[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Ondřej Surý ondrej.sury at nic.cz
Fri Jun 3 12:05:46 UTC 2016


Hi Peter,

ok, so here are my reasons:

1. DNSSEC="allow-downgrade" aka "Opportunistic DNSSEC" is just a horrible idea.  I would compare it to the "I see a wonky certificate, do you want to continue?" in the browsers.  We are still recovering from that.  Deploying DNSSEC at the end-stations is hard (and as far as I understand the efforts in Fedora/RedHat, they are still failing).  We don't have any way to signal to the user whether the lookup was secure or not, and even if we had, the users wouldn't understand the impact.  In my opinion, the only way to make the computers secure is to require the security.  (This is similar to not enabling 'dnssec-check-unsigned' in dnsmasq.)

2. The static src-ports were already fixed, but I think that making this mistake in the first place is a symptom that writing a secure resolver without talking to the people who deeply understand DNS can go wrong.  I spoke to Lennart after his FOSDEM talk and while I understand his position on "just fixing broken things", I think it's also important to "fix" them right and not just with huge "duct tape".

3. DNS is hard.  I've seen too many weird DNS setups to believe that it will not break even if it leaves the heavy lifting to the upstream DNS resolver.  But... systemd-resolved has to be a caching DNSSEC-validating forwarder (otherwise it would be very expensive) and that brings another set of problems.  And I simply don't believe that this test set[1] covers all the weirdness in the DNS.

4. In the end it might be better than having a default dnsmasq as a resolver, but it still doesn't make it right.

Perhaps I am wrong and systemd-resolved in Ubuntu 16.10 will be a huge success, but my common sense (aka gut feeling) and experience with DNS tells me otherwise.

1. https://github.com/systemd/systemd/tree/master/src/resolve/test-data

Cheers,
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury at nic.cz    https://nic.cz/
 --------------------------------------------
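The DNSSEC=allow-downgrade setting criticised in point 1 of the message above, shown beside the strict setting, as an added illustration that is not part of the original post; it assumes the /etc/systemd/resolved.conf option values documented for systemd-resolved ("yes", "no", "allow-downgrade").

```ini
# Added illustration, not from the original message.
# Opportunistic mode: validation is attempted, but if it fails or the
# upstream resolver does not support DNSSEC, resolved silently falls
# back to unvalidated answers. An on-path attacker who can strip or
# break DNSSEC therefore gets the same result as a resolver with no
# validation at all, and the application receives no signal about it.
[Resolve]
DNSSEC=allow-downgrade

# Strict mode: answers that fail validation are rejected and the lookup
# returns an error instead of an unvalidated record. Requires an
# upstream resolver that returns the DNSSEC records (RRSIG, DS, NSEC*),
# otherwise resolution fails rather than degrading.
# [Resolve]
# DNSSEC=yes
```

After changing the file, systemd-resolved must be restarted for the setting to take effect; the trade-off is exactly the one the message describes, strict failure versus silent downgrade.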

----- Original Message -----
> From: "Peter van Dijk" <peter.van.dijk at powerdns.com>
> To: dns-operations at dns-oarc.net
> Sent: Friday, June 3, 2016 10:41:24 AM
> Subject: Re: [dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

> Hello,
> 
> On 3 Jun 2016, at 9:38, Ondřej Surý wrote:
> 
>> the horrible news as of today:
>>
>> https://lists.ubuntu.com/archives/ubuntu-devel/2016-May/039350.html
>>
>> Shivers...
> 
> To the other responders to your post, apparently it’s super clear why
> this is horrible news. For those of us that are not blessed with such
> insight, can you please elaborate? The reasons given in the linked post
> for doing this appear sensible to me.
> 
> Kind regards,
> --
> Peter van Dijk
> PowerDNS.COM BV - https://www.powerdns.com/