[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Ondřej Surý ondrej.sury at nic.cz
Tue Jun 7 06:41:45 UTC 2016

----- Original Message -----
> From: "Peter van Dijk" <peter.van.dijk at powerdns.com>
> To: dns-operations at dns-oarc.net
> Sent: Monday, June 6, 2016 5:37:28 PM
> Subject: Re: [dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

> Paul,
> On 5 Jun 2016, at 20:40, Paul Wouters wrote:
>> Of course, this kind of systemd-resolvd bad practise is why security
>> aware
>> applications (like libreswan) will want to do their own validation
>> because
>> it simply cannot trust the AD bit from sources like systemd-resolved.
>> Which is exactly what systemd-resolvd was supposed to solve....
> Are you saying systemd-resolved will set an AD bit even when a downgrade
> has happened?

systemd-resolved plugs into nsswitch, so there's no AD in the beginning...

From: https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html

> The glibc NSS module nss-resolve(8) is required to permit glibc's NSS resolver functions to resolve host names via systemd-resolved.


 Ondřej Surý -- Technical Fellow
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury at nic.cz    https://nic.cz/

More information about the dns-operations mailing list