I think in rhel we need to document that the dnssec validation in systemd-resolved is not the validation that you expect.

Basically, the behaviour is good to, for example show a semaphore in a browser that will say validated/no clue/wrong when you use resolved dbus API.
For more traditional uses, it is unusable. Maybe with DNSOverTLS you would be fine.

Also, we can create an insight rule to warn about this.

No, I do not think DNSOverTLS fixes the issue. It does not protect against spoofing, which is the purpose of DNSSEC. It does not protect signed zones such as fedoraproject.org. If you want to spoof anything, you just strip signatures and provide any value you want.

It should be properly documented until it is fixed properly. This behaviour might be acceptable for DNSSEC=allow-downgrade, if the accepted name were marked somehow. But for DNSSEC=yes I am quite sure this is not wanted behaviour. No documentation will help.

Semaphore in the browser is useless if the remote attacker is able to disable it on will or disable validation only for selected hosts. One page consists usually from many hostnames serving different kind of resources. Single indicator for the whole site would not help.

This seems related to https://github.com/systemd/systemd/issues/25676 is this correct?

Was this CVE requested by Redhat? As far as I am aware, we were not consulted on this, neither before not after. This is very much not ok.

(In reply to Salvatore Bonaccorso from comment #5)
> This seems related to https://github.com/systemd/systemd/issues/25676 is
> this correct?

Yes, that is the second upstream issue for the same thing, first was https://github.com/systemd/systemd/issues/15158. But the second one has more valuable discussion IMO.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2463 https://access.redhat.com/errata/RHSA-2024:2463