Strange issues with systemd-resolved & Linode resolvers
I have set up systemd-resolved on my Linode running Debian 11 to use the Linode resolvers listed in the dashboard. However, I noticed I'm getting some strange messages in the system log that seem to indicate that at least some of those resolvers do not support DNSSEC:
systemd-resolved: Server 109.74.193.20 does not support DNSSEC, downgrading to non-DNSSEC mode.
systemd-resolved: Server 2a01:7e00::2 does not support DNSSEC, downgrading to non-DNSSEC mode.
systemd-resolved: Using degraded feature set TLS+EDNS0 instead of UDP+EDNS0+DO for DNS server 151.236.220.5.
systemd-resolved: Using degraded feature set TLS+EDNS0 instead of UDP+EDNS0+DO for DNS server 2a01:7e00::6.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 151.236.220.5.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 2a01:7e00::2.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 2a01:7e00::6.
systemd-resolved: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 151.236.220.5.
And so on. That seems strange to me. Shouldn't the resolvers support DNSSEC in this day and age? Or is this a systemd-resolved issue?
Also, while DNS over TLS is quite new and might reasonably be expected to not be supported quite yet, EDNS0 definitely should be supported by now, which makes me suspect that perhaps systemd-resolved is doing something buggy.
Since it is likely relevant:
$ systemd --version
systemd 247 (247.3-7)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified
1 Reply
Have you tried different resolvers that support DNSSEC? Linode does not, but 1.1.1.1 should.
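Added example, not part of the thread: a small Python parser for the two systemd-resolved message formats quoted in the question. It tallies, per server, whether DNSSEC was switched off and which feature set was negotiated last, so a downgrade below DO (the EDNS0 "DNSSEC OK" bit) or below EDNS0 stands out. The function names are illustrative, and the sample input is the log excerpt from the question.

```python
import re

# Log lines quoted in the question above.
SAMPLE_LOG = """\
systemd-resolved: Server 109.74.193.20 does not support DNSSEC, downgrading to non-DNSSEC mode.
systemd-resolved: Server 2a01:7e00::2 does not support DNSSEC, downgrading to non-DNSSEC mode.
systemd-resolved: Using degraded feature set TLS+EDNS0 instead of UDP+EDNS0+DO for DNS server 151.236.220.5.
systemd-resolved: Using degraded feature set TLS+EDNS0 instead of UDP+EDNS0+DO for DNS server 2a01:7e00::6.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 151.236.220.5.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 2a01:7e00::2.
systemd-resolved: Using degraded feature set UDP+EDNS0 instead of TLS+EDNS0 for DNS server 2a01:7e00::6.
systemd-resolved: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 151.236.220.5.
"""

NO_DNSSEC = re.compile(r"Server (\S+) does not support DNSSEC, downgrading")
DEGRADED = re.compile(
    r"Using degraded feature set (\S+) instead of (\S+) for DNS server (\S+?)\.?$")


def _entry(servers, name):
    return servers.setdefault(
        name, {"dnssec_off": False, "steps": [], "current": None})


def summarize(lines):
    """Map each server to its DNSSEC flag, downgrade steps and last feature set."""
    servers = {}
    for line in lines:
        line = line.strip()
        if m := NO_DNSSEC.search(line):
            _entry(servers, m.group(1))["dnssec_off"] = True
        elif m := DEGRADED.search(line):
            new, old, server = m.groups()
            entry = _entry(servers, server)
            entry["steps"].append((old, new))
            entry["current"] = new
    return servers


def lacking(servers, feature):
    """Servers whose last negotiated feature set does not include `feature`."""
    return sorted(name for name, e in servers.items()
                  if e["current"] and feature not in e["current"].split("+"))


def dnssec_lost(servers):
    """Servers marked non-DNSSEC, or no longer queried with the DO bit."""
    flagged = {n for n, e in servers.items() if e["dnssec_off"]}
    return sorted(flagged | set(lacking(servers, "DO")))
```

To run it on a live host, pass the lines of `journalctl -u systemd-resolved` to `summarize()` instead of `SAMPLE_LOG.splitlines()`.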