equaeghe l33t

Joined: 22 Feb 2005 Posts: 660
Posted: Wed Apr 16, 2025 8:26 am    Post subject: "DNSSEC validation failed ... : no-signature"
Hi,
For a couple of weeks(?) now, I have been having DNS problems. As far as I know, I didn't change anything apart from keeping my packages up-to-date. The problem is that, after a while on my home network, all DNS requests fail with the following messages in my logs (example for one domain; it happens for all domains):
Code:
DNSSEC validation failed for question res-1.cdn.office.net IN AAAA: no-signature
DNSSEC validation failed for question res-1.cdn.office.net IN A: no-signature
DNSSEC validation failed for question cdn.office.net IN DS: no-signature
DNSSEC validation failed for question office.net IN DS: no-signature
DNSSEC validation failed for question net IN DS: no-signature
Stopping and restarting the network interface fixes it for a while. How long it keeps working varies: mere seconds, minutes, or hours. It happens both on Wi-Fi and on a cabled connection.
I'm using systemd-resolved with the following config:
Code:
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
#Domains=
#DNSSEC=allow-downgrade
#DNSOverTLS=no
# mDNS currently (still) provided by avahi (packages use the zeroconf use flag)
MulticastDNS=no
# LLMNR is a deprecated Microsoft protocol (alternative to mDNS)
LLMNR=no
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
#StaleRetentionSec=0
It results in the following status:
Code:
resolvectl status
Global
            Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
     resolv.conf mode: stub
 Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google 1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google 2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google

Link 2 (enp2s0f0)
       Current Scopes: none
            Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 3 (enp5s0)
       Current Scopes: none
            Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 5 (wlan0)
       Current Scopes: none
            Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 6 (virbr0)
       Current Scopes: none
            Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 18 (tap0)
       Current Scopes: none
            Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported

Link 32 (enp7s0f3u1u1)
       Current Scopes: DNS
            Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
   Current DNS Server: 192.168.178.1
          DNS Servers: 192.168.178.1 fdfa:76e1:b4aa:0:de39:6fff:fe32:c1cb 2a0f:2980:100:201:de39:6fff:fe32:c1cb
           DNS Domain: fritz.box
As you can see, I use the DNS server of my VDSL modem/router (a FritzBox 7530). There, I've configured Quad9 (9.9.9.9, 149.112.112.112; 2620:fe::fe, 2620:fe::9; dns.quad9.net) with DNS over TLS (DoT) activated.
Any help to diagnose and fix this would be very much appreciated; the issue is very bothersome.
Thanks,
Erik
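The post above asks how to diagnose the "no-signature" failures. Below is an added diagnostic script; it is not part of the original post and not systemd-resolved's or the FritzBox's own tooling. In systemd-resolved, "no-signature" means the answer for a zone it expected to be signed arrived without RRSIG records, and the failure on `net IN DS` is the telling one: the net zone is signed, so a NOERROR answer for its DS without an RRSIG means something between the stub and Quad9 stripped the signatures (or did not forward the DO bit). The script classifies a `dig +dnssec` response as signed (with or without the AD flag), unsigned, or an error, and can query the router (192.168.178.1) and Quad9 (9.9.9.9) side by side. The three sample responses are constructed for offline use with placeholder DS/RRSIG data; `dig` from bind-tools and network access are assumed only for the `--live` mode.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): classify a `dig +dnssec`
# response by whether it carries RRSIG records and the AD flag. A DNSSEC-aware
# upstream answers "net DS" with RRSIGs; a forwarder that drops the DO bit or
# strips signatures answers without them, which systemd-resolved logs as
# "no-signature" under DNSSEC=allow-downgrade once it has decided the server
# supports DNSSEC.

# --- constructed sample responses (offline test data, placeholder RDATA) ---

# Shape of a `dig +dnssec net DS @9.9.9.9` answer from a validating resolver.
SIGNED_SAMPLE='; <<>> DiG 9.18 <<>> +dnssec net DS @9.9.9.9
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;net.                    IN  DS

;; ANSWER SECTION:
net.             86400   IN  DS     12345 8 2 PLACEHOLDERDIGEST
net.             86400   IN  RRSIG  DS 8 1 86400 20250501000000 20250416000000 11111 . PLACEHOLDERSIG'

# Same question through a forwarder that strips signatures (constructed).
UNSIGNED_SAMPLE='; <<>> DiG 9.18 <<>> +dnssec net DS @192.168.178.1
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;net.                    IN  DS

;; ANSWER SECTION:
net.             86400   IN  DS     12345 8 2 PLACEHOLDERDIGEST'

# An upstream that fails validation itself answers SERVFAIL (constructed).
SERVFAIL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dig_output RESPONSE_TEXT
# Prints one of: signed+ad, signed, unsigned, error:<RCODE>, error:no-response
classify_dig_output() {
    resp=$1
    # RCODE from the ";; ->>HEADER<<-" line; absent when dig got no reply.
    rcode=$(printf '%s\n' "$resp" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$rcode" ] || { echo 'error:no-response'; return 0; }
    [ "$rcode" = NOERROR ] || { echo "error:$rcode"; return 0; }
    # Any non-comment record line carrying RRSIG means signatures survived,
    # whether in the answer section or as a signed negative proof in authority.
    if printf '%s\n' "$resp" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        # AD set means the upstream validated the chain itself.
        if printf '%s\n' "$resp" | grep -Eq '^;; flags:.*[[:space:]]ad[;[:space:]]'; then
            echo 'signed+ad'
        else
            echo 'signed'
        fi
    else
        echo 'unsigned'
    fi
}

# check_server SERVER NAME [TYPE]: live query (needs dig from bind-tools).
check_server() {
    out=$(dig +dnssec +time=3 +tries=1 "@$1" "$2" "${3:-DS}" 2>/dev/null) || out=''
    printf '%-16s %-12s %s -> %s\n' "$1" "$2" "${3:-DS}" "$(classify_dig_output "$out")"
}

# With --live, ask the router and Quad9 (addresses from the post) for the DS
# of the two zones from the log that sit under a signed parent: "net" (a signed
# zone) and "office.net" (whose DS-or-NSEC answer comes from the signed net
# zone). Both should classify as signed from a DO-honouring upstream.
if [ "${1:-}" = '--live' ]; then
    for srv in 192.168.178.1 9.9.9.9; do
        for zone in net office.net; do
            check_server "$srv" "$zone" DS
        done
    done
fi
```

Run it as `sh dnssec-check.sh --live` (the file name is arbitrary) and compare the two columns. If Quad9 reports `signed+ad` while the router reports `unsigned` or `error:no-response`, the router is what systemd-resolved sees as "Current DNS Server" and is the hop that loses the signatures; repeating the run a few minutes apart will show whether that behaviour is intermittent in the same way the post describes. The DS of `net` is the cleanest probe because no legitimate NOERROR answer for it lacks an RRSIG.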