Bug 2222672

Summary: TRIAGE systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, chazlett, dfreiber, eaguilar, ebaron, jburrell, jkang, jpallich, lnykryn, msekleta, pjindal, rogbas, sfroberg, systemd-maint, vkumar, zjedrzej
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2222674, 2222675, 2222676
Bug Blocks: 2222673

Description Zack Miele 2023-07-13 12:43:01 UTC
systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing a man-in-the-middle (or the upstream DNS resolver) to manipulate records.
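
The decision a validator is expected to make for the case in this report, as an added example (it is not systemd-resolved code and models only the chain-of-trust logic, not signature cryptography). The `Response` fields, the `validate` and `accept_as_reported` functions and the constructed answers are all assumptions made for illustration: a name in a zone whose parent publishes a DS must either carry a valid RRSIG or be refused; an unsigned answer may only be accepted when the absence of the DS is itself proven by a signed NSEC/NSEC3 record, because an on-path attacker can strip both the RRSIG and the DS.

```python
"""Model of the DNSSEC validation outcome for a single answer.

Added example, not systemd-resolved's implementation. Cryptographic
checks (RRSIG/DNSKEY/DS verification) are assumed to have been done
already and are represented by booleans; the inputs are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # answer signed, chain of trust intact
    INSECURE = "insecure"  # zone proven unsigned (authenticated denial of DS)
    BOGUS = "bogus"        # validation failed: the answer must be refused


@dataclass(frozen=True)
class Response:
    """Constructed view of one answer plus the delegation state above it."""
    name: str
    zone: str                    # apex of the zone holding `name`
    rrset_signed: bool           # RRSIG present and cryptographically valid
    ds_in_parent: bool           # parent zone publishes a DS for `zone`
    proof_no_ds: bool            # signed NSEC/NSEC3 proving no DS exists


def validate(resp: Response, trust_anchor_ok: bool = True) -> Status:
    """Expected validator behaviour (RFC 4035-style reasoning, simplified)."""
    if not trust_anchor_ok:
        return Status.BOGUS
    if resp.ds_in_parent:
        # The zone is signed: an unsigned RRset here is exactly the
        # "unsigned name response in signed zone" and must be refused.
        return Status.SECURE if resp.rrset_signed else Status.BOGUS
    if resp.proof_no_ds:
        # Absence of DS is authenticated, so the zone is genuinely unsigned.
        return Status.INSECURE
    # No DS and no proof of its absence: indistinguishable from an
    # attacker stripping the DS, so it must not be treated as insecure.
    return Status.BOGUS


def accept_as_reported(resp: Response) -> Status:
    """Model of the behaviour described in this report (hypothetical):
    an unsigned RRset is accepted as if the zone were unsigned, even when
    the parent publishes a DS for it."""
    if resp.rrset_signed and resp.ds_in_parent:
        return Status.SECURE
    return Status.INSECURE


def should_use(status: Status, dnssec_mode: str) -> bool:
    """Policy for a resolver configured with DNSSEC=yes or DNSSEC=no.
    With DNSSEC=yes, only secure and proven-insecure answers are usable."""
    if dnssec_mode == "no":
        return True
    return status in (Status.SECURE, Status.INSECURE)


# Constructed answers for a signed zone (parent holds a DS).
SIGNED_OK = Response("www.example.com.", "example.com.", True, True, False)
STRIPPED_RRSIG = Response("www.example.com.", "example.com.", False, True, False)
# Attacker strips both the RRSIG and the DS; no NSEC proof accompanies it.
STRIPPED_BOTH = Response("www.example.com.", "example.com.", False, False, False)
# Genuinely unsigned zone with an authenticated denial of DS.
UNSIGNED_ZONE = Response("www.unsigned.test.", "unsigned.test.", False, False, True)

if __name__ == "__main__":
    for label, r in [("signed", SIGNED_OK), ("rrsig stripped", STRIPPED_RRSIG),
                     ("rrsig+ds stripped", STRIPPED_BOTH), ("unsigned zone", UNSIGNED_ZONE)]:
        print(f"{label:18} expected={validate(r).value:9} "
              f"as-reported={accept_as_reported(r).value}")
```

The interesting row is `rrsig stripped`: the expected outcome is bogus (refused under DNSSEC=yes), while the reported behaviour lets the unsigned answer through as insecure, which is the manipulation window the description refers to.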

Comment 3 Lukáš Nykrýn 2023-07-13 13:56:54 UTC
I think in RHEL we need to document that the DNSSEC validation in systemd-resolved is not the validation that you expect.

Basically, the behaviour is good for, for example, showing a semaphore in a browser that says validated/no clue/wrong when you use the resolved D-Bus API.
For more traditional uses, it is unusable. Maybe with DNS-over-TLS you would be fine.

Also, we can create an Insights rule to warn about this.