Ed25519+EdDSA
gpg: DBG: ecc_verify name: Ed25519
gpg: DBG: ecc_verify    p:+7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed
gpg: DBG: ecc_verify    a:+7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffec
gpg: DBG: ecc_verify    b:+52036cee2b6ffe738cc740797779e89800700a4d4141d8ab75eb4dca135978a3
gpg: DBG: ecc_verify  g.X:+216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a
gpg: DBG: ecc_verify  g.Y:+6666666666666666666666666666666666666666666666666666666666666658
gpg: DBG: ecc_verify  g.Z:+01
gpg: DBG: ecc_verify    n:+1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed
gpg: DBG: ecc_verify    h:+08
gpg: DBG: ecc_verify    q: [264 bit]
gpg: DBG:                  405af4a4f6b4cfd8964f121bfd0c22502544d175698f42a78a01726dbb1d89c3 \
gpg: DBG:                  c4
gpg: DBG: ecc_verify data: [512 bit]
gpg: DBG:                  5d0d4a5ce94904066012e53c5ba2f2bb4fdb5d80be52fb5e34c11d932dda7fc7 \
gpg: DBG:                  fd13b65cc653dd578d156e22b5532813f0dff3235bf53a32b7576648fbfdce43
gpg: DBG: ecc_verify  s_r: [256 bit]
gpg: DBG:                  9568700cd6f57efaf7be0ac4e9e4755e462f3f3a96c9a32b7dadbcf570781633
gpg: DBG: ecc_verify  s_s: [256 bit]
gpg: DBG:                  5cd16ab5b79ee7dfd0105cfdbb0daf1f605e8aba16550e125e55a24b2dd5a40c
gpg: DBG:   e_pk: 5af4a4f6b4cfd8964f121bfd0c22502544d175698f42a78a01726dbb1d89c3c4
gpg: DBG:      m: 5d0d4a5ce94904066012e53c5ba2f2bb4fdb5d80be52fb5e34c11d932dda7fc7 \
gpg: DBG:         fd13b65cc653dd578d156e22b5532813f0dff3235bf53a32b7576648fbfdce43
gpg: DBG:      r: 9568700cd6f57efaf7be0ac4e9e4755e462f3f3a96c9a32b7dadbcf570781633
gpg: DBG:  H(R+): 54a96bf0fe76e8ac761678e80473deb4ac0c39fd540abd33f2b0c7b98774e5aa \
gpg: DBG:         ec234495d30245076cc0494676f2487f641d4da0ef14c4fc3618d1e3935e9fc7
gpg: DBG:      s: 0ca4d52d4ba2555e120e5516ba8a5e601faf0dbbfd5c10d0dfe79eb7b56ad15c
gpg: DBG: ecc_verify    => Good
gpg: DBG: chan_3 -> KS_PUT
gpg: DBG: chan_3 <- INQUIRE KEYBLOCK
gpg: DBG: chan_3 -> [ 44 20 98 33 04 62 c2 c9 45 16 09 2b 06 01 04 01 ...(471 byte(s) skipped) ]
gpg: DBG: chan_3 -> END
gpg: DBG: chan_3 <- INQUIRE KEYBLOCK_INFO
gpg: DBG: chan_3 -> D pub::255:22:E9083485235552BB:1656932677:1659524677:::::::::::::%0Afpr:::::::::965903AAE5C10D90CF2D0BBFE9083485235552BB:%0Auid:::::1656932677::::systemd-resolved-test (Test key) <systemd-resolved@just.a.test>:::::::::%0Asub::255:18:1D0E4A07E3C7E3F5:1656932677:1659524677:::::::::::::%0Afpr:::::::::035BF81DA48496D9FCE93C811D0E4A07E3C7E3F5:%0A
gpg: DBG: chan_3 -> END
gpg: DBG: chan_3 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_3 <- OK
gpg: DBG: free_packet() type=6
gpg: DBG: free_packet() type=13
gpg: DBG: free_packet() type=2
gpg: DBG: free_packet() type=14
gpg: DBG: free_packet() type=2
gpg: DBG: chan_3 -> BYE
gpg: DBG: [no clock] stop
gpg: keydb: handles=1 locks=0 parse=1 get=1
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=1 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=2 cached=0 good=0 bad=0
gpg: objcache: keys=0/0/0 chains=0,0..0 buckets=0/0 attic=0
gpg: objcache: uids=0/0/0 chains=0,0..0 buckets=0/0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

[yuwata]

@Tachi107 I tried with 9.9.9.9 and both DNSOverTLS and DNSSEC are enabled.
Also, I cannot reproduce the issue reported at #23289 (comment).

