[dns-operations] diagnosis help: keys.openpgp.org, systemd-resolved, DVE-2018-0001
dnsop+phil at spodhuis.org
Mon Jul 13 19:28:46 UTC 2020
This appears to be "systemd-resolved in default config talking to Google
Domains with DNSSEC asking for a non-existent SRV record", and my
thoughts of "if it were this broken, people would be screaming louder
already, so I must be missing something", so I'm going to walk step by
step through the chain.

On my production systems, I use unbound not systemd-resolved;
unbound-anchor on Linux is too buggy to use so I'm stuck with
systemd-resolved on my laptop.

Normally I keep /etc/systemd/resolved.conf saying "DNSSEC=yes" but if
I've been travelling outside my home, I revert it back to its _default_
of "DNSSEC=allow-downgrade". (Thank you, cellular networks and 464XLAT

With GnuPG trying to talk to keys.openpgp.org I was getting generic
error messages from GnuPG; turning dirmngr logs way up, I could get:

  DBG: dns: getsrv(_pgpkey-http._tcp.keys.openpgp.org): Server indicated a failure

With systemd-resolved on its default of allow-downgrade, that matches
this in the resolver logs journal:

  Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
  DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature

An analysis of
(with advanced settings used to ask for SRV) shows no DNSSEC complaints.

Upstream from the systemd-resolved process are two current Unbound
servers (1.10.1) and third in the list is also a Knot resolver (5.1.1).

The DNS authoritative servers for openpgp.org are delegating
`keys.openpgp.org` to `ns-cloud-a1.googledomains.com.` and friends (a1

I'm not seeing any misbehavior from the authoritative servers at any
level, but I'm not seeing why the look for something legitimately
returning NXDOMAIN would need to trigger whatever's going on here and
I'm not following the logic at

Can someone please explain what I'm missing, or confirm that this really
is a bug and it's just that DNSSEC+SRV+systemd-resolved is still fairly
rare for most?
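
Added example, not part of the original post: a small triage script that groups systemd-resolved "DNSSEC validation failed" journal lines under the DVE-2018-0001 retry that preceded them, so the correlation described above can be checked across a longer journal. The sample input is constructed from the log lines quoted in the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the resolver journal lines quoted in the post above.
SAMPLE = """\
Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
DNSSEC validation failed for question _tcp.keys.openpgp.org IN DS: no-signature
DNSSEC validation failed for question _tcp.keys.openpgp.org IN SOA: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN DS: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SOA: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN SRV: no-signature
DNSSEC validation failed for question _pgpkey-http._tcp.keys.openpgp.org IN TXT: no-signature
"""

RETRY = re.compile(
    r"Server returned error (?P<rcode>\S+), mitigating potential DNS violation "
    r"(?P<dve>DVE-\d{4}-\d{4}), retrying transaction with reduced feature level "
    r"(?P<level>[\w+]+)")
FAILED = re.compile(
    r"DNSSEC validation failed for question (?P<name>\S+) IN (?P<rrtype>\S+): "
    r"(?P<reason>\S+)")

def triage(lines):
    """Group each validation failure under the downgrade retry that preceded it."""
    events, current = [], None
    for line in lines:
        retry = RETRY.search(line)
        if retry:
            current = {**retry.groupdict(), "failures": defaultdict(set)}
            events.append(current)
            continue
        failed = FAILED.search(line)
        if failed and current is not None:
            current["failures"][failed["name"]].add((failed["rrtype"], failed["reason"]))
    return events

def downgrade_suspects(events):
    """Names whose failures after a retry are all 'no-signature'."""
    return sorted({name for ev in events for name, items in ev["failures"].items()
                   if all(reason == "no-signature" for _, reason in items)})

if __name__ == "__main__":
    for ev in triage(SAMPLE.splitlines()):
        print(f"{ev['dve']}: {ev['rcode']} retried at feature level {ev['level']}")
        for name, items in sorted(ev["failures"].items()):
            print(f"  {name}: {', '.join(sorted(t for t, _ in items))}")
    print("suspects:", downgrade_suspects(triage(SAMPLE.splitlines())))
```
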