Disable DNSSEC by default
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
systemd (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Zesty |
Fix Released
|
High
|
Unassigned |
Bug Description
[Impact]
* dnssec functionality in systemd-resolved prevents network access in certain intra and extra net cases, due to failure to correctly validate dnssec entries. As a work-around we should disable dnssec by default.
[Test Case]
* Validate systemd-resolved is compiled with --with-
* Validate that systemd-resolve --status says that DNSSEC setting is no
$ systemd-resolve --status
good output:
...
DNSSEC setting: no
DNSSEC supported: no
...
bad output:
...
DNSSEC setting: allow-downgrade
DNSSEC supported: yes
...
[Regression Potential]
* People who expect DNSSEC to be available by default will need to re-enable it by modifying systemd-resolve configuration file
[Other Info]
* See duplicate bugs and other bug reports in systemd for scenarios of DNS resolution failures when DNSSEC is enabled.
Changed in systemd (Ubuntu Zesty): | |
milestone: | none → zesty-updates |
Changed in systemd (Ubuntu Zesty): | |
importance: | Undecided → High |
description: | updated |
description: | updated |
summary: |
- disable dnssec + Disable DNSSEC by default |
Changed in systemd (Ubuntu): | |
milestone: | zesty-updates → none |
Status changed to 'Confirmed' because the bug affects multiple users.