[dns-operations] DNSSEC disabling on systemd/Ubuntu required?

Pieter Lexis pieter.lexis at powerdns.com
Fri Apr 21 13:39:06 UTC 2017

Hi Stephane,

On Fri, 21 Apr 2017 15:13:31 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

> I have no information about this bug, and the suggested
> workaround. Anyone can share details?
> https://twitter.com/machms/status/855134897102622725
> Internet doesn't work anymore after upgrading #ubuntu to 17.04 #zesty version? Add
> 'DNSSEC=off' to /etc/systemd/resolved.conf and reboot.

This might be because of the upstream resolver (from e.g. the ISP) choking on +DO queries (by e.g. NOT responding or sending SERVFAIL). Systemd-resolved[0] has "allow-downgrade" as an option for the DNSSEC setting[1]. I have a feeling DNSSEC is set to "yes" in Ubuntu 17.04.

0 - https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
1 - https://www.freedesktop.org/software/systemd/man/resolved.conf.html#DNSSEC=

Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com
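
The two upstream failure modes named in the message above (no response to a +DO query, or SERVFAIL) can be told apart mechanically. The following is an added example, not part of the original message or of systemd: it builds a query with the EDNS0 DO bit set and classifies a reply. The function names and the sample SERVFAIL bytes are constructed for illustration, and sending the query to a resolver is left to the caller.

```python
import struct

DO_FLAG = 0x8000   # EDNS0 "DNSSEC OK" bit (RFC 3225) in the OPT record's flags field
TYPE_OPT, TYPE_RRSIG, SERVFAIL = 41, 46, 2

def build_do_query(name, qtype=1, txid=0x1234, bufsize=1232):
    """DNS query for `name` with an OPT record whose DO bit is set (a +DO query)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)        # RD=1, 1 question, 1 additional
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, bufsize, DO_FLAG, 0)  # root, type, size, ttl, rdlen
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        off += n + 1

def record_types(msg):
    """List the RR types in the answer/authority/additional sections of a response."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QNAME, QTYPE, QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def classify(query, response):
    """Classify how an upstream handled a +DO query; response=None means it timed out."""
    if response is None:
        return "no-response"
    if len(response) < 12 or response[:2] != query[:2]:
        return "malformed"                        # too short, or transaction ID mismatch
    if struct.unpack("!H", response[2:4])[0] & 0x000F == SERVFAIL:
        return "servfail"
    # No RRSIG means an unsigned zone or an upstream that does not return signatures.
    return "signed-answer" if TYPE_RRSIG in record_types(response) else "no-signatures"

# Constructed sample: a SERVFAIL reply that echoes the question and nothing else.
QUERY = build_do_query("example.com")
SAMPLE_SERVFAIL = QUERY[:2] + struct.pack("!5H", 0x8182, 1, 0, 0, 0) + QUERY[12:-11]
```

Comparing the result for the same name queried with and without the OPT record shows whether the upstream fails only on +DO queries.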

