systemd-resolved includes response in SERVFAIL answer in case of dnssec bogus

[pemensik]

systemd version the issue has been seen with

251.4

Used distribution

Fedora 37

Linux kernel version used

No response

CPU architectures issue was seen on

x86_64

Component

systemd-resolved

Expected behaviour you didn't see

My upstream VM dnsmasq:

; <<>> DiG 9.18.5 <<>> dnssec-failed.org @192.168.122.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 0 msec
;; SERVER: 192.168.122.1#53(192.168.122.1) (UDP)
;; WHEN: Mon Sep 26 17:41:02 EDT 2022
;; MSG SIZE  rcvd: 52

Unexpected behaviour you saw

• systemd-resolved creates hybrid response with answer AND status: SERVFAIL at the same time

; <<>> DiG 9.18.5 <<>> dnssec-failed.org @127.0.0.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3675
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; ANSWER SECTION:
dnssec-failed.org.	281	IN	A	96.99.227.255

;; Query time: 2 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Sep 26 17:36:11 EDT 2022
;; MSG SIZE  rcvd: 62

• I think it violates https://www.rfc-editor.org/rfc/rfc4035.html#section-5.5
• Also https://www.rfc-editor.org/rfc/rfc4035.html#section-4.7

Steps to reproduce the problem

• Enabled DNSSEC=yes in resolved.conf
• systemctl restart systemd-resolved
• dig @127.0.0.53 dnssec-failed.org

I think

Additional program output to the terminal or log subsystem illustrating the issue

No response

[pemensik]

interesting is similar sites servfail.nl and rhybar.cz do not produce answers containing also address, but dnssec-failed.org does so reliably. Not sure what is the exact difference.

[3mpSh4ner]

Could reproduce under fedora 37 as well.
There is only one difference between the domain processing i could find.
It's not evaluating the SOA for the dnssec-failed.org domain, which he uses for the authorative answer.

Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 16139 for <. IN DNSKEY> on scope dns on wlp1s0/* now complete with <success> from cache (authenticated; non-confidential).
Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 27748 for <org IN DS> on scope dns on wlp1s0/* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 36433 for <org IN DNSKEY> on scope dns on wlp1s0/* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 14910 for <dnssec-failed.org IN DS> on scope dns on wlp1s0/* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 46239 for <dnssec-failed.org IN DNSKEY> on scope dns on wlp1s0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Sep 27 22:50:50 fedora systemd-resolved[9422]: Regular transaction 47334 for <dnssec-failed.org IN A> on scope dns on wlp1s0/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 54047 for <. IN DNSKEY> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 21206 for <org IN DS> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 32511 for <org IN DNSKEY> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 15159 for <dnssec-failed.org IN DS> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 15820 for <dnssec-failed.org IN DNSKEY> on scope dns on */* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Sep 27 22:50:51 fedora systemd-resolved[9422]: Regular transaction 43256 for <dnssec-failed.org IN A> on scope dns on */* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 64172 for <. IN DNSKEY> on scope dns on */* now complete with <success> from cache (authenticated; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 51884 for <nl IN DS> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 25910 for <nl IN DNSKEY> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 18766 for <servfail.nl IN DS> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 55704 for <servfail.nl IN DNSKEY> on scope dns on */* now complete with <success> from network (authenticated; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 30752 for <servfail.nl IN SOA> on scope dns on */* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Sep 27 22:55:21 fedora systemd-resolved[9422]: Regular transaction 51589 for <servfail.nl IN A> on scope dns on */* now complete with <dnssec-failed> from network (unsigned; non-confidential

[pva]

Yup, was playing with DNSSEC and wanted DNS resolver with DNSSEC support. I was very pleased to find systemd-resolver supports DNSSEC, but I failed to make it work. So, I even started to think that systemd-resolver does not check DNSSEC for 127.0.0.53, but well... this appears to be a bug.

