[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Paul Wouters
paul at nohats.ca
Mon Jun 6 18:07:01 UTC 2016
On Mon, 6 Jun 2016, Peter van Dijk wrote:
> On 5 Jun 2016, at 20:40, Paul Wouters wrote:
>
>> Of course, this kind of systemd-resolved bad practice is why security-aware
>> applications (like libreswan) will want to do their own validation because
>> it simply cannot trust the AD bit from sources like systemd-resolved.
>> Which is exactly what systemd-resolved was supposed to solve....
>
> Are you saying systemd-resolved will set an AD bit even when a downgrade has
> happened?
I phrased that poorly.
It won't set a bogus AD bit. You just might be missing a valid
response that would have had an AD bit because it didn't come
in as the first answer.
Paul