Hi
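I am experiencing an issue with DNSSEC. When it is enabled, I am unable to resolve certain domain names. However, when I query the upstream server directly with `dig @9.9.9.9`, the DNSSEC resolution works correctly. Note that the direct query goes to 9.9.9.9 over plain UDP and bypasses the local systemd-resolved stub at 127.0.0.53, and its reply carries no `ad` flag, so it shows that the name resolves upstream but not that the answer was DNSSEC-validated; repeating it with `+dnssec` would show whether any signatures are returned.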
# See resolved.conf(5) for details
[Resolve]
# Global upstream resolver; with the routing domain below, all lookups go here.
DNS=9.9.9.9
# Per resolved.conf(5), fallback servers are only used when no other DNS server
# is known. Since DNS= is set above, these are presumably never consulted.
FallbackDNS=8.8.8.8 1.1.1.1
# "~." is a routing-only domain: it directs queries for every name to the
# servers listed in DNS= rather than to any per-link DNS servers.
Domains=~.
#LLMNR=no
#MulticastDNS=no
# Strict local validation: a response that fails DNSSEC validation is reported
# to clients as a lookup failure; there is no downgrade to unvalidated answers
# (that behaviour is what DNSSEC=allow-downgrade provides).
DNSSEC=yes
# Strict DNS-over-TLS: queries to the upstream are sent over TLS only, so the
# configured server must support it; there is no fallback to plaintext DNS.
DNSOverTLS=yes
#Cache=no-negative
#DNSStubListener=yes
# Consult /etc/hosts before sending a query to the DNS servers.
ReadEtcHosts=yes
root@hcp:~# dig messaging-microsoft-com.mail.protection.outlook.com
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> messaging-microsoft-com.mail.protection.outlook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;messaging-microsoft-com.mail.protection.outlook.com. IN A
;; Query time: 4068 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Dec 23 15:51:51 EET 2024
;; MSG SIZE rcvd: 80
root@hcp:~#
root@hcp:~#
root@hcp:~#
root@hcp:~#
root@hcp:~# dig messaging-microsoft-com.mail.protection.outlook.com @9.9.9.9
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> messaging-microsoft-com.mail.protection.outlook.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51210
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;messaging-microsoft-com.mail.protection.outlook.com. IN A
;; ANSWER SECTION:
messaging-microsoft-com.mail.protection.outlook.com. 10 IN A 52.101.41.21
messaging-microsoft-com.mail.protection.outlook.com. 10 IN A 52.101.42.4
messaging-microsoft-com.mail.protection.outlook.com. 10 IN A 52.101.42.9
messaging-microsoft-com.mail.protection.outlook.com. 10 IN A 52.101.11.17
;; Query time: 128 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Mon Dec 23 15:52:06 EET 2024
;; MSG SIZE rcvd: 144
root@hcp:~#
root@hcp:~#
root@hcp:~# journalctl -xe | grep systemd-resolved
Dec 23 15:40:51 hcp.myserver.com sudo[41426]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl -u systemd-resolved --since today
Dec 23 15:41:22 hcp.myserver.com sudo[41512]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl -u systemd-resolved --since today
Dec 23 15:49:15 hcp.myserver.com sudo[42289]: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart systemd-resolved
-- Subject: A stop job for unit systemd-resolved.service has begun execution
-- A stop job for unit systemd-resolved.service has begun execution.
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[16559]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:49:15 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
-- The unit systemd-resolved.service has successfully entered the 'dead' state.
-- Subject: A stop job for unit systemd-resolved.service has finished
-- A stop job for unit systemd-resolved.service has finished.
-- Subject: A start job for unit systemd-resolved.service has begun execution
-- A start job for unit systemd-resolved.service has begun execution.
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Positive Trust Anchors:
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Using system hostname 'hcp.myserver.com'.
-- Subject: A start job for unit systemd-resolved.service has finished successfully
-- A start job for unit systemd-resolved.service has finished successfully.
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42295]: Flushed all caches.
Dec 23 15:50:36 hcp.myserver.com sudo[42707]: root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart systemd-resolved
-- Subject: A stop job for unit systemd-resolved.service has begun execution
-- A stop job for unit systemd-resolved.service has begun execution.
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42295]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:50:36 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
-- The unit systemd-resolved.service has successfully entered the 'dead' state.
-- Subject: A stop job for unit systemd-resolved.service has finished
-- A stop job for unit systemd-resolved.service has finished.
-- Subject: A start job for unit systemd-resolved.service has begun execution
-- A start job for unit systemd-resolved.service has begun execution.
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Positive Trust Anchors:
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-addr.arpa 30.172.in-addr.arpa 31.172.in-addr.arpa 168.192.in-addr.arpa d.f.ip6.arpa corp home internal intranet lan local private test
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Using system hostname 'hcp.myserver.com'.
-- Subject: A start job for unit systemd-resolved.service has finished successfully
-- A start job for unit systemd-resolved.service has finished successfully.
Dec 23 15:50:56 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN SOA: failed-auxiliary
-- Documentation: man:systemd-resolved.service(8)
Dec 23 15:50:56 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN A: failed-auxiliary
-- Documentation: man:systemd-resolved.service(8)
Dec 23 15:51:51 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN SOA: failed-auxiliary
-- Documentation: man:systemd-resolved.service(8)
Dec 23 15:51:51 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN A: failed-auxiliary
-- Documentation: man:systemd-resolved.service(8)
root@hcp:~#
root@hcp:~#
root@hcp:~#
root@hcp:~#
root@hcp:~# journalctl -u systemd-resolved --since "1 hour ago"
-- Logs begin at Sun 2024-09-22 00:00:02 EEST, end at Mon 2024-12-23 16:01:01 EET. --
Dec 23 15:49:15 hcp.myserver.com systemd[1]: Stopping Network Name Resolution...
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[16559]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:49:15 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
Dec 23 15:49:15 hcp.myserver.com systemd[1]: Stopped Network Name Resolution.
Dec 23 15:49:15 hcp.myserver.com systemd[1]: Starting Network Name Resolution...
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Positive Trust Anchors:
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-a>
Dec 23 15:49:15 hcp.myserver.com systemd-resolved[42295]: Using system hostname 'hcp.myserver.com'.
Dec 23 15:49:15 hcp.myserver.com systemd[1]: Started Network Name Resolution.
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42295]: Flushed all caches.
Dec 23 15:50:36 hcp.myserver.com systemd[1]: Stopping Network Name Resolution...
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42295]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:50:36 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
Dec 23 15:50:36 hcp.myserver.com systemd[1]: Stopped Network Name Resolution.
Dec 23 15:50:36 hcp.myserver.com systemd[1]: Starting Network Name Resolution...
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Positive Trust Anchors:
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-a>
Dec 23 15:50:36 hcp.myserver.com systemd-resolved[42712]: Using system hostname 'hcp.myserver.com'.
Dec 23 15:50:36 hcp.myserver.com systemd[1]: Started Network Name Resolution.
Dec 23 15:50:56 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN SOA: failed-auxiliary
Dec 23 15:50:56 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN A: failed-auxiliary
Dec 23 15:51:51 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN SOA: failed-auxiliary
Dec 23 15:51:51 hcp.myserver.com systemd-resolved[42712]: DNSSEC validation failed for question messaging-microsoft-com.mail.protection.outlook.com IN A: failed-auxiliary
Dec 23 15:53:42 hcp.myserver.com systemd[1]: Stopping Network Name Resolution...
Dec 23 15:53:42 hcp.myserver.com systemd-resolved[42712]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:53:42 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
Dec 23 15:53:42 hcp.myserver.com systemd[1]: Stopped Network Name Resolution.
Dec 23 15:53:42 hcp.myserver.com systemd[1]: Starting Network Name Resolution...
Dec 23 15:53:42 hcp.myserver.com systemd-resolved[42919]: Positive Trust Anchors:
Dec 23 15:53:42 hcp.myserver.com systemd-resolved[42919]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:53:42 hcp.myserver.com systemd-resolved[42919]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-a>
Dec 23 15:53:42 hcp.myserver.com systemd-resolved[42919]: Using system hostname 'hcp.myserver.com'.
Dec 23 15:53:42 hcp.myserver.com systemd[1]: Started Network Name Resolution.
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42919]: Flushed all caches.
Dec 23 15:54:03 hcp.myserver.com systemd[1]: Stopping Network Name Resolution...
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42919]: Failed to emit notification about changed property CurrentDNSServer: Transport endpoint is not connected
Dec 23 15:54:03 hcp.myserver.com systemd[1]: systemd-resolved.service: Succeeded.
Dec 23 15:54:03 hcp.myserver.com systemd[1]: Stopped Network Name Resolution.
Dec 23 15:54:03 hcp.myserver.com systemd[1]: Starting Network Name Resolution...
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42982]: Positive Trust Anchors:
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42982]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42982]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.arpa 23.172.in-addr.arpa 24.172.in-addr.arpa 25.172.in-addr.arpa 26.172.in-addr.arpa 27.172.in-addr.arpa 28.172.in-addr.arpa 29.172.in-a>
Dec 23 15:54:03 hcp.myserver.com systemd-resolved[42982]: Using system hostname 'hcp.myserver.com'.
Dec 23 15:54:03 hcp.myserver.com systemd[1]: Started Network Name Resolution.
lines 1-47/47 (END)