[dns-operations] systemd resolved ignores specified root

Mark Andrews marka at isc.org
Wed Sep 16 23:47:13 UTC 2020



> On 17 Sep 2020, at 08:36, Derek Wilson <jderekwilson at gmail.com> wrote:
> 
>>> Apparently the trailing dot "thing" never hits the wire?
>> 
>> it wouldn't matter. the trailing dot is implicit, so when explicit, it means
>> the same as being absent.
> 
> Is a trailing dot not counted as part of ndots? Either way, resolved
> picks and chooses which rtypes you can get back from a TLD regardless of
> trailing dot. I can get SOA and NS but not DS DNSKEY NSEC NSEC3 A or
> AAAA ... for SOA and NS I get NOERROR but for other things I get
> SERVFAIL ... which is ... confusing at best. application breaking at
> worst.

Trailing dot is UI not wire.

>> the common BIND8/BIND4/BSD client library also uses a trailing dot as a signal;
>> the signal is "do a query of the input string first, before trying the search
>> list". this is both weak and confusing, but it's the signal path we had.
> 
> That behavior makes sense to me but maybe that's because it's what I'm used to.

Actually if the name ends in a period, the name is tried “as is” and the search list
is NOT applied.  Interior periods are tried “as is” first then with the search list.
Dotless names are tried with the search list then as is.  ndots tweaks how many interior
dots are ignored for the last two cases.

It used to be that the search list was always tried first but that and default search
lists created security issues with fully qualified names being sent to the wrong machine.
There was the infamous *.edu.com, where all traffic to .edu sites from .com sites was
sent to .edu.com.  See RFC 1535.

Using partially qualified names creates similar issues where “internal” names suddenly
go to external sites as new TLDs and their subdomains come online.  Using foo.cs for
foo.cs.example.edu was a common example of this.  With lots of TLDs they have become
particularly unsafe as it becomes impractical to choose “safe” names.

Similarly not stopping searching on NODATA is also a security issue.

>> i've asked that postfix please add a trailing dot to the names it looks up,
>> because my dns trace logs show the search list being appended regardless of
>> the setting of "options ndots:N" in /etc/resolv.conf. perhaps this can happen,
>> because right now there's a huge exposure of private information (my search
>> list) to noncontracted parties.
> 
> adding the trailing dot would not change behavior on systemd-resolved
> as far as i understand. This behavior IMO will cause more inadvertent
> data leaks which is the opposite of the claim being made by systemd.

Applying a search list when the user/application has told the system not to is
a security risk.  Changing API behaviour to ignore well known mechanisms to do
this is a security risk.

>> getdnsapi.org offers a replacement for the OS library (or for the apps, since
>> apps are now doing their own DNS independent of the OS's settings). the best
>> single thing we could all do for dns goodness is to get systemd to adopt the
>> getdnsapi library, which is license-compatible. raise your voice _there_ if
>> you want the risk of improving the world.
> 
> I hadn't seen that... thanks for the link.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
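Added example (editor's addition, not part of Mark's message or of any real resolver library): a small Python model of the BIND/BSD stub-resolver rules described above, i.e. trailing dot means "as is" only, ndots decides whether the as-is query or the search list goes first, and searching stops on NODATA. It runs against a constructed in-memory record table instead of the network; the search list, the records, and the idea that ".cs" and "mail" have been delegated as TLDs are all assumptions made up for the demonstration, chosen to reproduce the foo.cs and NODATA problems the message describes.

```python
"""Which names a stub resolver sends on the wire, and in what order.

Constructed example: the record table below stands in for the DNS so the
walk can be run offline.  Nothing here is taken from glibc, BIND or systemd.
"""

NXDOMAIN, NODATA, NOERROR = "NXDOMAIN", "NODATA", "NOERROR"

# Assumed resolv.conf search list for a host in cs.example.edu.
SEARCH = ["cs.example.edu", "example.edu"]

# Constructed records: absolute name -> {rtype: [rdata]}.
# "foo.cs." and "mail." exist because, in this scenario, .cs and .mail have
# been delegated as TLDs (the "internal name goes external" case).
RECORDS = {
    "foo.cs.example.edu.": {"A": ["192.0.2.10"]},      # the intended host
    "foo.cs.":             {"A": ["203.0.113.77"]},    # external, not ours
    "mail.example.edu.":   {"A": ["192.0.2.25"]},      # A only: AAAA is NODATA
    "mail.":               {"AAAA": ["2001:db8::1"]},  # hypothetical TLD
}


def lookup(qname, qtype):
    """Stand-in for one query on the wire: (status, rdata)."""
    rrset = RECORDS.get(qname)
    if rrset is None:
        return NXDOMAIN, []          # name does not exist at all
    if qtype not in rrset:
        return NODATA, []            # name exists, no records of this type
    return NOERROR, rrset[qtype]


def candidates(name, search, ndots=1):
    """Absolute names a BIND/BSD-style stub tries for NAME, in order."""
    if name.endswith("."):
        return [name]                # trailing dot: as is, search list NOT applied
    as_is = name + "."
    searched = [f"{name}.{domain.strip('.')}." for domain in search]
    if name.count(".") >= ndots:
        return [as_is] + searched    # enough interior dots: as is first
    return searched + [as_is]        # dotless (under ndots): search list first


def resolve(name, qtype, search, ndots=1, stop_on_nodata=True):
    """Walk the candidates.  Returns (status, rdata, names sent on the wire)."""
    tried, last = [], NXDOMAIN
    for qname in candidates(name, search, ndots):
        tried.append(qname)
        last, rdata = lookup(qname, qtype)
        if last == NOERROR:
            return last, rdata, tried
        if last == NODATA and stop_on_nodata:
            return last, [], tried   # RFC 1535 behaviour: NODATA ends the search
    return last, [], tried


if __name__ == "__main__":
    # foo.cs with ndots:1 goes to the external TLD first; ndots:2 fixes it.
    print(resolve("foo.cs", "A", SEARCH, ndots=1))
    print(resolve("foo.cs", "A", SEARCH, ndots=2))
    # NODATA on mail.example.edu. must stop the walk; not stopping leaks the
    # query to "mail." and returns someone else's address.
    print(resolve("mail", "AAAA", SEARCH))
    print(resolve("mail", "AAAA", SEARCH, stop_on_nodata=False))
```

The two interesting return values are the list of names actually sent: with ndots:1 the first packet for foo.cs already leaves the organisation, and with stop_on_nodata disabled the third packet for a dotless "mail" does the same, which is the point Mark makes about NODATA.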