Bug 2222672 - TRIAGE systemd-resolved: Unsigned name response in signed zone is not refused when DNSSEC=yes
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222674 2222675 2222676
Blocks: 2222673
Reported: 2023-07-13 12:43 UTC by Zack Miele
Modified: 2023-07-31 20:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:
Description Zack Miele 2023-07-13 12:43:01 UTC
systemd-resolved accepts records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Comment 3 Lukáš Nykrýn 2023-07-13 13:56:54 UTC
I think in RHEL we need to document that the DNSSEC validation in systemd-resolved is not the validation that you expect.

Basically, the behaviour is good to, for example, show a semaphore in a browser that will say validated/no clue/wrong when you use the resolved D-Bus API.
For more traditional uses, it is unusable. Maybe with DNSOverTLS you would be fine.

Also, we can create an insight rule to warn about this.