[dns-operations] More DNSSEC validators to expect

Paul Wouters paul at nohats.ca
Tue May 24 05:00:22 UTC 2016

On Sun, 22 May 2016, Stephane Bortzmeyer wrote:

> New version of Linux' systemd has DNSSEC validation enabled by default:
> http://news.softpedia.com/news/systemd-230-launches-with-dnssec-enabled-by-default-in-systemd-resolved-more-504339.shtml

Which sends out all application queries over all interfaces to all
DNS servers, and uses the first answer that comes back irrespective of
DNSSEC status.

This will be bad for split-DNS (VPN) queries and DNS privacy in general,
and additionally will ensure a local attacker will always win from the
real answer.

As it uses nsswitch, it will also still do all of this even if you
run a local validating nameserver. Since systemd-resolved itself
does not cache, at least over time you will get a better chance
of not getting poisoned, if you do run a local DNS server.

systemd-resolved also implements its own resolver, and uses dbus/xml
to convert DNS queries from wire format to internal format to wire
format before it hits the application. So this requires continuous
active maintenance on the DNS protocol by the software vendor.

I cannot recommend using this software in the current form.
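A small model of the race the post describes, added here as an illustration and not code from systemd-resolved or from the post's author. Policy A is the fan-out-and-take-the-first-reply behaviour criticised above; policy B is my own sketch of the contrasting behaviour (scope each query to the link responsible for the name, and never accept a reply the validator marks bogus). Interface names, latencies, addresses and the "secure / insecure / bogus" labels are all constructed for the example.

```python
"""Model of the query fan-out race described in the post. Added example,
not systemd-resolved code; every reply, latency and link below is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    source: str            # who produced the packet (label only, constructed)
    interface: str         # link the packet arrived on
    latency_ms: int        # arrival time relative to the query
    rdata: Optional[str]   # A record, or None for NXDOMAIN / no data
    dnssec: str            # validator result: "secure", "insecure" or "bogus"


# Per-link routing domains: () means "default route for everything".
Links = Dict[str, Tuple[str, ...]]


def first_answer_wins(replies: List[Reply]) -> Reply:
    """Policy A: fan out on every link and accept whatever comes back first,
    regardless of which link it arrived on or what the validator says."""
    return min(replies, key=lambda r: r.latency_ms)


def _links_for(qname: str, links: Links) -> List[str]:
    """Pick the links whose routing domain matches qname most specifically,
    falling back to the default-route links when nothing matches."""
    best: List[str] = []
    best_len = -1
    for link, domains in links.items():
        for d in domains:
            if qname == d or qname.endswith("." + d):
                if len(d) > best_len:
                    best, best_len = [link], len(d)
                elif len(d) == best_len:
                    best.append(link)
    if best:
        return best
    return [link for link, domains in links.items() if not domains]


def scoped_and_validated(qname: str, replies: List[Reply],
                         links: Links) -> Optional[Reply]:
    """Policy B (hypothetical): only listen on the links responsible for
    qname, and skip bogus replies instead of accepting them. Returns None
    if no acceptable reply arrives at all."""
    wanted = set(_links_for(qname, links))
    for r in sorted(replies, key=lambda r: r.latency_ms):
        if r.interface in wanted and r.dnssec != "bogus":
            return r
    return None


# Constructed link setup: untrusted Wi-Fi as default route, VPN for one zone.
LINKS: Links = {
    "wlan0": (),
    "tun0": ("corp.example",),
}


def spoofing_scenario() -> Tuple[Optional[str], Optional[str]]:
    """A local attacker on wlan0 races the real resolver for a signed name.
    Returns (policy A result, policy B result)."""
    qname = "www.example.net"
    replies = [
        Reply("attacker on wlan0", "wlan0", 1, "203.0.113.66", "bogus"),
        Reply("isp resolver", "wlan0", 20, "198.51.100.10", "secure"),
        Reply("corp resolver", "tun0", 40, "198.51.100.10", "secure"),
    ]
    a = first_answer_wins(replies)
    b = scoped_and_validated(qname, replies, LINKS)
    return a.rdata, (b.rdata if b else None)


def split_dns_scenario() -> Tuple[Optional[str], Optional[str]]:
    """An internal, unsigned name: the public resolver answers NXDOMAIN fast
    (a validly signed denial, so validation alone would not save you);
    the VPN resolver answers correctly but later."""
    qname = "wiki.corp.example"
    replies = [
        Reply("isp resolver", "wlan0", 5, None, "secure"),
        Reply("corp resolver", "tun0", 40, "10.20.30.40", "insecure"),
    ]
    a = first_answer_wins(replies)
    b = scoped_and_validated(qname, replies, LINKS)
    return a.rdata, (b.rdata if b else None)


if __name__ == "__main__":
    print("spoofing  (first-wins, scoped+validated):", spoofing_scenario())
    print("split-DNS (first-wins, scoped+validated):", split_dns_scenario())
```

Under policy A the attacker's 1 ms bogus reply wins the first scenario and the public resolver's fast NXDOMAIN wins the second, which is exactly the "local attacker always wins" and split-DNS breakage the post warns about. Policy B shows that the fix needs both pieces: per-link scoping for the split-DNS case, and refusing bogus replies (rather than merely noting their status) for the spoofing case.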