[Tachi107]

Uhm, strange... I'll try to reproduce it on non-Debian systems.

[Tachi107]

I've been able to reproduce this on Fedora 36 Live (bare metal, not VM). I've encountered all the issues I described above. The commands were run on a clean Live image, and the only things I changed from the default system config were some resolved settings to enable DNSSEC and DoT.

$ cat /etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net
DNSOverTLS=yes

$ cat /etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=yes

$ resolvectl --version
systemd 250 (v250.3-8.fc36)
+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified

$ resolvectl flush-caches

$ gpg --keyserver pgp.surf.nl --send-keys 4DFB675E669CBB97C7B56AC72EB75202983682D7
gpg: sending key 2EB75202983682D7 to hkp://pgp.surf.nl
gpg: keyserver send failed: Server indicated a failure
gpg: keyserver send failed: Server indicated a failure

$ delv +mtrace +vtrace apps.fedoraproject.org
;; fetch: apps.fedoraproject.org/A
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  17794
;; flags: qr tc rd ra ad; QUESTION: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org.		IN	A

;; ANSWER SECTION:
;apps.fedoraproject.org.	269	IN	CNAME	wildcard.fedoraproject.org.
;apps.fedoraproject.org.	269	IN	RRSIG	CNAME 14 3 300 (
;						20220730141214 20220630141214 60624 fedoraproject.org.
;						r/zBHuC4AMeNCuxGb9QErCMbFtIi
;						DneL+E0hhUAB3moTGjljqZm/lhj4
;						pxI8Nv0OOIChsq9vD3ne+c44vHeO
;						NPGnNjE3pCSgJhe9lDYdO+ldWNkd
;						Jh4uUdq5nx73haFT )
;wildcard.fedoraproject.org. 58	IN	A	152.19.134.198
;wildcard.fedoraproject.org. 58	IN	A	85.236.55.6
;wildcard.fedoraproject.org. 58	IN	A	18.159.254.57
;wildcard.fedoraproject.org. 58	IN	A	18.133.140.134
;wildcard.fedoraproject.org. 58	IN	A	152.19.134.142
;wildcard.fedoraproject.org. 58	IN	A	185.141.165.254
;wildcard.fedoraproject.org. 58	IN	A	38.145.60.21
;wildcard.fedoraproject.org. 58	IN	A	18.192.40.85
;wildcard.fedoraproject.org. 58	IN	A	209.132.190.2
;wildcard.fedoraproject.org. 58	IN	RRSIG	A 14 3 60 (
;						20220730141214 20220630141214 60624 fedoraproject.org.
;						qm92mLmhexhwRgLziQPVljw19V3t
;						el6nQ9xrlZ1SdnNtqsftco3GTypH
;						0msXRdnsFxkZB/S5LsD48xQb7qta
;						xvh4GFd5mYMRroIH40A+k47OJ6+i
;						afcjCsAqGG25TmdB )


;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  47087
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org.		IN	A

;; ANSWER SECTION:
;apps.fedoraproject.org.	57	IN	CNAME	wildcard.fedoraproject.org.
;apps.fedoraproject.org.	57	IN	RRSIG	CNAME 14 3 300 (
;						20220730141214 20220630141214 60624 fedoraproject.org.
;						r/zBHuC4AMeNCuxGb9QErCMbFtIi
;						DneL+E0hhUAB3moTGjljqZm/lhj4
;						pxI8Nv0OOIChsq9vD3ne+c44vHeO
;						NPGnNjE3pCSgJhe9lDYdO+ldWNkd
;						Jh4uUdq5nx73haFT )
;wildcard.fedoraproject.org. 57	IN	A	38.145.60.21
;wildcard.fedoraproject.org. 57	IN	A	85.236.55.6
;wildcard.fedoraproject.org. 57	IN	A	152.19.134.198
;wildcard.fedoraproject.org. 57	IN	A	185.141.165.254
;wildcard.fedoraproject.org. 57	IN	A	18.159.254.57
;wildcard.fedoraproject.org. 57	IN	A	152.19.134.142
;wildcard.fedoraproject.org. 57	IN	A	18.192.40.85
;wildcard.fedoraproject.org. 57	IN	A	38.145.60.20
;wildcard.fedoraproject.org. 57	IN	A	18.133.140.134
;wildcard.fedoraproject.org. 57	IN	A	209.132.190.2
;wildcard.fedoraproject.org. 57	IN	RRSIG	A 14 3 60 (
;						20220730141214 20220630141214 60624 fedoraproject.org.
;						qm92mLmhexhwRgLziQPVljw19V3t
;						el6nQ9xrlZ1SdnNtqsftco3GTypH
;						0msXRdnsFxkZB/S5LsD48xQb7qta
;						xvh4GFd5mYMRroIH40A+k47OJ6+i
;						afcjCsAqGG25TmdB )


