
systemd-resolved-20180811's Introduction

What happened?

This is a collection of logs from my attempt to run dig @127.0.0.53 slave.www.nosec.makotom.net +dnssec using systemd-resolved (in systemd 239) with DNSSEC=yes as a global option. Although I expect 192.0.2.2 as a response, I actually get SERVFAIL.

Note that I have the following zones and records with DNSSEC disabled:

Zone nosec.makotom.net:

  • nosec.makotom.net -> SOA ns1.he.net
  • www.nosec.makotom.net -> CNAME master.www.nosec.makotom.net
  • master.www.nosec.makotom.net -> NS ns1.he.net (+ other slave name servers)
  • slave.www.nosec.makotom.net -> NS ns1.he.net (+ other slave name servers)

Zone master.www.nosec.makotom.net:

  • master.www.nosec.makotom.net -> SOA ns1.he.net
  • master.www.nosec.makotom.net -> A 192.0.2.1

Zone slave.www.nosec.makotom.net:

  • slave.www.nosec.makotom.net -> SOA ns1.he.net
  • slave.www.nosec.makotom.net -> A 192.0.2.2

From these logs, we can see that validation of master.www.nosec.makotom.net is required for validation of www.nosec.makotom.net IN SOA. This is obviously redundant and broken, because master.www.nosec.makotom.net is apparently a child (i.e. a sub-zone or a simple record name) of the zone for www.nosec.makotom.net, and it should not affect processes for its parents - i.e. the validation of www.nosec.makotom.net IN SOA.

I also understand that 1) the recursive name server adds master.www.nosec.makotom.net IN SOA to a response for www.nosec.makotom.net IN SOA (which happens with my private BIND recursive server as well), and that 2) the resolver seems to get confused as a result. I also confirmed that this does not happen with systemd 232, but does with 239.
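The parent/child relationship argued above can be checked mechanically. This added example (not part of the original README and not systemd-resolved code) models only the zones and records listed on this page and computes, for a name, the listed zone apexes at or above it; all function names are hypothetical.

```python
# Added example: a model of the zone layout listed on this page (not systemd-resolved code).
# Zone apexes are the names that carry an SOA record in the listing.
ZONE_APEXES = [
    "nosec.makotom.net",
    "master.www.nosec.makotom.net",
    "slave.www.nosec.makotom.net",
]
# Alias and address records from the listing, keyed by (owner name, type).
RECORDS = {
    ("www.nosec.makotom.net", "CNAME"): "master.www.nosec.makotom.net",
    ("master.www.nosec.makotom.net", "A"): "192.0.2.1",
    ("slave.www.nosec.makotom.net", "A"): "192.0.2.2",
}

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_at_or_below(name, apex):
    """True if name equals apex or is a descendant of it (label-wise, not substring)."""
    n, a = labels(name), labels(apex)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def delegation_path(name):
    """Listed zone apexes at or above name, closest enclosing zone first."""
    hits = [z for z in ZONE_APEXES if is_at_or_below(name, z)]
    return sorted(hits, key=lambda z: len(labels(z)), reverse=True)

def enclosing_zone(name):
    """Closest enclosing zone of name among the listed zones, or None."""
    path = delegation_path(name)
    return path[0] if path else None

def resolve_a(name, max_hops=8):
    """Follow CNAMEs in the model until an A record is found; None if absent or looping."""
    name = ".".join(labels(name))
    for _ in range(max_hops):
        if (name, "A") in RECORDS:
            return RECORDS[(name, "A")]
        name = RECORDS.get((name, "CNAME"))
        if name is None:
            return None
    return None

if __name__ == "__main__":
    for q in ("www.nosec.makotom.net", "slave.www.nosec.makotom.net"):
        print(q, "zone:", enclosing_zone(q), "path:", delegation_path(q), "A:", resolve_a(q))
```

In this model, master.www.nosec.makotom.net never appears on the delegation path of www.nosec.makotom.net; it is reachable from that name only through the CNAME.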

Impact of this issue

Due to this issue, you may fail to open the per-region AWS control panels (*.console.aws.amazon.com), because console.aws.amazon.com IN SOA fails by the same logic.
