[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Phil Regnauld regnauld at nsrc.org
Fri Jun 3 08:55:22 UTC 2016


Phil Regnauld (regnauld) writes:
> 
> 	Read the thread, and this came up:
> 
> 	https://lists.ubuntu.com/archives/ubuntu-devel/2016-May/039370.html
> 
> 	... apparently it doesn't do source port randomization. Ouch.
> 
> 	That's a real step backwards if that's the case.

	Ok, this was implemented in systemd 220:

https://github.com/systemd/systemd/blob/master/NEWS

* systemd-resolved now implements RFC5452 to improve resilience against
cache poisoning. Additionally, source port randomization is enabled
by default to further protect against DNS spoofing attacks.

	Regarding RFC5011, from:

	https://www.freedesktop.org/software/systemd/man/dnssec-trust-anchors.d.html

"Note that systemd-resolved will not update its trust anchor database
from DNS servers automatically. Instead, it is recommended to update the
resolver software or update the new trust anchor via adding in new trust
anchor files."

	It's great if you're on a desktop or mobile device that MAY get updated
	regularly, but if the TA changes between software updates, that sucks.




More information about the dns-operations mailing list