[dns-operations] DNSSEC disabling on systemd/Ubuntu required?
Pieter Lexis
pieter.lexis at powerdns.com
Fri Apr 21 13:39:06 UTC 2017
Hi Stephane,
On Fri, 21 Apr 2017 15:13:31 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
> I have no information about this bug, and the suggested
> workaround. Anyone can share details?
>
> https://twitter.com/machms/status/855134897102622725
>
> Internet doesn't work anymore after upgrading #ubuntu to 17.04 #zesty version? Add
> 'DNSSEC=off' to /etc/systemd/resolved.conf and reboot.
This might be because of the upstream resolver (from e.g. the ISP) choking on +DO queries (by e.g. NOT reponding or sending SERVFAIL). Systemd-resolved[0] has an "allow-downgrade" as an option for the DNSSEC setting[1]. I have a feeling DNSSEC is set to "yes" in Ubuntu 17.04.
0 - https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
1 - https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSSEC=
--
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
More information about the dns-operations
mailing list