[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

P Vixie paul at redbarn.org
Mon Jun 6 02:38:43 UTC 2016


+1 to this approach.

On June 5, 2016 6:51:03 PM PDT, Mark Andrews <marka at isc.org> wrote:
>
>In message <20160606092634.32fddbf7 at pallas.home.time-travellers.org>,
>Shane Kerr writes:
>> Paul,
>>
>> At 2016-06-05 14:29:20 -0400
>> Paul Wouters <paul at nohats.ca> wrote:
>>
>> > On Fri, 3 Jun 2016, Phil Regnauld wrote:
>> >
>> > >> 	... apparently it doesn't do source port randomization. Ouch.
>> > >>
>> > >> 	That's a real step backwards if that's the case.
>> > >
>> > > 	Ok, this was implemented in systemd 220:
>> > >
>> > > https://github.com/systemd/systemd/blob/master/NEWS
>> > >
>> > > * systemd-resolved now implements RFC5452 to improve resilience against
>> > > cache poisoning. Additionally, source port randomization is enabled
>> > > by default to further protect against DNS spoofing attacks.
>> >
>> > systemd-resolved requires a forwarder. It is not a full DNS recursive
>> > server. So source port randomization is pretty useless as you are most
>> > likely just doing DNS on the local network.
>>
>> Minor point: According to Geoff Huston something like 10% of the users
>> of the world use 8.8.8.8 as their resolver, at least as of a couple
>> years ago:
>>
>> http://www.potaroo.net/ispcol/2014-11/resolvers.html
>>
>> So the idea that stub resolvers talk to DNS on the local network is not
>> true in hundreds of millions of cases. Adding source port randomization
>> will help the (admittedly crappy) protection against out-of-path
>> spoofing for these users.
>
>Adding DNS COOKIE support (RFC 7873) will do an even better job and
>help with other issues.  With working DNS COOKIE support you don't
>need to do port randomisation.
>
>Mark
>
>> Cheers,
>> 
>> --
>> Shane
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
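The DNS COOKIE mechanism Mark suggests, as an added example that is not part of the thread and is neither systemd-resolved's nor BIND's code: a stub-side query with an EDNS0 COOKIE option (option code 10, RFC 7873), a simulated cookie-aware server that echoes the 8-byte client cookie and appends an 8-byte server cookie, and the client check that drops an off-path forgery which got the 16-bit TXID right but cannot know the 64-bit client cookie. Everything is built with the standard library's struct module and runs offline. Assumptions: the client cookie is derived as truncated HMAC-SHA256 over the client and server addresses with a client-held secret (RFC 7873 only requires some pseudorandom function of those inputs), the server cookie construction is this demo's own, the addresses 192.0.2.10 and 8.8.8.8 and the name www.example.com are constructed, and the client is deliberately strict about cookie-less replies, which a real stub cannot be until it knows the server supports cookies.

```python
# Added example, not from the thread or any resolver project: minimal
# DNS COOKIE (RFC 7873, EDNS0 option 10) round trip built with struct only.
import hashlib
import hmac
import os
import struct

OPT_COOKIE = 10        # EDNS0 option code assigned to DNS COOKIE
TYPE_OPT = 41          # EDNS0 OPT pseudo-RR type
UDP_PAYLOAD = 1232     # advertised EDNS buffer size (assumed value)


def client_cookie(client_secret: bytes, client_ip: str, server_ip: str) -> bytes:
    """8-byte client cookie: PRF of client IP, server IP and a client secret
    (RFC 7873 s4.1). Truncated HMAC-SHA256 is this demo's choice of PRF."""
    msg = client_ip.encode() + b"|" + server_ip.encode()
    return hmac.new(client_secret, msg, hashlib.sha256).digest()[:8]


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"


def opt_rr(options: bytes) -> bytes:
    """OPT RR: root name, type 41, class = UDP payload size, TTL = 0, options."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, 0, len(options)) + options


def build_query(txid: int, qname: str, cookie: bytes, qtype: int = 1) -> bytes:
    """Query with RD set, one question, one OPT RR carrying the cookie."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    option = struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
    return header + question + opt_rr(option)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, handling a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def extract_cookie(msg: bytes):
    """Return the COOKIE option data from the message's OPT RR, or None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        o = 0
        while o + 4 <= len(rdata):               # walk the EDNS option list
            code, olen = struct.unpack_from("!HH", rdata, o)
            o += 4
            if code == OPT_COOKIE:
                return rdata[o:o + olen]
            o += olen
    return None


def server_respond(query: bytes, server_secret: bytes, client_ip: str) -> bytes:
    """Simulated cookie-aware server: echo the client cookie, append a server
    cookie bound to it and to the client address (demo construction)."""
    txid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:skip_name(query, 12) + 4]
    cc = extract_cookie(query)
    sc = hmac.new(server_secret, cc + client_ip.encode(), hashlib.sha256).digest()[:8]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 1)   # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    option = struct.pack("!HH", OPT_COOKIE, 16) + cc + sc
    return header + question + answer + opt_rr(option)


def accept_response(resp: bytes, txid: int, cc: bytes):
    """Client-side check; strict about missing cookies (demo simplification)."""
    if len(resp) < 12 or struct.unpack_from("!H", resp, 0)[0] != txid:
        return False, "txid mismatch"
    cookie = extract_cookie(resp)
    if cookie is None:
        return False, "no cookie option"
    if not 16 <= len(cookie) <= 40:              # 8 client + 8..32 server bytes
        return False, "bad cookie length"
    if not hmac.compare_digest(cookie[:8], cc):
        return False, "client cookie mismatch"
    return True, "ok"


def demo():
    """Constructed exchange: stub 192.0.2.10 -> 8.8.8.8, plus an off-path
    forgery that guessed the TXID but had to guess the 64-bit cookie too."""
    cc = client_cookie(os.urandom(16), "192.0.2.10", "8.8.8.8")
    txid = 0x1234
    genuine = server_respond(build_query(txid, "www.example.com.", cc),
                             b"server-secret", "192.0.2.10")
    forged = server_respond(build_query(txid, "www.example.com.", os.urandom(8)),
                            b"attacker", "192.0.2.10")
    return accept_response(genuine, txid, cc), accept_response(forged, txid, cc)


if __name__ == "__main__":
    print(demo())   # ((True, 'ok'), (False, 'client cookie mismatch'))
```

The point of the forgery branch is the one Mark makes: with port randomization an off-path attacker has to hit a 16-bit TXID and a roughly 16-bit source port; with a working cookie the attacker has to reproduce 64 bits it never sees on the wire, regardless of the source port, so the cookie does at least as well even when the stub talks to a distant forwarder such as 8.8.8.8.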