[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Ondřej Surý
ondrej.sury at nic.cz
Tue Jun 7 06:41:45 UTC 2016
----- Original Message -----
> From: "Peter van Dijk" <peter.van.dijk at powerdns.com>
> To: dns-operations at dns-oarc.net
> Sent: Monday, June 6, 2016 5:37:28 PM
> Subject: Re: [dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
> Paul,
>
> On 5 Jun 2016, at 20:40, Paul Wouters wrote:
>
>> Of course, this kind of systemd-resolved bad practise is why security aware
>> applications (like libreswan) will want to do their own validation because
>> it simply cannot trust the AD bit from sources like systemd-resolved.
>> Which is exactly what systemd-resolved was supposed to solve....
>
> Are you saying systemd-resolved will set an AD bit even when a downgrade
> has happened?
systemd-resolved plugs into nsswitch, so there's no AD in the beginning...
From: https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
> The glibc NSS module nss-resolve(8) is required to permit glibc's NSS resolver functions to resolve host names via systemd-resolved.
https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
O.
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.sury at nic.cz https://nic.cz/
--------------------------------------------
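
The point made in the message above, as an added example that is not part of the original mail: the AD bit is a flag in the DNS message header, while an application resolving through the libc/NSS path (`getaddrinfo`) gets back only address tuples with no field for it. The header bytes are constructed sample data, and the function names `parse_flags` and `nss_result_fields` are hypothetical.

```python
import socket
import struct

# Constructed sample: 12-byte DNS response header (RFC 1035 layout, AD/CD per RFC 4035).
# ID=0x1a2b, flags=0x81a0 (QR=1, RD=1, RA=1, AD=1, RCODE=0), QDCOUNT=1, ANCOUNT=1.
SAMPLE_HEADER = struct.pack("!HHHHHH", 0x1A2B, 0x81A0, 1, 1, 0, 0)


def parse_flags(msg: bytes) -> dict:
    """Decode the flag word of a raw DNS message, as a stub talking DNS would see it."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {
        "qr": bool(flags & 0x8000),  # response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated
        "rd": bool(flags & 0x0100),  # recursion desired
        "ra": bool(flags & 0x0080),  # recursion available
        "ad": bool(flags & 0x0020),  # authenticated data (set by the upstream validator)
        "cd": bool(flags & 0x0010),  # checking disabled
        "rcode": flags & 0x000F,
    }


def nss_result_fields(host: str = "127.0.0.1") -> dict:
    """Return everything getaddrinfo() hands to the application for one result.

    AI_NUMERICHOST keeps this offline; a name lookup through nsswitch returns
    tuples of exactly the same shape.
    """
    info = socket.getaddrinfo(host, 53, type=socket.SOCK_DGRAM,
                              flags=socket.AI_NUMERICHOST)
    family, socktype, proto, canonname, sockaddr = info[0]
    return {"family": family, "socktype": socktype, "proto": proto,
            "canonname": canonname, "sockaddr": sockaddr}


if __name__ == "__main__":
    print("DNS header flags:", parse_flags(SAMPLE_HEADER))
    # No key here carries validation status: the header never reaches the caller.
    print("getaddrinfo result:", nss_result_fields())
```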