This is also causing strongswan vs systemd/257.7-1ubuntu3 autopkgtest failures in the host-to-host test [1]:

[ ... ]
Loading creds in container sun
871s loaded certificate from '/etc/swanctl/x509/sunCert.pem'
871s loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
871s loaded ED25519 key from '/etc/swanctl/private/sunKey.pem'
871s Loading connections in container sun
871s loaded connection 'sun-moon'
871s successfully loaded 1 connections, 0 unloaded
871s Generating traffic from moon to sun
871s ping: sun.lxd: Temporary failure in name resolution
871s Something failed, gathering debug info
[ ... ]

[1] https://autopkgtest.ubuntu.com/results/autopkgtest-questing/questing/amd64/s/strongswan/20250802_043325_5ea6b@/log.gz

** Also affects: strongswan (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

Status in strongswan package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  By default, LXD containers will be configured with DNS pointing to the
  server listening on lxdbr0 on the host. The DHCP leases additionally
  configure the 'lxd' domain. LXD starts a dnsmasq server which is DNSSEC
  compatible, but by default is not actually configured for DNSSEC.

  This leads to DNSSEC validation errors as seen below:

  root@q1:~# apt policy systemd-resolved-dnssec
  systemd-resolved-dnssec:
    Installed: 257.7-1ubuntu3
    Candidate: 257.7-1ubuntu3
    Version table:
   *** 257.7-1ubuntu3 100
          100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 Packages
          100 /var/lib/dpkg/status
  root@q1:~# resolvectl
  Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

  Link 47 (eth0)
      Current Scopes: DNS
           Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.148.181.1
         DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 fe80::216:3eff:fed9:e3c1
          DNS Domain: lxd
       Default Route: yes
  root@q1:~# ping q2.lxd
  ping: q2.lxd: Temporary failure in name resolution
  root@q1:~# nslookup q2
  ;; Got SERVFAIL reply from 127.0.0.53
  Server:         127.0.0.53
  Address:        127.0.0.53#53

  ** server can't find q2.lxd: SERVFAIL

  root@q1:~# resolvectl dnssec eth0 no
  root@q1:~# nslookup q2
  Server:         127.0.0.53
  Address:        127.0.0.53#53

  Non-authoritative answer:
  Name:   q2.lxd
  Address: 10.148.181.44
  Name:   q2.lxd
  Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c

  root@q1:~# ping -c 1 q2.lxd
  PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
  64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 ttl=64 time=0.205 ms

  --- q2.lxd ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
  root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC validation failed"
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q1.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [π‘] DNSSEC validation failed for question q2.lxd IN A: no-signature

  Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
  *compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
  does not kick in.
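
Added example (not part of the original bug report, and not systemd or LXD code): a small triage script for journal output like the one above. It groups "DNSSEC validation failed" messages by the DNS Domain configured on the link and flags domains whose only failure reason is no-signature, the pattern this report describes. The function names, the "(other)" bucket and the sample lines are assumptions made for illustration; the sample is constructed.

```python
import re
from collections import defaultdict

# Matches the systemd-resolved message text shown in the report; whatever
# precedes it on the line (timestamp, host, glyph) is ignored.
FAILURE = re.compile(
    r"DNSSEC validation failed for question (\S+) IN (\S+): (\S+)")

def parse_failures(lines):
    """Return (name, rrtype, reason) for every validation-failure line."""
    return [m.groups() for m in map(FAILURE.search, lines) if m]

def zone_of(name, link_domains):
    """Longest link domain that `name` equals or is a subdomain of."""
    labels = name.rstrip(".").lower().split(".")
    hits = []
    for domain in link_domains:
        suffix = domain.rstrip(".").lower().split(".")
        if labels[-len(suffix):] == suffix:
            hits.append(domain)
    return max(hits, key=len, default=None)

def triage(lines, link_domains):
    """Group failures per link domain. A domain that only ever fails with
    no-signature is flagged (heuristic): it looks like an unsigned zone
    behind a server that still answers as DNSSEC-capable, so the
    allow-downgrade fallback is never taken."""
    zones = defaultdict(lambda: {"names": set(), "reasons": set()})
    for name, _rrtype, reason in parse_failures(lines):
        zone = zone_of(name, link_domains) or "(other)"
        zones[zone]["names"].add(name)
        zones[zone]["reasons"].add(reason)
    return {zone: {"names": sorted(v["names"]),
                   "unsigned_zone_suspected": v["reasons"] == {"no-signature"}}
            for zone, v in zones.items()}

# Constructed sample modelled on the report's journal lines, plus one
# constructed failure of a different kind outside the link domain.
PREFIX = "Aug 06 14:16:21 q1 systemd-resolved[1526]: DNSSEC validation failed for question "
SAMPLE = [
    PREFIX + "lxd IN DS: no-signature",
    PREFIX + "q2.lxd IN A: no-signature",
    PREFIX + "q2.lxd.lxd IN AAAA: no-signature",
    "ping: q2.lxd: Temporary failure in name resolution",
    PREFIX + "example.org IN A: signature-expired",
]

if __name__ == "__main__":
    for zone, info in triage(SAMPLE, ["lxd"]).items():
        print(zone, info)
```

Pass the "DNS Domain" values from resolvectl as link_domains and the journalctl output as lines.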

