
I want to see the content of records using dig but any RR related to DNSSEC comes up empty. This happens on two laptops of mine. I'm running Ubuntu 18.04. Is there any setting I can fix to stop getting SERVFAILs? Records like DS and RRSIGs are supposed to be public so they should be available. I'm just unable to parse them.

user@pc:~$ dig +dnssec DNSKEY com

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> +dnssec DNSKEY com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27473
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
; OPT=5: 05 07 08 0a 0d 0e 0f (".......")
; OPT=6: 01 02 04 ("...")
; OPT=7: 01 (".")
;; QUESTION SECTION:
;com.               IN  DNSKEY

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Feb 24 13:23:52 CET 2021
;; MSG SIZE  rcvd: 55

Content of my resolved.conf file

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# Entries in this file show the compile time defaults.
# You can change settings by editing this file.
# Defaults can be restored by simply deleting this file.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#Cache=yes
#DNSStubListener=yes

The only working DNS Resolver on any interface I have.

Link 3 (wlp3s0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.178.1
                      fd00::2e3a:fdff:fe4c:3530
          DNS Domain: ~.
                      fritz.box
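A small probe, added here as an example and not code from the question or its commenters, that sends the same `DNSKEY com` query with the EDNS0 DO bit set and reports the RCODE, answer count and whether the reply carries an OPT record with DO. Running it against the systemd stub at 127.0.0.53 and against the router at 192.168.178.1 shows directly which hop turns the query into SERVFAIL; the server addresses come from the question, and the sample messages are constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
DNSKEY, OPT = 48, 41

def build_query(name="com", qtype=DNSKEY, qid=0x1234, do=True):
    """Build a wire-format DNS query with an EDNS0 OPT RR; the DO bit is set when do=True."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, "class" = UDP payload size, "TTL" = ext-rcode/version/flags, no rdata
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, 0x8000 if do else 0, 0)
    return header + question + opt

def _skip_name(msg, off):  # advance past a (possibly compressed) domain name at msg[off]
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode name, answer count, DO bit present in the OPT RR) from a raw DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x0F, "RCODE%d" % (flags & 0x0F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # qtype + qclass
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == OPT:
            do = bool(ttl & 0x8000)  # DO is the top bit of the OPT flags, carried in the TTL field
        off += 10 + rdlen
    return rcode, an, do

def probe(server, name="com", qtype=DNSKEY, timeout=3.0):
    """Send the query over UDP to `server` and return parse_response() of the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(reply)
```

Compare `probe("127.0.0.53")` with `probe("192.168.178.1")`: a `("SERVFAIL", 0, True)` from the stub next to a `("NOERROR", n, True)` from the router localises the failure to the stub resolver rather than to the zone or the network.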
  • What is `127.0.0.53` and how is it configured? – Håkan Lindqvist Feb 24 '21 at 12:44
  • 1
    (Implied: the problem appears to be with `127.0.0.53`) – Håkan Lindqvist Feb 24 '21 at 12:44
  • 127.0.0.53 is typically systemd-resolved which can do some nifty stuff AND break your resolving in interesting ways. For example, do you have a setting such as `DNSSEC=false` in your `/etc/systemd/resolved.conf`? – Bob Feb 24 '21 at 12:52
  • @HermanB that file is empty for me, I copied the content on my post above. As for 127.0.0.53, I don't know how it is configured. This is the out-of-the-box setup. I haven't changed anything systemd related since installation. – Mnemosyne Feb 24 '21 at 13:01
  • @HåkanLindqvist I didn't set up that address so I don't know what to tell you. That's the default server out of the box. – Mnemosyne Feb 24 '21 at 13:05
  • Assuming that `127.0.0.53` is systemd-resolved, what does `resolvectl status` (alternatively `systemd-resolve --status` if this is an older version) say? Do the nameservers it forwards to work properly themselves? – Håkan Lindqvist Feb 24 '21 at 14:22
  • @HåkanLindqvist There is only one working DNS resolver, 192.168.178.1 (my router). I tested it and it works alright, I get the RRs and their signatures. Same as when I force dig to go through 8.8.8.8. However the same command doesn't work if I let it run over the systemd IP 127.0.0.53. How do I change that IP or alternatively make it behave like the 192 one? – Mnemosyne Feb 24 '21 at 14:30
  • @Mnemosyne To be clear, is `192.168.178.1` what the status output specifies? Or what is it using? – Håkan Lindqvist Feb 24 '21 at 14:33
  • @HåkanLindqvist It is the only working DNS resolver that I have on any interface. I copied the interface details above. – Mnemosyne Feb 24 '21 at 15:30
