
resolved queries without DO set and then dies with DNSSEC validation failed: no-signature #36681

@ukleinek


systemd version the issue has been seen with

267.2-1

Used distribution

Debian testing/unstable

Linux kernel version used

6.12.6-amd64

CPU architectures issue was seen on

x86_64

Component

systemd-resolved

Expected behaviour you didn't see

algol.kleine-koenig.org: fdb0:5279:7365::1     -- link: kk3vpn
                         192.168.128.1         -- link: kk3vpn

-- Information acquired via protocol DNS in 32.5ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network

Unexpected behaviour you saw

algol.kleine-koenig.org: resolve call failed: DNSSEC validation failed: no-signature

Steps to reproduce the problem

It's not reliably reproducible for me. It tends to happen after a suspend/resume cycle. If it happens it persists until resolved is restarted.

Link 3 (kk3vpn)
    Current Scopes: DNS
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: fdb0:5279:7365:350::1
       DNS Servers: fdb0:5279:7365:350::1
        DNS Domain: kleine-koenig.org
     Default Route: no

I wiresharked DNS traffic and in the failing case, the queries sent to fdb0:5279:7365:350::1 don't have the DO flag set, so it's not a big surprise that the DNS server doesn't include DNSSEC RR info in the reply. If helpful I can provide a wireshark dump with the requests and replies in the broken case.

Additional program output to the terminal or log subsystem illustrating the issue

Mar 07 06:38:21 taurus systemd-resolved[1648312]: Got message type=method_call sender=:1.6635 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname  cookie=2 reply_cookie=0 signature=isit error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: idn2_lookup_u8: algol.kleine-koenig.org → algol.kleine-koenig.org
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionCredentials cookie=1279 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.5491 path=n/a interface=n/a member=n/a  cookie=279 reply_cookie=1279 signature=a{sv} error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: D-Bus hostname resolution request from client PID 3085236 (resolvectl) with UID 1000
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Looking up RR for algol.kleine-koenig.org IN A.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Looking up RR for algol.kleine-koenig.org IN AAAA.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=1280 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=1281 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.5491 path=n/a interface=n/a member=n/a  cookie=281 reply_cookie=1281 signature=s error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Cache miss for algol.kleine-koenig.org IN A
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Firing regular transaction 30370 for <algol.kleine-koenig.org IN A> scope dns on kk3vpn/* (validate=yes).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using feature level UDP for transaction 30370.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using DNS server fdb0:5279:7365:350::1 for transaction 30370.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Closing graveyard socket fd 16
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Emitting UDP, link MTU is 1420, socket MTU is 0, minimal MTU is 60
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sending query packet with id 30370 of size 41.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Cache miss for algol.kleine-koenig.org IN AAAA
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Firing regular transaction 58172 for <algol.kleine-koenig.org IN AAAA> scope dns on kk3vpn/* (validate=yes).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using feature level UDP for transaction 58172.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using DNS server fdb0:5279:7365:350::1 for transaction 58172.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Emitting UDP, link MTU is 1420, socket MTU is 0, minimal MTU is 60
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sending query packet with id 58172 of size 41.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.5491 path=n/a interface=n/a member=n/a  cookie=280 reply_cookie=1280 signature=n/a error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Match type='signal',sender='org.freedesktop.DBus',path='/org/freedesktop/DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.6635' successfully installed.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Received dns UDP packet of size 57, ifindex=3, ttl=0, fragsize=0, sender=fdb0:5279:7365:350::1, destination=fdb0:5279:7365:350::b
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Processing incoming packet of size 57 on transaction 30370 (rcode=SUCCESS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting DS to validate transaction 30370 (algol.kleine-koenig.org, unsigned non-SOA/NS RRset <algol.kleine-koenig.org IN A 192.168.128.1>).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Cache miss for algol.kleine-koenig.org IN DS
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Firing regular transaction 10945 for <algol.kleine-koenig.org IN DS> scope dns on kk3vpn/* (validate=yes).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using feature level UDP for transaction 10945.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using DNS server fdb0:5279:7365:350::1 for transaction 10945.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Emitting UDP, link MTU is 1420, socket MTU is 0, minimal MTU is 60
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sending query packet with id 10945 of size 41.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Received dns UDP packet of size 69, ifindex=3, ttl=0, fragsize=0, sender=fdb0:5279:7365:350::1, destination=fdb0:5279:7365:350::b
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Processing incoming packet of size 69 on transaction 58172 (rcode=SUCCESS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting DS to validate transaction 58172 (algol.kleine-koenig.org, unsigned non-SOA/NS RRset <algol.kleine-koenig.org IN AAAA fdb0:5279:7365::1>).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Received dns UDP packet of size 92, ifindex=3, ttl=0, fragsize=0, sender=fdb0:5279:7365:350::1, destination=fdb0:5279:7365:350::b
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Processing incoming packet of size 92 on transaction 10945 (rcode=SUCCESS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting DS (→ kleine-koenig.org) to validate transaction 10945 (algol.kleine-koenig.org empty response).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Cache miss for kleine-koenig.org IN DS
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Firing regular transaction 43941 for <kleine-koenig.org IN DS> scope dns on kk3vpn/* (validate=yes).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using feature level UDP for transaction 43941.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using DNS server fdb0:5279:7365:350::1 for transaction 43941.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Emitting UDP, link MTU is 1420, socket MTU is 0, minimal MTU is 60
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sending query packet with id 43941 of size 35.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Received dns UDP packet of size 83, ifindex=3, ttl=0, fragsize=0, sender=fdb0:5279:7365:350::1, destination=fdb0:5279:7365:350::b
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Processing incoming packet of size 83 on transaction 43941 (rcode=SUCCESS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting parent DS to validate transaction 43941 (kleine-koenig.org, unsigned CNAME/DNAME/DS RRset).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Cache miss for org IN DS
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Firing regular transaction 42875 for <org IN DS> scope dns on kk3vpn/* (validate=yes).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using feature level UDP for transaction 42875.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Using DNS server fdb0:5279:7365:350::1 for transaction 42875.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Emitting UDP, link MTU is 1420, socket MTU is 0, minimal MTU is 60
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sending query packet with id 42875 of size 21.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Received dns UDP packet of size 69, ifindex=3, ttl=0, fragsize=0, sender=fdb0:5279:7365:350::1, destination=fdb0:5279:7365:350::b
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Processing incoming packet of size 69 on transaction 42875 (rcode=SUCCESS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting parent DS to validate transaction 42875 (org, unsigned CNAME/DNAME/DS RRset).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Requesting root zone SOA to probe dnssec support.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Positive cache hit for . IN SOA
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 7278 for <. IN SOA> on scope dns on kk3vpn/* now complete with <success> from cache (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Validating response from transaction 42875 (org IN DS).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Looking at org IN DS 26974 8 2 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Found verdict for lookup org IN DS: bogus
Mar 07 06:38:21 taurus systemd-resolved[1648312]: DNSSEC validation failed for question org IN DS: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 42875 for <org IN DS> on scope dns on kk3vpn/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Auxiliary DNSSEC RR query failed validation: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: DNSSEC validation failed for question kleine-koenig.org IN DS: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 43941 for <kleine-koenig.org IN DS> on scope dns on kk3vpn/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Auxiliary DNSSEC RR query failed validation: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: DNSSEC validation failed for question algol.kleine-koenig.org IN DS: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 10945 for <algol.kleine-koenig.org IN DS> on scope dns on kk3vpn/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Auxiliary DNSSEC RR query failed validation: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: DNSSEC validation failed for question algol.kleine-koenig.org IN A: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 30370 for <algol.kleine-koenig.org IN A> on scope dns on kk3vpn/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Auxiliary DNSSEC RR query failed validation: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: DNSSEC validation failed for question algol.kleine-koenig.org IN AAAA: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Regular transaction 58172 for <algol.kleine-koenig.org IN AAAA> on scope dns on kk3vpn/* now complete with <dnssec-failed> from network (unsigned; non-confidential).
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 30370.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sent message type=error sender=n/a destination=:1.6635 path=n/a interface=n/a member=n/a cookie=1282 reply_cookie=2 signature=s error-name=org.freedesktop.resolve1.DnssecFailed error-message=DNSSEC validation failed: no-signature
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=1283 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 58172.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 10945.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 43941.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 42875.
Mar 07 06:38:21 taurus systemd-resolved[1648312]: Freeing transaction 7278.
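
An added example, not part of the original report and not systemd code: the debug log already carries enough to cross-check the missing DO flag without a capture, because every logged "Sending query packet ... of size N" equals the size of a bare one-question query and leaves no room for the 11-byte EDNS0 OPT record that holds the DO bit. The sketch below rebuilds those queries and also classifies a raw DNS payload; `build_query`, `edns_do_state` and `size_implies_opt` are hypothetical helper names, and the 1232-byte UDP size in the constructed OPT record is an assumed value.

```python
import struct

DO_BIT = 0x8000   # RFC 3225: DO is the top flag bit in the low half of the OPT TTL
OPT_LEN = 11      # root name (1) + type, class, ttl, rdlength (10), empty RDATA

def build_query(name, qtype, do=None, txid=0):
    """Constructed query with one question; do=None omits the OPT record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0 if do is None else 1)
    msg += qname + struct.pack("!HH", qtype, 1)
    if do is not None:
        # OPT RR: root owner, TYPE=41, CLASS=UDP payload size (assumed 1232)
        msg += b"\0" + struct.pack("!HHIH", 41, 1232, DO_BIT if do else 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def edns_do_state(msg):
    """Classify a DNS message: 'no-opt', 'opt-do-clear' or 'opt-do-set'."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return "opt-do-set" if ttl & DO_BIT else "opt-do-clear"
        off += 10 + rdlen
    return "no-opt"

def size_implies_opt(name, qtype, logged_size):
    """True/False if the logged size fits a query with/without OPT, else None."""
    bare = len(build_query(name, qtype))
    return {bare: False, bare + OPT_LEN: True}.get(logged_size)

# (name, qtype, size) from the "Sending query packet ... of size N" log lines
LOGGED = [("algol.kleine-koenig.org", 1, 41), ("algol.kleine-koenig.org", 28, 41),
          ("algol.kleine-koenig.org", 43, 41), ("kleine-koenig.org", 43, 35),
          ("org", 43, 21)]

if __name__ == "__main__":
    for name, qtype, size in LOGGED:
        print(name, qtype, size, "OPT present:", size_implies_opt(name, qtype, size))
```

The size check cannot tell a cleared DO bit from a set one, only whether an OPT record fits at all; for that distinction, pass the UDP payload bytes of a captured query to `edns_do_state`.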


Labels: bug 🐛 (Programming errors, that need preferential fixing), resolve
