Linux Mailing List

["Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>]

Dear RHEL 8 test users

The latest Red Hat systemd package systemd-239-58.el8_6.4.x86_64 has an 
issue with resolved, which makes it fail to resolve DNS zones without 
DNSSEC (bugreport https://github.com/systemd/systemd/issues/21414) like 
for example psi.ch.

By default this package is updated automatically early on Monday as it 
is a security fix: https://access.redhat.com/errata/RHSA-2022:6206

On the Puppet environment "rhel8_preprod" I implemented a fix by 
disabling DNSSEC altogether.

As resolved seams not to be restarted automatically, you might not see 
the issue at the moment. You can test with

# resolvectl query psi.ch
psi.ch: resolve call failed: DNSSEC validation failed: no-signature
#

or working

# resolvectl query psi.ch
psi.ch: 192.33.120.32

-- Information acquired via protocol DNS in 1.7ms.
-- Data is authenticated: no
#


You might also see the problem with a failing puppet run:

# puppet agent -t
Info: Using environment 'rhel8_preprod'
Error: Connection to https://puppet01.psi.ch:8140/puppet/v3 failed, 
trying next route: Request to https://puppet01.psi.ch:8140/puppet/v3 
failed after 20.017 seconds: Failed to open TCP connection to 
puppet01.psi.ch:8140 (getaddrinfo: Name or service not known)


To fix DNS resolution manually you can

# echo "DNSSEC=false" >> /etc/systemd/resolved.conf && systemctl restart 
systemd-resolved


Feel free to contact me if you have questions or need further support

Cheers
Konrad

--
Paul Scherrer Institut
Konrad Bucheli
Linux Systems Engineer
Core Linux Research Services
Science IT Infrastructure and Services department (AWI)
WHGA/038
Forschungstrasse 111
5232 Villigen PSI
Switzerland

Phone: +41 56 310 27 24
konrad.bucheli AT psi.ch
www.psi.ch