Bug 1883090 - systemd-resolved breaks DNSSEC validation
Summary: systemd-resolved breaks DNSSEC validation
Keywords:
Status: CLOSED DUPLICATE of bug 1879028
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 33
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-09-28 04:42 UTC by Paul Wouters
Modified: 2020-09-29 02:46 UTC (History)
CC List: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-29 02:46:35 UTC
Type: Bug
Embargoed:



Description Paul Wouters 2020-09-28 04:42:44 UTC
When a DNS library or application sends DNS requests with the DO bit set, systemd-resolved does not return the proper DNSSEC records because DNSSEC has been completely disabled.

This breaks any DNS library and program that depends on these records. It also undermines DNS security.

Two concrete examples:

libreswan links against libunbound and uses its own DNSSEC validation based on the forwarders specified in /etc/resolv.conf. With systemd-resolved populating resolv.conf with 127.0.0.53, libreswan is given a broken forwarder. DNSSEC fails and ALL RESOLVING within libreswan fails.

My postfix server uses LetsEncrypt certificates and publishes and consumes TLSA records to validate the SMTP TLS channels. Postfix requests DNS from the system resolver and expects the AD bit for DNSSEC-validated answers. systemd-resolved will never return these, so all TLSA query answers are ignored by postfix, downgrading my email TLS security to anonymous TLS, which can now be MITM'ed by anyone.

This could be considered a CVE-magnitude issue.
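To make the failure mode concrete, here is an added example (not part of the bug report or of postfix's code) that builds the kind of query a DNSSEC-aware client sends, an EDNS0 OPT record with the DO bit, and applies the check a DANE client needs before trusting TLSA data: NOERROR plus the AD bit. The query name and the two response headers are constructed sample values.

```python
import struct

# Added example: a DO-bit TLSA query and the "is this answer validated?" check
# that a DANE-aware MTA applies. Wire-format constants from RFC 1035 / RFC 6891.
RRTYPE_TLSA = 52
EDNS_DO = 0x8000      # "DNSSEC OK" bit in the OPT record's TTL field
FLAG_AD = 0x0020      # "Authentic Data" bit in the DNS header flags


def encode_name(qname):
    """Encode a dotted name as DNS wire-format labels (no compression)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=RRTYPE_TLSA, txid=0x1234):
    """Query with RD set plus an OPT pseudo-RR (type 41) advertising 4096-byte UDP and DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)    # root name, no RDATA
    return header + question + opt


def answer_is_validated(response):
    """True only if the response is NOERROR and the resolver asserted AD.

    A non-validating stub (the bug's systemd-resolved) never sets AD, so a DANE
    client must treat its TLSA answers as unusable; a validating resolver answers
    SERVFAIL for bogus data, which also returns False here.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    rcode = flags & 0x000F
    return rcode == 0 and bool(flags & FLAG_AD)


# Constructed response headers (the flags word is all this check needs).
VALIDATING = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)      # QR RD RA AD
NON_VALIDATING = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, no AD
BOGUS_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # rcode 2

if __name__ == "__main__":
    q = build_query("_25._tcp.mail.example.com")
    print(len(q), "byte TLSA query carrying the DO bit")
    print("validating resolver   ->", answer_is_validated(VALIDATING))
    print("non-validating stub   ->", answer_is_validated(NON_VALIDATING))
    print("bogus data (SERVFAIL) ->", answer_is_validated(BOGUS_SERVFAIL))
```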

Comment 1 Paul Wouters 2020-09-29 02:46:35 UTC

*** This bug has been marked as a duplicate of bug 1879028 ***

