Linux Mailing List

["Konrad Bucheli (PSI)" <konrad.bucheli AT psi.ch>]

Hi

The fix for this issue has been early merged into the `preprod` Puppet 
Environment.

Cheers
Konrad

On 13.09.22 16:39, Konrad Bucheli (PSI) wrote:
> Dear RHEL 8 test users
>
> The latest Red Hat systemd package systemd-239-58.el8_6.4.x86_64 has an 
> issue with resolved, which makes it fail to resolve DNS zones without 
> DNSSEC (bugreport https://github.com/systemd/systemd/issues/21414) like 
> for example psi.ch.
>
> By default this package is updated automatically early on Monday as it 
> is a security fix: https://access.redhat.com/errata/RHSA-2022:6206
>
> On the Puppet environment "rhel8_preprod" I implemented a fix by 
> disabling DNSSEC altogether.
>
> As resolved seams not to be restarted automatically, you might not see 
> the issue at the moment. You can test with
>
> # resolvectl query psi.ch
> psi.ch: resolve call failed: DNSSEC validation failed: no-signature
> #
>
> or working
>
> # resolvectl query psi.ch
> psi.ch: 192.33.120.32
>
> -- Information acquired via protocol DNS in 1.7ms.
> -- Data is authenticated: no
> #
>
>
> You might also see the problem with a failing puppet run:
>
> # puppet agent -t
> Info: Using environment 'rhel8_preprod'
> Error: Connection to https://puppet01.psi.ch:8140/puppet/v3 failed, 
> trying next route: Request to https://puppet01.psi.ch:8140/puppet/v3 
> failed after 20.017 seconds: Failed to open TCP connection to 
> puppet01.psi.ch:8140 (getaddrinfo: Name or service not known)
>
>
> To fix DNS resolution manually you can
>
> # echo "DNSSEC=false" >> /etc/systemd/resolved.conf && systemctl restart 
> systemd-resolved
>
>
> Feel free to contact me if you have questions or need further support
>
> Cheers
> Konrad