Bug 2222260 - systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes [fedora]
Summary: systemd-resolved: Unsigned name response in signed zone is not refused when D...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 39
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/systemd/systemd/is...
Whiteboard:
Depends On:
Blocks: 2222261 2222266
TreeView+ depends on / blocked
 
Reported: 2023-07-12 13:03 UTC by Petr Menšík
Modified: 2023-08-16 08:07 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2222261 (view as bug list)
Environment:
Last Closed:
Type: ---
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github systemd systemd issues 15158 0 None open DNSSEC doesn't prevent MITM 2023-07-28 23:31:19 UTC
Github systemd systemd issues 25676 0 None open resolved DNSSEC validation can be bypassed by MITM 2023-07-18 07:46:59 UTC

Description Petr Menšík 2023-07-12 13:03:26 UTC 
Found that on upstream issue:
https://github.com/systemd/systemd/issues/25676

All needed is to fake content in signed zone, reported with unbound:

server:
  local-zone: example.org typetransparent
  local-data: "example.org. 3600 IN A 127.0.0.1"



Reproducible: Always

Steps to Reproduce:
1. Enable DNSSEC=yes
2. Run local unbound, configure fake local-data
3. Set DNS=127.0.0.1
4. resolvectl query -t example.org
Actual Results:  
[root@rawhide ~]# resolvectl query -t a example.org
example.org IN A 127.0.0.1

-- Information acquired via protocol DNS in 8.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
[root@rawhide ~]# resolvectl query -t aaaa example.org
example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946

-- Information acquired via protocol DNS in 10.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network

Expected Results:  
Similar to when signature is present, -t a should be reported as invalid, only -t aaaa successful.

Marking it with high severity, because it undermines purpose of whole DNSSEC presence.
Comment 1 Fedora Release Engineering 2023-08-16 08:07:56 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle.
Changing version to 39.
Note You need to log in before you can comment on or make changes to this bug.