Standard query response – No such name DS

How to debug DNS errors: DNSSEC validation failed

Browser error

This site can’t be reached

monitoring.mattionline.lan’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

Curl output

mathias@workstation:~$ curl -v https://monitoring.mattionline.lan
* Rebuilt URL to: https://monitoring.mattionline.lan/
* Could not resolve host: monitoring.mattionline.lan
* Closing connection 0
curl: (6) Could not resolve host: monitoring.mattionline.lan

dig output

;; ANSWER SECTION:
monitoring.mattionline.lan. 300 IN A 192.168.2.132

;; AUTHORITY SECTION:
mattionline.lan. 300 IN NS dns01.mattionline.lan.

;; ADDITIONAL SECTION:
dns01.mattionline.lan. 300 IN A 192.168.2.134

Wireshark trace

24 2016-12-03 15:33:21.259787662 192.168.2.134 192.168.2.243 DNS 1081 Standard query response 0xb82b No such name DS mattionline.lan SOA a.root-servers.net RRSIG RRSIG NSEC aaa RRSIG NSEC lancaster OPT

root@workstation:~# systemctl status systemd-resolved.service
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN DS: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN SOA: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN DS: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN SOA: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN A: no-signature
Dec 03 15:50:57 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN DS: no-signature
Dec 03 15:50:57 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN SOA: no-signature
Dec 03 15:50:57 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN DS: no-signature
Dec 03 15:50:57 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN SOA: no-signature
Dec 03 15:50:57 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN A: no-signature
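
To see where the chain of trust breaks before changing the resolver setup, the journal lines above can be grouped by name and record type. This is an added example, not part of the original post; the function names are hypothetical, and the sample input is five lines copied from the log above plus one constructed non-matching line.

```python
import re
from collections import defaultdict

# Matches systemd-resolved journal lines of the form shown in the log above.
LINE_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) IN (?P<rrtype>[A-Z0-9]+): (?P<reason>\S+)"
)

# Sample input: five lines from the log above, last line constructed.
SAMPLE_LOG = """\
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN DS: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question mattionline.lan IN SOA: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN DS: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN SOA: no-signature
Dec 03 15:49:42 workstation systemd-resolved[1570]: DNSSEC validation failed for question homeserver.mattionline.lan IN A: no-signature
Dec 03 15:49:43 workstation systemd[1]: Started Session 4 of user mathias.
"""

def parse_failures(text):
    """Return {name: {rrtype: reason}} for each validation failure, deduplicated."""
    failures = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures[m["name"].rstrip(".").lower()][m["rrtype"]] = m["reason"]
    return dict(failures)

def broken_delegations(failures):
    """Names whose DS lookup failed, shortest first (DS links a zone to its parent)."""
    names = [name for name, rr in failures.items() if "DS" in rr]
    return sorted(names, key=lambda n: n.count("."))

def topmost_zone(failures):
    """Shortest DS-failing name that is a suffix of every failing name, else None."""
    names = broken_delegations(failures)
    if not names:
        return None
    top = names[0]
    covers = all(n == top or n.endswith("." + top) for n in failures)
    return top if covers else None

if __name__ == "__main__":
    print(topmost_zone(parse_failures(SAMPLE_LOG)))
```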

Solution

root@workstation:~# systemctl disable systemd-resolved.service
root@workstation:~# systemctl stop systemd-resolved.service

The upgrade to Ubuntu 17.04 installed full systemd support. My system resolved names through systemd-resolved and not through resolv.conf. You can also get it running by removing resolvconf and doing the resolution through systemd.