;; validating apps.fedoraproject.org/CNAME: starting
;; validating apps.fedoraproject.org/CNAME: attempting positive response validation
;; fetch: fedoraproject.org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  58670
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org.		IN	DNSKEY

;; ANSWER SECTION:
;fedoraproject.org.	222	IN	DNSKEY	257 3 14 (
;						7ttmhus8JD56ybsvMVZVsXa3U2R+
;						2+WmOPIP7BU6t2LicosMZ2Ju3pfv
;						ijsa5LvBvVCB4xVtLSqEdLSvW4vJ
;						PLSAB2uyJwHPJMezh0SzGmVCImLU
;						6qDxsxjHqtZ76/Sf
;						) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
;fedoraproject.org.	222	IN	DNSKEY	256 3 14 (
;						04ZsDOgyzs3kJsJ4jEY3MYufkCOW
;						m1OI8N4M+dlBOBmweln0TSaKfafH
;						zNCkaPiVG4bdgdnrzwxmjpK5GQgs
;						iB47np+I8850Ea3EJG5ORDl3f//l
;						rr92HiYh5DxCNhkG
;						) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
;fedoraproject.org.	222	IN	RRSIG	DNSKEY 14 2 300 (
;						20220730141214 20220630141214 58125 fedoraproject.org.
;						kh7KSKFrOxnB/po/koxjc40SAyMR
;						muwMXYjw6bwopP79lbNVKECz2JXs
;						0/OzJ5K5JMVI+AzqaatM5V8ZXTg5
;						+sZ0tEEBOxWp5W6L5ih/+GCp9Qmw
;						3VfSOuhV3dI9+j0V )


;; validating fedoraproject.org/DNSKEY: starting
;; validating fedoraproject.org/DNSKEY: attempting positive response validation
;; fetch: fedoraproject.org/DS
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2113
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org.		IN	DS

;; ANSWER SECTION:
;fedoraproject.org.	2190	IN	DS	58125 14 2 (
;						FCC70DB7608C9837F060D6D92DF9
;						E53A22D1F830752B9E7038FC48EA
;						411DFF46 )
;fedoraproject.org.	2190	IN	RRSIG	DS 8 2 3600 (
;						20220730152415 20220709142415 52626 org.
;						aYd/MkjeQqJk3BT/VM/Rcqz1NPB9
;						hqCgb35fSpBhgw06NYuHbIXQ6dXI
;						xJ3eF4xXOt3pW5TrryfEaJzKpXWS
;						fnUlSxMjepzMw9D17U+unySTuy2Z
;						WuOgVM/PbUGPY+oULlt81SP4JKFA
;						/W7g7qY7xdBRizX9JUpv5YzbzExz
;						64g= )


;; validating fedoraproject.org/DS: starting
;; validating fedoraproject.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id:  45331
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;org.				IN	DNSKEY


;; validating fedoraproject.org/DS: in fetch_callback_dnskey
;; validating fedoraproject.org/DS: fetch_callback_dnskey: got SERVFAIL
;; broken trust chain resolving 'fedoraproject.org/DS/IN': 127.0.0.53#53
;; validating fedoraproject.org/DNSKEY: in fetch_callback_ds
;; validating fedoraproject.org/DNSKEY: fetch_callback_ds: got broken trust chain
;; broken trust chain resolving 'fedoraproject.org/DNSKEY/IN': 127.0.0.53#53
;; validating apps.fedoraproject.org/CNAME: in fetch_callback_dnskey
;; validating apps.fedoraproject.org/CNAME: fetch_callback_dnskey: got broken trust chain
;; broken trust chain resolving 'apps.fedoraproject.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain