Found that in the upstream issue: https://github.com/systemd/systemd/issues/25676

All that is needed is to fake content in a signed zone, reported with unbound:

    server:
        local-zone: example.org typetransparent
        local-data: "example.org. 3600 IN A 127.0.0.1"

Reproducible: Always

Steps to Reproduce:
1. Enable DNSSEC=yes
2. Run local unbound, configure fake local-data
3. Set DNS=127.0.0.1
4. resolvectl query -t example.org

Actual Results:

    [root@rawhide ~]# resolvectl query -t a example.org
    example.org IN A 127.0.0.1
    -- Information acquired via protocol DNS in 8.5ms.
    -- Data is authenticated: no; Data was acquired via local or encrypted transport: no
    -- Data from: network

    [root@rawhide ~]# resolvectl query -t aaaa example.org
    example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946
    -- Information acquired via protocol DNS in 10.2ms.
    -- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
    -- Data from: network

Expected Results:
Similar to when a signature is present, -t a should be reported as invalid, only -t aaaa successful.

Marking it with high severity, because it undermines the purpose of the whole DNSSEC presence.
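A check built on the output quoted in the report above, as an added example that is not part of the original bug report or of systemd: it classifies `resolvectl query` output by its "Data is authenticated" line. The function names and verdict labels are assumptions, and the BUG verdict only applies to a name known to be in a signed zone, queried through a resolver configured with DNSSEC=yes.

```shell
# Sample inputs constructed from the two outputs quoted in the report.
SAMPLE_A='example.org IN A 127.0.0.1
-- Information acquired via protocol DNS in 8.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network'

SAMPLE_AAAA='example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946
-- Information acquired via protocol DNS in 10.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network'

# classify: read `resolvectl query` output on stdin and print one of
#   authenticated    answer returned and marked "authenticated: yes"
#   unauthenticated  answer returned but marked "authenticated: no"
#   no-answer        no status line at all (lookup failed or was rejected)
classify() {
    awk '
        /^-- Data is authenticated: yes/ { state = "authenticated" }
        /^-- Data is authenticated: no/  { state = "unauthenticated" }
        END { print (state == "" ? "no-answer" : state) }
    '
}

# verdict: interpret a classification for a name in a signed zone under
# DNSSEC=yes (hypothetical labels). An unauthenticated answer is the
# behaviour the report describes; a rejected lookup is the expected result.
verdict() {
    case "$1" in
        authenticated)   echo OK ;;
        no-answer)       echo REJECTED ;;
        unauthenticated) echo BUG ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_live NAME TYPE: run the real query (needs systemd-resolved).
# Not called here, so the block runs offline on the samples only.
check_live() {
    verdict "$(resolvectl query -t "$2" "$1" 2>/dev/null | classify)"
}

echo "A:    $(verdict "$(printf '%s\n' "$SAMPLE_A" | classify)")"
echo "AAAA: $(verdict "$(printf '%s\n' "$SAMPLE_AAAA" | classify)")"
```

On a test machine set up as in the steps above, `check_live example.org a` and `check_live example.org aaaa` apply the same verdicts to live lookups.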
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
FEDORA-2024-c79658eedf has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c79658eedf
FEDORA-2024-b8312ca5b3 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-b8312ca5b3
FEDORA-2024-b8312ca5b3 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-b8312ca5b3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-b8312ca5b3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c79658eedf has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c79658eedf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c79658eedf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-b8312ca5b3 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-c79658eedf has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.