systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes

Bug #1796501 reported by jrb0001
This bug affects 6 people
Affects            Status         Importance   Assigned to           Milestone
systemd (Ubuntu)   Fix Released   Medium       Balint Reczey
  Bionic           Fix Released   Medium       Dimitri John Ledkov
  Cosmic           Won't Fix      Medium       Dimitri John Ledkov
  Disco            Fix Released   Medium       Dimitri John Ledkov

Bug Description

[impact]

an NXDOMAIN response from a dns server when systemd-resolved is configured as DNSSEC=yes breaks dns resolution as it downgrades from DNSSEC.

[test case]

see comment 9

[regression potential]

as with the original patch that introduced this problem, this has the potential to break dns resolution.

[other info]

original description:

I ask systemd-resolved through dig to resolve the SOA of test.asdf. (doesn't exist) but it returns SERVFAIL instead of NXDOMAIN. It seems to do the following steps:
1. Ask upstream for SOA of test.asdf. with EDNS0, DO-bit and 4k size.
2. Ask upstream for SOA of test.asdf. with EDNS0 and DO-bit.
3. Ask upstream for SOA of test.asdf. with EDNS0.
4. Ask upstream for SOA of test.asdf. without EDNS0.
5. Repeat 1-4 for DS of test.asdf.
6. Repeat 1-5 for asdf.
7. Ask upstream for SOA of . with EDNS0, DO-bit and 4k size.
8. Ask upstream for DNSKEY of . with EDNS0, DO-bit and 4k size.

The upstream returns an unfragmented NXDOMAIN response for steps 1-6, an unfragmented NOERROR response for step 7 and a fragmented NOERROR response for step 8 which is the correct behaviour. DNSSEC records are included in the response if the DO-bit in the request was set.

systemd-resolved should take the response from step 1 and start with validation instead of starting useless retries with reduced feature set. Steps 3 and 4 are completely useless and probably lead to the SERVFAIL because I have configured it with DNSSEC=yes to prevent downgrade attacks.

This regression seems to be caused by the patch resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch. The downgrade logic should only be executed if it is configured as DNSSEC=allow-downgrade or DNSSEC=no. See also https://github.com/systemd/systemd/pull/8608#issuecomment-396927885.
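
A toy model of the retry sequence in the description above, added here as an illustration; it is not systemd code and not the Ubuntu patch. The two upstream stubs, the `gate_on_dnssec_mode` switch and the rule that a reply without DNSSEC records cannot pass strict validation are assumptions made for the example.

```python
"""Toy model of the NXDOMAIN retry ladder from this report (not systemd code)."""
from dataclasses import dataclass

# Feature levels in the order the report observed them (steps 1-4).
LADDER = [
    {"name": "EDNS0+DO+4k", "edns0": True, "do": True},
    {"name": "EDNS0+DO", "edns0": True, "do": True},
    {"name": "EDNS0", "edns0": True, "do": False},
    {"name": "plain UDP", "edns0": False, "do": False},
]


@dataclass
class Reply:
    rcode: str
    has_dnssec_records: bool


def honest_upstream(level):
    """Constructed stub of the reporter's upstream: the name does not exist,
    and DNSSEC records are included only when the DO-bit was set."""
    return Reply("NXDOMAIN", level["do"])


def edns0_hostile_upstream(level):
    """Constructed stub of the kind of server the workaround targets:
    NXDOMAIN whenever EDNS0 is present, a normal answer otherwise."""
    if level["edns0"]:
        return Reply("NXDOMAIN", False)
    return Reply("NOERROR", False)


def resolve(upstream, dnssec, gate_on_dnssec_mode):
    """Return (feature levels tried, rcode handed to the client).

    gate_on_dnssec_mode=False models the behaviour reported here: every
    NXDOMAIN is retried at the next lower level regardless of DNSSEC=.
    gate_on_dnssec_mode=True models what the report asks for: no
    downgrade when DNSSEC=yes.
    """
    may_downgrade = not (gate_on_dnssec_mode and dnssec == "yes")
    attempts = []
    reply = None
    for level in LADDER:
        attempts.append(level["name"])
        reply = upstream(level)
        if reply.rcode != "NXDOMAIN" or not may_downgrade:
            break
    # Assumption: in strict mode a reply without DNSSEC records cannot be
    # validated, which the client sees as SERVFAIL.
    if dnssec == "yes" and not reply.has_dnssec_records:
        return attempts, "SERVFAIL"
    return attempts, reply.rcode


if __name__ == "__main__":
    cases = [
        ("honest", honest_upstream, "yes", False),
        ("honest", honest_upstream, "yes", True),
        ("edns0-hostile", edns0_hostile_upstream, "allow-downgrade", True),
        ("edns0-hostile", edns0_hostile_upstream, "yes", True),
    ]
    for label, upstream, mode, gated in cases:
        tried, rcode = resolve(upstream, mode, gated)
        print(f"{label:14} DNSSEC={mode:15} gated={gated!s:5} "
              f"tried={len(tried)} -> {rcode}")
```

In the model, the ungated ladder ends on a plain-UDP reply that strict mode cannot validate, so a valid NXDOMAIN turns into SERVFAIL; with the gate, DNSSEC=yes stops after the first reply and only the other modes walk the ladder.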

Revision history for this message
jrb0001 (jrb0001) wrote :
Revision history for this message
jrb0001 (jrb0001) wrote :
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Can this bug make the complete failure of DNS (like https://github.com/systemd/systemd/issues/6490) more likely?

If SERVFAIL is for the DNS server, that sounds like this would cause more failures of DNS per the other issue.

tags: added: sts
Revision history for this message
jrb0001 (jrb0001) wrote :

I think the downgrade behaviour of systemd-resolved is the same as in that upstream bug although it is triggered differently. Except that it only breaks that single NXDOMAIN query in my case while it sounds like a permanent failure in the upstream bug.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in systemd (Ubuntu):
status: New → Confirmed
Eric Desrochers (slashd)
Changed in systemd (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
status: Confirmed → In Progress
importance: Undecided → Medium
Changed in systemd (Ubuntu Cosmic):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in systemd (Ubuntu Bionic):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in systemd (Ubuntu Cosmic):
status: New → In Progress
Changed in systemd (Ubuntu Bionic):
status: New → In Progress
Changed in systemd (Ubuntu Cosmic):
importance: Undecided → Medium
Changed in systemd (Ubuntu Bionic):
importance: Undecided → Medium
Revision history for this message
Eric Desrochers (slashd) wrote :
Dan Streetman (ddstreet)
tags: removed: sts
Revision history for this message
jrb0001 (jrb0001) wrote :

Has there been any progress so far? systemd-resolved would be nice in theory, but not if it breaks half of the websites like it did before I stopped using it.

Dan Streetman (ddstreet)
tags: added: sts
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

A simple case on Disco+ that I believe is related to the DVE workaround is:
resolvectl query www.engadget.com

DNSSEC doesn't appear to actually be involved on the domains, but with DNSSEC=(not yes) it works.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

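I grabbed the top 500 hosts in an Eoan LXD container with DNS=1.1.1.1
# URL quoted so the shell does not treat "?" as a glob character
wget -O top500.csv 'https://moz.com/top-500/download/?table=top500Domains'
# keep the second CSV column and strip the surrounding quotes
cut -d, -f2 < top500.csv | cut -d\" -f2 > top500

I ran this script twice (with and without dnssec=yes):
mkdir -p with_dnssec   # output directory for this run
while read -r p; do
  sleep 1
  echo "$p"
  resolvectl query "$p" > "with_dnssec/$p"
done < top500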

The following domains failed only with DNSSEC=yes (and all failures included DVE- notices in journal).
people.com.cn
search.yahoo.com
news.yahoo.com

(Oddly, engadget wasn't on the list. There may be a difference between networkd/network-manager?)

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I've confirmed that #9 is not reproducible with systemd from Debian. The runs from there with or without DNSSEC=yes are the same. They differ on Ubuntu.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I just built a package that just reverts it for Bionic and Disco : https://launchpad.net/~bryanquigley/+archive/ubuntu/1796501

Will confirm results tomorrow but so far with DNSSEC=yes:

Bionic with DVE-2018-0001 patch: Can't resolve europa.eu
Bionic with patch reverted: Can resolve europa.eu

Disco with DVE-2018-0001 patch: Can't resolve people.com.cn, search.yahoo.com, news.yahoo.com
Disco with patch reverted: Can resolve those three domains.

Changed in systemd (Ubuntu Cosmic):
status: In Progress → Won't Fix
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I've confirmed the fix causes other issues (above), and is still needed for wifi to work at Starbucks (In Toronto) - although DNS failed after accepting to east.datavalet.io.

I'm going to reach out to Datavalet and see if they have any thoughts.

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

@xnox Your updated patch (https://github.com/systemd/systemd/commit/50b9974aee29efb8118a20360b0d521f58110afd) on the GH issue fixes this issue AFAICT. Can we have the patch updated in Ubuntu?

I'm happy to make a debdiff.. but it is all your patches..

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Built an eoan package with xnox's updated patch in my ppa: https://launchpad.net/~bryanquigley/+archive/ubuntu/1796501/+packages

1. Confirm failure with DNSSEC=yes, DNS server 1.1.1.1
$ resolvectl query people.com.cn
people.com.cn: resolve call failed: DNSSEC validation failed: failed-auxiliary

2. Add PPA and upgrade systemd to PPA version.

3. Confirm success:
resolvectl query people.com.cn
people.com.cn: 106.48.12.140 -- link: ens2
               106.48.12.141 -- link: ens2
               (hpcc-download-foreign.chinacache.net)

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "eoan debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

I've confirmed that with this updated patch my issue in C#9 is indeed fixed. It also should be more performant for non-DNSSEC=yes users.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

@bryanquigley are you going to SRU that?

And please just that alone?

Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Yes, if we can get it into dev, I'd happily make debdiffs to SRU it to bionic/disco.

>And please just that alone?
Yes, just updating the patch to your latest version. I'm ok if it needs to be queued up for SRU with other systemd changes if that's what you are getting at.

tags: added: id-5d92536b4bcd9c68caddc01c
Revision history for this message
Victor Tapia (vtapia) wrote :
Revision history for this message
Balint Reczey (rbalint) wrote :

I'm adding this patch to the next upload I'm preparing in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3797/+packages .

Changed in systemd (Ubuntu):
assignee: Dimitri John Ledkov (xnox) → Balint Reczey (rbalint)
Eric Desrochers (slashd)
tags: added: sts-sponsor-ddstreet
Dan Streetman (ddstreet)
tags: added: ddstreet systemd
tags: added: bionic disco
Dan Streetman (ddstreet)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 242-7ubuntu2

---------------
systemd (242-7ubuntu2) eoan; urgency=medium

  [ Bryan Quigley ]
  * Update patch for resolved: Mitigate DVE-2018-0001, by retrying NXDOMAIN
    without EDNS0. This disables the workaround if DNSSEC=yes.
    Falls back directly to simple UDP instead of trying an intermediate.
    (LP: #1796501)
    Author: Bryan Quigley
    File: debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2974114ed9b89ea922a23893e8eff70d5cac77fe

  [ Balint Reczey ]
  * Pass personality test even when i386 userland runs on amd64 kernel
    File: debian/patches/debian/UBUNTU-test-Pass-personality-test-even-when-i386-userland-runs-o.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=42e0bfc426f19430f6768ef4922a9531a345765f
  * Refresh patches
    Files:
    - debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch
    - debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch
    - debian/patches/test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff8387be07322230e9afe87f1c767ee241e9a0e1

 -- Balint Reczey <email address hidden> Tue, 08 Oct 2019 22:31:17 +0200

Changed in systemd (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello jrb0001, or anyone else affected,

Accepted systemd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/240-6ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-disco
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/240-6ubuntu5.8)

All autopkgtests for the newly accepted systemd (240-6ubuntu5.8) for disco have finished running.
The following regressions have been reported in tests triggered by the package:

prometheus-bind-exporter/unknown (armhf)
php7.2/7.2.24-0ubuntu0.19.04.1 (armhf)
gvfs/1.40.1-1ubuntu0.1 (ppc64el)
pdns-recursor/unknown (armhf)
webhook/unknown (armhf)
munin/2.0.47-1ubuntu3 (armhf, arm64)
systemd/240-6ubuntu5.8 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/disco/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello jrb0001, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.32 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Verified in disco with, ii systemd 240-6ubuntu5.8

Dnssec and not are now consistent, tested general functionality with dnssec=yes and not set as well.

tags: added: verification-done-disco
removed: verification-needed-disco
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Verified in bionic with 237-3ubuntu10.32

Dnssec and not are now consistent, tested general functionality with dnssec=yes and not set as well.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/237-3ubuntu10.32)

All autopkgtests for the newly accepted systemd (237-3ubuntu10.32) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (ppc64el)
linux/unknown (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello jrb0001, or anyone else affected,

Accepted systemd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.33 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
removed: verification-done verification-done-bionic
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/237-3ubuntu10.33)

All autopkgtests for the newly accepted systemd (237-3ubuntu10.33) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.36.1-0ubuntu1.3.3 (ppc64el, amd64)
dovecot/1:2.2.33.2-1ubuntu4.5 (armhf)
umockdev/0.11.1-1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 240-6ubuntu5.8

---------------
systemd (240-6ubuntu5.8) disco; urgency=medium

  [ Victor Tapia ]
  * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch
    Fix regression introduced by
    resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when
    DNSSEC=yes (LP: #1796501)

  [ Dan Streetman ]
  * d/p/lp1840640-shared-seccomp-add-sync_file_range2.patch:
    allow sync_file_range2 in nspawn container (LP: #1840640)
  * d/p/lp1847527-journal-remote-do-not-request-Content-Length-if-Tran.patch:
    do not request Content-Length if Transfer-Encoding is chunked
    (LP: #1847527)
  * d/t/storage: fix flaky test
    (LP: #1847815)
  * d/p/lp1843381-dell_passthrough_skip_rename_retry.patch,
    debian/extra/rules/73-usb-net-by-mac.rules:
    fix rename delay for systems using "Dell MAC passthrough"
    (LP: #1843381)
  * d/p/lp1849733/0001-resolved-if-we-can-t-append-EDNS-OPT-RR-then-indicat.patch,
    d/p/lp1849733/0002-resolved-don-t-let-EDNS0-OPT-dgram-size-affect-TCP.patch:
    ignore EDNS0 payload limit when responding over TCP (LP: #1849733)
  * d/p/lp1849658-resolved-set-stream-type-during-DnsStream-creation.patch:
    - Fix bug in refcounting TCP stream types (LP: #1849658)
  * d/extra/dhclient-enter-resolved-hook:
    - only restart resolved if dhclient conf changed (LP: #1805183)

  [ Balint Reczey ]
  * d/p/test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch:
    fix test breakage due to running in nested lxd container
    (LP: #1845337)

 -- Dan Streetman <email address hidden> Fri, 04 Oct 2019 09:06:58 -0400

Changed in systemd (Ubuntu Disco):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Dan Streetman (ddstreet) wrote :

ubuntu@lp1796501-b:~$ cat /etc/systemd/network/10-ens3.network
[Match]
Name=ens3

[Network]
DHCP=ipv4
LinkLocalAddressing=ipv6
DNS=8.8.8.8
DNSSEC=yes

[DHCP]
UseDNS=no

ubuntu@lp1796501-b:~$ systemd-resolve --status ens3
Link 2 (ens3)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: yes
    DNSSEC supported: yes
         DNS Servers: 8.8.8.8
          DNS Domain: vm

ubuntu@lp1796501-b:~$ dpkg -l systemd|grep ii
ii systemd 237-3ubuntu10.31 amd64 system and service manager
ubuntu@lp1796501-b:~$ host test.asdf
Host test.asdf not found: 2(SERVFAIL)

ubuntu@lp1796501-b:~$ dpkg -l systemd|grep ii
ii systemd 237-3ubuntu10.33 amd64 system and service manager
ubuntu@lp1796501-b:~$ host test.asdf
Host test.asdf not found: 3(NXDOMAIN)

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
tags: removed: sts-sponsor-ddstreet
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 237-3ubuntu10.33

---------------
systemd (237-3ubuntu10.33) bionic; urgency=medium

  * d/p/lp1852754/0001-network-do-not-re-set-MTU-when-current-and-requested.patch,
    d/p/lp1852754/0002-network-call-link_acquire_conf-and-link_enter_join_n.patch,
    d/p/lp1852754/0003-network-prohibit-to-set-MTUBytes-and-UseMTU-simultan.patch:
    - Complete link setup after setting mtu (LP: #1852754)

systemd (237-3ubuntu10.32) bionic; urgency=medium

  [ Victor Tapia ]
  * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch
    Fix regression introduced by
    resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when
    DNSSEC=yes (LP: #1796501)

  [ Dan Streetman ]
  * d/p/fix-typo-lp1668771-resolved-switch-cache-option-to-a-tri-state-option-s.patch:
    - Fix typo in previous patch
  * d/p/lp1840640-shared-seccomp-add-sync_file_range2.patch:
    - allow sync_file_range2 in nspawn container
      (LP: #1840640)
  * d/p/lp1783994-dissect-Don-t-count-RPMB-and-boot-partitions-8609.patch:
    - avoid systemd-gpt-auto-generator failure if mmc dev present
      (LP: #1783994)
  * d/p/lp1832672-resolved-rework-parsing-of-etc-hosts.patch:
    - do not fail entire file on error when parsing /etc/hosts
    - parse # char anywhere in line as start of comment
      (LP: #1832672)
  * d/p/lp1843381-dell_passthrough_skip_rename_retry.patch,
    debian/extra/rules/73-usb-net-by-mac.rules:
    - fix rename delay for systems using "Dell MAC passthrough"
      (LP: #1843381)
  * d/p/lp1849733/0001-resolved-longlived-TCP-connections.patch,
    d/p/lp1849733/0002-resolved-line-split-dns_stream_new-function-signatur.patch,
    d/p/lp1849733/0003-resolved-add-some-assert-s.patch,
    d/p/lp1849733/0004-stream-track-type-of-DnsStream-object.patch,
    d/p/lp1849733/0005-llmnr-add-comment-why-we-install-no-complete-handler.patch,
    d/p/lp1849733/0006-resolved-restart-stream-timeout-whenever-we-managed-.patch,
    d/p/lp1849733/0007-resolved-only-call-complete-with-zero-argument-in-LL.patch,
    d/p/lp1849733/0008-resolved-add-comment-to-dns_stream_complete-about-it.patch,
    d/p/lp1849733/0009-resolved-keep-stub-stream-connections-up-for-as-long.patch,
    d/p/lp1849733/0010-resolved-if-we-can-t-append-EDNS-OPT-RR-then-indicat.patch,
    d/p/lp1849733/0011-resolved-don-t-let-EDNS0-OPT-dgram-size-affect-TCP.patch,
    d/p/lp1849733/0012-resolved-add-new-accessor-dns_stream_take_read_packe.patch,
    d/p/lp1849733/0013-resolve-do-not-complete-stream-transaction-when-it-i.patch:
    - add TCP pipelining to handle getaddrinfo() fallback to TCP
    - ignore EDNS0 payload limit when responding over TCP (LP: #1849733)
  * d/p/lp1849658-resolved-set-stream-type-during-DnsStream-creation.patch:
    - Fix bug in refcounting TCP stream types (LP: #1849658)
  * d/p/lp1850704/0001-networkd-Unify-set-MTU.patch,
    d/p/lp1850704/0002-network-drop-redundant-lines.patch:
    - Fix setting mtu if interface already up (LP: #1850704)
  * d/extra/dhclient-enter-resolved-hook:
    - only restart resolved if dhclient conf changed (LP: #1805183)

 -- Dan Streetman <email address hidden> Fri, 15 Nov 2019 10:01:16 -0500

Changed in systemd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Ron Johnson (ronaldljohnson) wrote :

I fixed the issue simply by changing the link from the stub resolver to just point at resolv.conf with just nameserver lines...