BTW, I'm unable to resolve servfail.nl and rhybar.cz. So this example is not working atm.

[rathann]

This is also reproducible with at least some Google domains:

$ dig @127.0.0.53 googlehosted.l.googleusercontent.com A +nocdflag +crypto +dnssec +nocmd +identify
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24838
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;googlehosted.l.googleusercontent.com. IN A

;; ANSWER SECTION:
googlehosted.l.googleusercontent.com. 1	IN A	216.58.208.193

;; Query time: 3545 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Tue Dec 19 09:42:29 CET 2023
;; MSG SIZE  rcvd: 81

[pemensik]

Problem with this is for example dig +short dnssec-failed.org will emit just address, even when it received status SERVFAIL. So at least in some cases RCODE is not checked properly. Never seen that happen in other open-source implementations I work with.

[ljbade]

I am also seeing this issue with systemd version 254.6 on NixOS 23.11

I was using the test addresses from https://wander.science/projects/dns/dnssec-resolver-test/

The address that has a SERVFAIL but still got a response:

dig sigfail.ippacket.stream +dnssec

; <<>> DiG 9.18.24 <<>> sigfail.ippacket.stream +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7760
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;sigfail.ippacket.stream.	IN	A

;; ANSWER SECTION:
sigfail.ippacket.stream. 3600	IN	CNAME	sigfail.rsa2048-sha256.ippacket.stream.
sigfail.ippacket.stream. 3600	IN	RRSIG	CNAME 8 3 3600 20240417202316 20240308195821 65045 ippacket.stream. cWiraTm6TpGFjlEI31+7MNvnhm+qDIS1uJ6yt4HWdf/btkmVRTWKVtga ci8HyCQuz7kdVAbvLql97ojLhTkjNXbgQskAXbii0B3Mk+n/TpLl5DlB V8JFBHmbF4tPpipvu/xbSS47hCZ/wgCqromWz5gtKk6FnOa+kCfkslBH LX51TsULADI1FTF6jUMQEgIp4DJefG/21Bn3nLwFxlEGowcP1WTF4REk G3yH5o87PqGdft5aNGeu0J4iIocTSRTU5dzf8HZtcvdeo/iHsYQoqNc4 K+0Qo6efsJkVPqDU1N7KhbHLQIU0C0fjMLyNr+zQwOpj0tHL/iPLPFQh NtilVg==
sigfail.rsa2048-sha256.ippacket.stream.	60 IN A	195.201.14.36

;; ADDITIONAL SECTION:
sigfail.rsa2048-sha256.ippacket.stream.	60 IN RRSIG A 8 4 60 20240410040001 20240229040001 46436 rsa2048-sha256.ippacket.stream. //This+RRSIG+is+deliberately+broken///For+more+informati on+please+go+to/https+//wander+science/projects/dns/dnss ecresolvertest////////////////////////////////////////// //////////////////////////////////////////////////////// //////////////////////////////////////////////////////// //////////////////////////////////////////////////////// /////w==

;; Query time: 2131 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Wed Mar 13 13:28:02 AEDT 2024
;; MSG SIZE  rcvd: 726

From resolved monitor:

→ Q: sigfail.rsa2048-sha256.ippacket.stream IN A
→ Q: sigfail.rsa2048-sha256.ippacket.stream IN AAAA
→ C: sigfail.ippacket.stream IN A
→ C: sigfail.ippacket.stream IN AAAA
← S: dnssec-failed
← A: sigfail.rsa2048-sha256.ippacket.stream IN AAAA 2a01:4f8:13b:2048::113
← A: sigfail.rsa2048-sha256.ippacket.stream IN RRSIG AAAA RSASHA256 4 60 20240410040001 20240229040001 46436 rsa2048-sha256.ippacket.stream
        //This+RRSIG+is+deliberately+broken///For+more+information+please+go+to/https+//wander+science/projects/dns/dnssecresolvertest///////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////w==