[dns-operations] which breakage is this? FreeBSD.org / systemd-resolved

Jeroen Massar jeroen at massar.ch
Fri Oct 30 10:24:45 UTC 2020

> On 20201030, at 02:21, Phil Pennock <dnsop+phil at spodhuis.org> wrote:
> On 2020-10-29 at 21:17 +0100, Jeroen Massar wrote:
>> I can only first suggest starting to use 'dig', as then it also shows you
>> which is the server that is answering you and it is using TCP or not, just
>> in case a random one is chosen from some config snippet.
> Yes, I used that, the host output was shorter to paste into an email.
> systemd-resolved is on as a host-local resolver, so the
> details of transport to it are pretty irrelevant: this is systemd
> rejecting answers which two other implementations of validating
> resolvers, on the local network, accept just fine.

If you are sure the answers come from there always, then indeed, it does not matter too much.
Though, your box still needs to talk to the network and the network might intercept things, lots of fun with AAAA records being just dropped by intermediate boxes, thus DNSSEC signatures can be even more fun.
(For that matter hilarious that they are introducing HTTPS records now... they will run into the same issue, but possibly many boxes have been swapped out since, or resolving just centralized by the big corporations)

With dig you can ask for +dnssec and see more details from there.

It looks like you might have to run a tcpdump in the background, fortunately most uses of DNS are not encrypted (at least for the debugging case).

But likely it is just a cornercase that systemd does not handle properly.

>> Note that upstream servers, NAT/firewall/router boxes can interfere with DNS
>> and cause weird/unknown results too.
> Thank you, but in this case the unbound/knot-resolver servers are the
> upstream/forwarding servers, the knot being on the router itself, which
> is a quite capable unit, not random cheap home junk.
> This is specifically systemd-resolved rejecting entries which other
> validating resolvers decide validates.
> Works with:
>  Unbound: "Version 1.12.0", OpenSSL 1.1.1h
>  "Knot Resolver, version 5.1.2"

Strace and otherwise turning up the debugging settings for resolved if it has any.
But likely you will just end up in systemd-fight land...

Simplicity (KISS) and debuggability is so overrated by all the many usecases that exist :(
But hey, keeps a lot of consultants in a job: write crap software earn lots of moneyz fixing the broken things...


More information about the dns-operations mailing list