Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 03 May 2020 10:46:55 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: musl@...ts.openwall.com
Subject: Re: TCP support in the stub resolver

* Bartosz Brachaczek:

> On Sat, May 2, 2020 at 5:44 PM Rich Felker <dalias@...c.org> wrote:
>
>> On Sat, May 02, 2020 at 05:28:48PM +0200, Florian Weimer wrote:
>> > * Rich Felker:
>> >
>> > > On Tue, Apr 21, 2020 at 07:26:08PM +0200, Florian Weimer wrote:
>> > >> * Rich Felker:
>> > >>
>> > >> >> I'm excited that Fedora plans to add a local caching resolver by
>> > >> >> default.  It will help with a lot of these issues.
>> > >> >
>> > >> > That's great news! Will it be DNSSEC-enforcing by default?
>> > >>
>> > >> No.  It is currently not even DNSSEC-aware, in the sense that you
>> > >> can't get any DNSSEC data from it.  That's the sad part.
>> > >
>> > > That's really disappointing. Why? Both systemd-resolved and dnsmasq,
>> > > the two reasonable (well, reasonable for distros using systemd already
>> > > in the systemd-resolved case :) options for this, support DNSSEC fully
>> > > as I understand it. Is it just being turned off by default because of
>> > > risk of breaking things, or is some other implementation that lacks
>> > > DNSSEC being used?
>> >
>> > It's systemd-resolved.  As far as I can tell, it does not provide
>> > DNSSEC data on the DNS client interface.
>>
>> According to this it does:
>>
>> https://wiki.archlinux.org/index.php/Systemd-resolved#DNSSEC
>>
>> However it's subject to downgrade attacks unless you edit a config
>> file. Note that the example shows:
>>
>>     ....
>>     -- Data is authenticated: yes
>>
>> so it looks like it's setting the AD bit like it should.
>>
>
> Relevant info:
> https://fedoraproject.org/wiki/Changes/systemd-resolved#DNSSEC

This section talks about DNSSEC validation.  As far as I can tell,
running systemd-resolved as the stub resolver prevents applications
from accessing DNSSEC data and doing their own validation (or just
looking add DNSSEC record types), independently of how
systemd-resolved is built and configured.

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.