On Sat, Apr 04, 2020 at 10:41:31AM +0300, Fanis Dokianakis wrote: > I confirm that this bug exists after upgrading systemd. Systemd-resolved > *sometimes* does not downgrade and SERVERFAILS on all domains that do not > have a signature dns record.
That's not what "allow-downgrade" means. The downgrade happens when the configured DNS server does not support DNSSEC, not when some domain has an invalid signature. > The error with resolvectl query is > $ resolvectl query example.domain > example.domain: resolve call failed: DNSSEC validation failed: no-signature Please give an actual domain name that fails resolution. Not providing a reproducer just makes this harder for anyone trying to resolve this. Zbyszek
