systemd-resolved breaks delv #25105
Closed
Labels
bug 🐛 (Programming errors, that need preferential fixing), dnssec, resolve
Description
systemd version the issue has been seen with
251.6-2-arch
Used distribution
arch
Linux kernel version used
6.0.2-arch1-1
CPU architectures issue was seen on
x86_64
Component
systemd-resolved
Expected behaviour you didn't see
$ delv apps.fedoraproject.org
; fully validated
....
Unexpected behaviour you saw
$ delv apps.fedoraproject.org
;; broken trust chain resolving 'fedoraproject.org/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'fedoraproject.org/DNSKEY/IN': 127.0.0.53#53
;; broken trust chain resolving 'apps.fedoraproject.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
Steps to reproduce the problem
$ delv apps.fedoraproject.org
Additional program output to the terminal or log subsystem illustrating the issue
$ resolvectl --version
systemd 251 (251.6-2-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified
$ resolvectl status
Global
Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: stub
DNS Domain: lan
Link 3 (wlan0)
Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 192.168.2.1
DNS Servers: 192.168.2.1 fdf3:a6d5:a50f::1 fd86:91bf:30a1::1
$ resolvectl flush-caches
$ delv +mtrace +vtrace apps.fedoraproject.org
;; fetch: apps.fedoraproject.org/A
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48514
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;apps.fedoraproject.org. IN A
;; ANSWER SECTION:
;apps.fedoraproject.org. 177 IN CNAME wildcard.fedoraproject.org.
;apps.fedoraproject.org. 177 IN RRSIG CNAME 14 3 300 (
; 20221120193220 20221021193220 60624 fedoraproject.org.
; YdRQi4ztP+2/1neyIAXgSwlMMZmh
; OFS5Wm3C6PamLyo+c+h5RnOSt/IT
; NeVGT0CZGSQhW0CnDGhmBAzjkgBN
; 7Nd8o7C1ZaHSsWy+M+EOqgSxzo0e
; uC1pUYARoKHlD60A )
;wildcard.fedoraproject.org. 13 IN A 67.219.144.68
;wildcard.fedoraproject.org. 13 IN A 140.211.169.196
;wildcard.fedoraproject.org. 13 IN A 152.19.134.142
;wildcard.fedoraproject.org. 13 IN A 152.19.134.198
;wildcard.fedoraproject.org. 13 IN A 209.132.190.2
;wildcard.fedoraproject.org. 13 IN A 8.43.85.67
;wildcard.fedoraproject.org. 13 IN A 8.43.85.73
;wildcard.fedoraproject.org. 13 IN A 38.145.60.20
;wildcard.fedoraproject.org. 13 IN A 38.145.60.21
;wildcard.fedoraproject.org. 13 IN RRSIG A 14 3 60 (
; 20221120193220 20221021193220 60624 fedoraproject.org.
; 87mhYrfRA9Pt7nSyB6BBD1uSRbPL
; IpOQyY/IVEoEIiIDYJFcEnZrXBuw
; DSZZJbOzVxmiPQxH1FFusRk8+HmS
; F8p0K/IsDCaK53Yzjezcr4rTU8HR
; wsl4urgYqoyqdJgs )
;; validating apps.fedoraproject.org/CNAME: starting
;; validating apps.fedoraproject.org/CNAME: attempting positive response validation
;; fetch: fedoraproject.org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43921
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org. IN DNSKEY
;; ANSWER SECTION:
;fedoraproject.org. 249 IN DNSKEY 257 3 14 (
; 7ttmhus8JD56ybsvMVZVsXa3U2R+
; 2+WmOPIP7BU6t2LicosMZ2Ju3pfv
; ijsa5LvBvVCB4xVtLSqEdLSvW4vJ
; PLSAB2uyJwHPJMezh0SzGmVCImLU
; 6qDxsxjHqtZ76/Sf
; ) ; KSK; alg = ECDSAP384SHA384 ; key id = 58125
;fedoraproject.org. 249 IN DNSKEY 256 3 14 (
; 04ZsDOgyzs3kJsJ4jEY3MYufkCOW
; m1OI8N4M+dlBOBmweln0TSaKfafH
; zNCkaPiVG4bdgdnrzwxmjpK5GQgs
; iB47np+I8850Ea3EJG5ORDl3f//l
; rr92HiYh5DxCNhkG
; ) ; ZSK; alg = ECDSAP384SHA384 ; key id = 60624
;fedoraproject.org. 249 IN RRSIG DNSKEY 14 2 300 (
; 20221120193220 20221021193220 58125 fedoraproject.org.
; YshqiYHxPz43PSeWQUbqj8bAqTHR
; 5T+1NcjnOwD7V8Oj2rSHEfOOug6Q
; Z+YRWjjvdVQUXa0wLuAIEhw4N0Vw
; QdDQELvlIhfRqNZd4di47Z37Ke+h
; t2JWe3wFwhcpYgi8 )
;; validating fedoraproject.org/DNSKEY: starting
;; validating fedoraproject.org/DNSKEY: attempting positive response validation
;; fetch: fedoraproject.org/DS
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61908
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org. IN DS
;; ANSWER SECTION:
;fedoraproject.org. 2121 IN DS 58125 14 2 (
; FCC70DB7608C9837F060D6D92DF9
; E53A22D1F830752B9E7038FC48EA
; 411DFF46 )
;fedoraproject.org. 2121 IN RRSIG DS 8 2 3600 (
; 20221107152444 20221017142444 29166 org.
; gjmwP3POEOVSI2e9f4xfRbSGe5CY
; 2ndVwzK/PJN2PX/GGGsB4njHDxcf
; 12THGYQM+T4p4hDE85Bvz0tsy8Km
; /JjeTYE3qqpQzVI7dIWFrhiQNOJO
; wYKwntKUbWztmL2Y9xPx8WheO5+U
; SliVmNX7J/06af44801yUlsD1UCi
; xjg= )
;; validating fedoraproject.org/DS: starting
;; validating fedoraproject.org/DS: attempting positive response validation
;; fetch: org/DNSKEY
;; received packet from 127.0.0.53#53
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32311
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;org. IN DNSKEY
;; validating fedoraproject.org/DS: in fetch_callback_dnskey
;; validating fedoraproject.org/DS: fetch_callback_dnskey: got SERVFAIL
;; broken trust chain resolving 'fedoraproject.org/DS/IN': 127.0.0.53#53
;; validating fedoraproject.org/DNSKEY: in fetch_callback_ds
;; validating fedoraproject.org/DNSKEY: fetch_callback_ds: got broken trust chain
;; broken trust chain resolving 'fedoraproject.org/DNSKEY/IN': 127.0.0.53#53
;; validating apps.fedoraproject.org/CNAME: in fetch_callback_dnskey
;; validating apps.fedoraproject.org/CNAME: fetch_callback_dnskey: got broken trust chain
;; broken trust chain resolving 'apps.fedoraproject.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain
$ resolvectl flush-caches
$ delv @192.168.2.1 apps.fedoraproject.org
; fully validated
apps.fedoraproject.org. 151 IN CNAME wildcard.fedoraproject.org.
apps.fedoraproject.org. 151 IN RRSIG CNAME 14 3 300 20221120193220 20221021193220 60624 fedoraproject.org. YdRQi4ztP+2/1neyIAXgSwlMMZmhOFS5Wm3C6PamLyo+c+h5RnOSt/IT NeVGT0CZGSQhW0CnDGhmBAzjkgBN7Nd8o7C1ZaHSsWy+M+EOqgSxzo0e uC1pUYARoKHlD60A
wildcard.fedoraproject.org. 60 IN A 152.19.134.142
wildcard.fedoraproject.org. 60 IN A 152.19.134.198
wildcard.fedoraproject.org. 60 IN A 209.132.190.2
wildcard.fedoraproject.org. 60 IN A 8.43.85.67
wildcard.fedoraproject.org. 60 IN A 8.43.85.73
wildcard.fedoraproject.org. 60 IN A 38.145.60.20
wildcard.fedoraproject.org. 60 IN A 38.145.60.21
wildcard.fedoraproject.org. 60 IN A 67.219.144.68
wildcard.fedoraproject.org. 60 IN A 140.211.169.196
wildcard.fedoraproject.org. 60 IN RRSIG A 14 3 60 20221120193220 20221021193220 60624 fedoraproject.org. 87mhYrfRA9Pt7nSyB6BBD1uSRbPLIpOQyY/IVEoEIiIDYJFcEnZrXBuw DSZZJbOzVxmiPQxH1FFusRk8+HmSF8p0K/IsDCaK53Yzjezcr4rTU8HR wsl4urgYqoyqdJgs
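Added example, not part of the original report and not systemd or BIND code: a Python helper that reads `delv +mtrace +vtrace` output like the trace above and reports, per response packet, the rcode, header flags and EDNS DO bit, so the first broken link in the trust chain (here `org/DNSKEY`, answered SERVFAIL with neither `ad` nor `do` set) stands out. The function names `parse_responses` and `first_failure` are hypothetical, and the sample is a trimmed excerpt of the trace in this report.

```python
import re

# Constructed sample: header lines from the trace in this report, record data omitted.
SAMPLE_TRACE = """\
;; fetch: fedoraproject.org/DS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61908
;; flags: qr rd ra ad; QUESTION: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;fedoraproject.org. IN DS
;; fetch: org/DNSKEY
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32311
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;org. IN DNSKEY
"""

HEADER = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+),")
FLAGS = re.compile(r"^;; flags: ([a-z ]*);")
EDNS = re.compile(r"^; EDNS: version: \d+, flags:([a-z ]*);")
QUESTION = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$")

def parse_responses(trace):
    """Return one dict per response packet seen in the trace, in order."""
    packets, want_question = [], False
    for line in trace.splitlines():
        if m := HEADER.match(line):
            packets.append({"status": m[1], "flags": [], "do": False, "question": None})
        elif not packets:
            continue  # nothing to attach to before the first header line
        elif m := FLAGS.match(line):
            packets[-1]["flags"] = m[1].split()
        elif m := EDNS.match(line):
            packets[-1]["do"] = "do" in m[1].split()
        elif line.startswith(";; QUESTION SECTION:"):
            want_question = True  # the question is on the next line
            continue
        elif want_question and (m := QUESTION.match(line)):
            packets[-1]["question"] = f"{m[1]}/{m[2]}"
        want_question = False
    return packets

def first_failure(trace):
    """First response whose rcode is not NOERROR, or None if all succeeded."""
    return next((p for p in parse_responses(trace) if p["status"] != "NOERROR"), None)

if __name__ == "__main__":
    print(first_failure(SAMPLE_TRACE))
```
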