[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Paul Wouters paul at nohats.ca
Mon Jun 6 18:07:01 UTC 2016

On Mon, 6 Jun 2016, Peter van Dijk wrote:

> On 5 Jun 2016, at 20:40, Paul Wouters wrote:
>>  Of course, this kind of systemd-resolvd bad practise is why security aware
>>  applications (like libreswan) will want to do their own validation because
>>  it simply cannot trust the AD bit from sources like systemd-resolved.
>>  Which is exactly what systemd-resolvd was supposed to solve....
> Are you saying systemd-resolved will set an AD bit even when a downgrade has 
> happened?

I phrased that poorly.

It won't set a bogus AD bit. You just might be missing a valid
response that would have had an AD bit because it didn't come
in as the first answer.


More information about the dns-operations mailing list