[Touch-packages] [Bug 2119652] Re: systemd-resolved-dnssec breaks name resolution on lxd domain

Lukas Märdian Tue, 26 Aug 2025 05:55:44 -0700

Forwarded to Multipass:
https://github.com/canonical/multipass/issues/4326


** Bug watch added: github.com/canonical/multipass/issues #4326
   https://github.com/canonical/multipass/issues/4326

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/2119652

Title:
  systemd-resolved-dnssec breaks name resolution on lxd domain

Status in lxd:
  New
Status in bind9 package in Ubuntu:
  Invalid
Status in dnsmasq package in Ubuntu:
  Triaged
Status in libvirt package in Ubuntu:
  New
Status in livecd-rootfs package in Ubuntu:
  New
Status in lxd package in Ubuntu:
  New
Status in strongswan package in Ubuntu:
  Fix Released
Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  By default, LXD containers will be configured with DNS pointing to the
  server listening on lxdbr0 on the host. The DHCP leases additionally
  configure the 'lxd' domain. LXD starts a dnsmasq server which is
  DNSSEC compatible, but by default is not actually configured for
  DNSSEC. This leads to DNSSEC validation errors as seen below:

  root@q1:~# apt policy systemd-resolved-dnssec
  systemd-resolved-dnssec:
    Installed: 257.7-1ubuntu3
    Candidate: 257.7-1ubuntu3
    Version table:
   *** 257.7-1ubuntu3 100
          100 http://archive.ubuntu.com/ubuntu questing-proposed/main amd64 
Packages
          100 /var/lib/dpkg/status
  root@q1:~# resolvectl 
  Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
    resolv.conf mode: stub

  Link 47 (eth0)
      Current Scopes: DNS
           Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS 
DNSSEC=allow-downgrade/supported
  Current DNS Server: 10.148.181.1
         DNS Servers: 10.148.181.1 fd42:f983:5882:c87f::1 
fe80::216:3eff:fed9:e3c1
          DNS Domain: lxd
       Default Route: yes
  root@q1:~# ping q2.lxd
  ping: q2.lxd: Temporary failure in name resolution
  root@q1:~# nslookup q2
  ;; Got SERVFAIL reply from 127.0.0.53
  Server:               127.0.0.53
  Address:      127.0.0.53#53

  ** server can't find q2.lxd: SERVFAIL

  root@q1:~# resolvectl dnssec eth0 no
  root@q1:~# nslookup q2
  Server:               127.0.0.53
  Address:      127.0.0.53#53

  Non-authoritative answer:
  Name: q2.lxd
  Address: 10.148.181.44
  Name: q2.lxd
  Address: fd42:f983:5882:c87f:216:3eff:fec5:c96c

  root@q1:~# ping -c 1 q2.lxd
  PING q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c) 56 data bytes
  64 bytes from q2.lxd (fd42:f983:5882:c87f:216:3eff:fec5:c96c): icmp_seq=1 
ttl=64 time=0.205 ms

  --- q2.lxd ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms

  root@q1:~# journalctl -b -u systemd-resolved.service --grep "DNSSEC 
validation failed"
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN A: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN DS: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN AAAA: no-signature
  Aug 06 14:15:33 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q1.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN DS: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN A: no-signature
  Aug 06 14:16:21 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd.lxd IN AAAA: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN DS: no-signature
  Aug 06 14:16:25 q1 systemd-resolved[1526]: [🡕] DNSSEC validation failed for 
question q2.lxd IN A: no-signature

  Again, since the dnsmasq server listening on lxdbr0 is DNSSEC
  *compatible*, the downgrade logic implied by DNSSEC=allow-downgrade
  does not kick in.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lxd/+bug/2119652/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 2119652] Re: systemd-resolved-dnssec breaks name resolution on lxd domain

Reply via email to