[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Paul Wouters paul at nohats.ca
Sun Jun 5 18:40:13 UTC 2016


On Fri, 3 Jun 2016, Erwin Lansing wrote:

> Opportunistic DNSSEC works around this problem, but at the cost of breaking its security promise.  I would very much argue that false security is worse than no security.

The solution here is to allow dnssec-downgrade only for those records
where it should cause little to no harm. If you are on a random hotspot,
they already own your routing table, so protecting A records is futile.
So if an A record is expired, or bogus, the resolver might as well just
serve it to the application. It's not worse then upstream redirecting
the IP address the A record points to.

What you should never do is serve bogus TLSA, IPSECKEY, SSHFP, etc
records. Those MUST be protected by DNSSEC.

That way, applications using DNSSEC are still protected, and most DNSSEC
outages like expired records won't cause unreachability.

Of course, this kind of systemd-resolvd bad practise is why security aware
applications (like libreswan) will want to do their own validation because
it simply cannot trust the AD bit from sources like systemd-resolved.
Which is exactly what systemd-resolvd was supposed to solve....

Paul



More information about the dns-operations mailing list