Bug 2222261 - systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes [rhel9]
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: systemd
Version: 9.3
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: systemd maint
QA Contact: Frantisek Sumsal
URL: https://github.com/systemd/systemd/is...
Whiteboard: DNSSEC
Depends On: 2222260
Blocks: 2222266
Reported: 2023-07-12 13:09 UTC by Petr Menšík
Modified: 2023-08-14 11:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2222260
Clones: 2222266
Environment:
Last Closed:
Type: ---
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | systemd/systemd issue 15158 | 0 | None | open | DNSSEC doesn't prevent MITM | 2023-07-24 10:58:14 UTC
Github | systemd/systemd issue 25676 | 0 | None | open | resolved DNSSEC validation can be bypassed by MITM | 2023-07-24 10:58:17 UTC
Red Hat Issue Tracker | RHELPLAN-162112 | 0 | None | None | None | 2023-07-12 13:13:36 UTC

Description Petr Menšík 2023-07-12 13:09:55 UTC
+++ This bug was initially created as a clone of Bug #2222260 +++

Found this on the upstream issue:
https://github.com/systemd/systemd/issues/25676

All that is needed is to fake content in a signed zone, reported here with unbound:

server:
  local-zone: example.org typetransparent
  local-data: "example.org. 3600 IN A 127.0.0.1"

Reproducible: Always

Steps to Reproduce:
1. Enable DNSSEC=yes
2. Run local unbound, configure fake local-data
3. Set DNS=127.0.0.1
4. resolvectl query -t a example.org
Actual Results:
[root@rawhide ~]# resolvectl query -t a example.org
example.org IN A 127.0.0.1

-- Information acquired via protocol DNS in 8.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
[root@rawhide ~]# resolvectl query -t aaaa example.org
example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946

-- Information acquired via protocol DNS in 10.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network

Expected Results:
Similar to when a signature is present, -t a should be reported as invalid and only -t aaaa should succeed.

Marking it with high severity, because it undermines the purpose of the whole DNSSEC presence.

Comment 1 Petr Menšík 2023-07-12 13:21:12 UTC
Used just a simple addition to the unbound default config:

# cat /etc/unbound/conf.d/bogus.conf
server:
  local-zone: example.org typetransparent
  local-data: "example.org. 3600 IN A 127.0.0.1"

# systemctl restart unbound
# resolvectl dnssec eth0 yes
# resolvectl dns eth0 127.0.0.1
# resolvectl query --validate=yes -t a example.org
example.org IN A 127.0.0.1

-- Information acquired via protocol DNS in 1.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
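Reading the `-- Data is authenticated:` trailer by eye, as the description and Comment 1 do, does not scale to a host with many lookups. The following Python is an added example, not part of this bug report or of systemd: it parses `resolvectl query` output and flags every record under a zone the operator knows to be signed that came back unauthenticated, which is the condition the report describes; the zone list, the `unsigned.test` negative case and its 192.0.2.1 address are constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Zones the operator knows to be DNSSEC-signed (assumption for this example).
EXPECTED_SIGNED_ZONES = ("example.org",)
RR_LINE = re.compile(r"^(?P<name>\S+)\s+IN\s+(?P<rtype>[A-Z0-9]+)\s+(?P<rdata>.+)$")
AUTH_LINE = re.compile(r"^-- Data is authenticated:\s*(?P<auth>yes|no)")

@dataclass
class Block:
    records: list = field(default_factory=list)  # (name, rtype, rdata) per answer line
    authenticated: bool | None = None           # None when the trailer is missing

def parse_resolvectl(output: str) -> list[Block]:
    """Split resolvectl output into blocks; a block ends at its '-- Data from:' line."""
    blocks, current = [], None
    for line in output.splitlines():
        if rr := RR_LINE.match(line):
            if current is None:
                current = Block()
                blocks.append(current)
            current.records.append((rr["name"].rstrip(".").lower(), rr["rtype"], rr["rdata"]))
        elif (auth := AUTH_LINE.match(line)) and current is not None:
            current.authenticated = auth["auth"] == "yes"
        elif line.startswith("-- Data from:"):
            current = None
    return blocks

def in_zone(name: str, zone: str) -> bool:
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def find_unauthenticated(output: str, signed_zones=EXPECTED_SIGNED_ZONES) -> list:
    """Records under a signed zone that came back unvalidated; a missing trailer counts as 'no'."""
    return [rec for block in parse_resolvectl(output) if block.authenticated is not True
            for rec in block.records if any(in_zone(rec[0], z) for z in signed_zones)]

# Constructed sample: the report's two answers (timing lines dropped) plus an unsigned zone.
SAMPLE_OUTPUT = """\
example.org IN A 127.0.0.1
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network
unsigned.test IN A 192.0.2.1
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
"""
```

Running `find_unauthenticated(SAMPLE_OUTPUT)` reports only the spoofed A record; the validated AAAA answer and the answer from the zone not expected to be signed are left alone.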

Comment 4 Petr Menšík 2023-07-13 14:19:39 UTC
It turned out this problem was first reported in March 2020:
https://github.com/systemd/systemd/issues/15158