Bug 2222266 - systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes [rhel8]
Summary: systemd-resolved: Unsigned name response in signed zone is not refused when D...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: 8.9
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: systemd maint
QA Contact: Frantisek Sumsal
URL: https://github.com/systemd/systemd/is...
Whiteboard: DNSSEC
Depends On: 2222260 2222261
Blocks:
Reported: 2023-07-12 13:33 UTC by Petr Menšík
Modified: 2023-08-14 11:27 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2222261
Environment:
Last Closed:
Type: ---
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github systemd/systemd issue | 15158 | 0 | None | open | DNSSEC doesn't prevent MITM | 2023-07-18 07:46:34 UTC
Github systemd/systemd issue | 25676 | 0 | None | open | resolved DNSSEC validation can be bypassed by MITM | 2023-07-18 07:46:34 UTC
Red Hat Issue Tracker | RHELPLAN-162114 | 0 | None | None | None | 2023-07-12 13:33:49 UTC

Description Petr Menšík 2023-07-12 13:33:19 UTC
+++ This bug was initially created as a clone of Bug #2222261 +++

+++ This bug was initially created as a clone of Bug #2222260 +++

Found in the upstream issue:
https://github.com/systemd/systemd/issues/25676

All that is needed is to fake content in a signed zone, reported with unbound:

server:
  local-zone: example.org typetransparent
  local-data: "example.org. 3600 IN A 127.0.0.1"

Reproducible: Always

Steps to Reproduce:
1. Enable DNSSEC=yes
2. Run local unbound, configure fake local-data
3. Set DNS=127.0.0.1
4. resolvectl query -t a example.org

Actual Results:  
[root@rawhide ~]# resolvectl query -t a example.org
example.org IN A 127.0.0.1

-- Information acquired via protocol DNS in 8.5ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
[root@rawhide ~]# resolvectl query -t aaaa example.org
example.org IN AAAA 2606:2800:220:1:248:1893:25c8:1946

-- Information acquired via protocol DNS in 10.2ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: no
-- Data from: network

Expected Results:  
Similar to when a signature is present, -t a should be reported as invalid and only -t aaaa should succeed.

Marking it with high severity, because it undermines the whole purpose of having DNSSEC.

--- Additional comment from Petr Menšík on 2023-07-12 15:21:12 CEST ---

Used just a simple addition to the unbound default config:

# cat /etc/unbound/conf.d/bogus.conf 
server:
  local-zone: example.org typetransparent
  local-data: "example.org. 3600 IN A 127.0.0.1"

# set DNSSEC=yes DNS=127.0.0.1 in /etc/systemd/resolved.conf

# systemctl restart unbound systemd-resolved
# resolvectl dnssec eth0 yes
# resolvectl dns eth0 127.0.0.1
# resolvectl query --validate=yes -t a example.org
example.org IN A 127.0.0.1

-- Information acquired via protocol DNS in 1.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
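The decision a validating resolver is expected to make in the situation above (an answer without an RRSIG for a name inside a zone whose delegation chain carries DS records at every step) is spelled out in RFC 4035 section 5: such an answer is bogus, not merely unauthenticated, and must be refused. The following is an added example written for this page, not code from systemd-resolved or from the reporter; it models that decision on constructed data (the delegation chain, the `Delegation` and `Answer` classes and the `classify_answer` function are all assumptions of the example), and the only value taken from the report is the AAAA address above.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Delegation:
    """One delegation step below the root on the way to the zone holding the answer.

    name:              the child zone apex
    ds_in_parent:      parent publishes a DS for the child (child is signed)
    nsec_proves_no_ds: parent gave a validated NSEC/NSEC3 proof that no DS
                       exists, i.e. an authenticated insecure delegation
    """
    name: str
    ds_in_parent: bool
    nsec_proves_no_ds: bool = False


@dataclass
class Answer:
    """The RRset returned for the query, plus what the validator knows about its signature."""
    name: str
    rrtype: str
    rdata: List[str]
    rrsig_present: bool
    rrsig_valid: bool = False  # only meaningful when rrsig_present is True


def zone_security(chain: List[Delegation]) -> str:
    """Walk the delegation chain from the configured root trust anchor.

    Returns "secure" while every cut carries a DS, "insecure" once an
    authenticated no-DS proof is seen (everything below it is insecure),
    and "bogus" if a cut has neither a DS nor a proof of its absence.
    """
    state = "secure"  # the root is a trust anchor, so the walk starts secure
    for d in chain:
        if state == "insecure":
            break  # below an insecure cut nothing further can be proven
        if d.ds_in_parent:
            continue  # signed child, keep validating downwards
        if d.nsec_proves_no_ds:
            state = "insecure"
        else:
            return "bogus"  # unsigned cut without proof: refuse the data
    return state


def classify_answer(chain: List[Delegation], answer: Answer) -> str:
    """RFC 4035 outcome for an answer: "secure", "insecure" or "bogus".

    The case from the bug report is the "signed zone, no RRSIG" branch:
    a correct validator returns "bogus" there instead of serving the data
    as merely unauthenticated.
    """
    zs = zone_security(chain)
    if zs != "secure":
        return zs  # insecure or bogus chain decides the outcome on its own
    if not answer.rrsig_present:
        return "bogus"  # name lives in a signed zone but carries no signature
    return "secure" if answer.rrsig_valid else "bogus"


# Constructed chain for example.org: DS present at every cut (signed all the way).
SIGNED_CHAIN = [
    Delegation("org.", ds_in_parent=True),
    Delegation("example.org.", ds_in_parent=True),
]
# Constructed chain with an authenticated insecure delegation at the last cut.
INSECURE_CHAIN = [
    Delegation("org.", ds_in_parent=True),
    Delegation("unsigned.org.", ds_in_parent=False, nsec_proves_no_ds=True),
]
# Constructed chain with a cut that has neither a DS nor a no-DS proof.
BROKEN_CHAIN = [
    Delegation("org.", ds_in_parent=True),
    Delegation("missing.org.", ds_in_parent=False, nsec_proves_no_ds=False),
]

# The forged record from the report: A 127.0.0.1 with no RRSIG.
FORGED_A = Answer("example.org.", "A", ["127.0.0.1"], rrsig_present=False)
# The genuine AAAA answer from the report, signed and validated.
SIGNED_AAAA = Answer("example.org.", "AAAA", ["2606:2800:220:1:248:1893:25c8:1946"],
                     rrsig_present=True, rrsig_valid=True)
# An unsigned answer under an authenticated insecure delegation (constructed).
UNSIGNED_A = Answer("unsigned.org.", "A", ["192.0.2.1"], rrsig_present=False)

if __name__ == "__main__":
    for chain, ans in ((SIGNED_CHAIN, FORGED_A), (SIGNED_CHAIN, SIGNED_AAAA),
                       (INSECURE_CHAIN, UNSIGNED_A)):
        print(ans.name, ans.rrtype, "->", classify_answer(chain, ans))
```

Run as a script it prints `bogus` for the forged A record, `secure` for the signed AAAA record and `insecure` for the unsigned name under a proven insecure delegation. The third case is the only one in which an unsigned answer is acceptable, and it is exactly the proof that the typetransparent local-data in the report does not supply.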