systemd-resolved DNSSEC implementation does not protect against cache poisoning

Bug #2027797 reported by Petr Menšík
Affects            Status      Importance   Assigned to   Milestone
systemd            New         Unknown
systemd (Ubuntu)   Confirmed   Low          Unassigned

Bug Description

Steps required are at upstream issue https://github.com/systemd/systemd/issues/25676

Unfortunately it has been reported publicly for 3 years in https://github.com/systemd/systemd/issues/15158, so no embargo makes sense

Tags: dnssec
Petr Menšík (pihhan)
information type: Private Security → Public Security
Petr Menšík (pihhan) wrote :

Because systemd-resolved is preinstalled not only on the desktop but also on the server variant, I expect some people may decide to protect their DNS cache. Unfortunately it does not tell them it won't work.

Seth Arnold (seth-arnold) wrote :

Thanks for the report; it's my understanding that "real" DNSSEC deployments at sites that care will do all the DNSSEC enforcement with a local recursor because the application APIs are immature / underspecified / etc.

Such centralization also makes it far easier for the DNS operations team to work around misconfigured DNSSEC systems in the wild by setting Negative Trust Anchors on portions of the DNS tree (as described at https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors ) when necessary.

Thanks

Changed in systemd (Ubuntu):
status: New → Confirmed
Nick Rosbrook (enr0n)
Changed in systemd (Ubuntu):
importance: Undecided → Low
Changed in systemd:
status: Unknown → New