[dns-operations] systemd resolved ignores specified root
Derek Wilson
jderekwilson at gmail.com
Thu Sep 17 14:12:11 UTC 2020
> Actually if the name ends in a period, the name is tried “as is” and the search list
> is NOT applied.
I agree that this is how it should be, but systemd-resolved DOES NOT
DO THIS for single label names which is the whole problem here and in
the github issue.
On a systemd box, `uz.` is not treated as an FQDN and if `uz` does not
exist in a search domain, resolved will tell you SERVFAIL. For `dk.`
and `ai.` as well this is particularly at issue because all three of
these names have A records for IPs behind which their registries run
webservers.
What's super unexpected is this:
$ nslookup com.
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find com: SERVFAIL
Which exits 1 on a systemd Linux box but exits 0 with NODATA on a Mac. This
breaks stuff.
Maybe there are only a handful of use cases for which this breaks
things, but one of those use cases is security research around TLDs in
DNS which seems important.
> Applying a search list when the user/application has told the system not to is
> a security risk. Changing API behaviour to ignore well known mechanisms to do
> this is a security risk.
Agreed - this means systemd-resolved's treatment of TLDs with trailing
dots as not fully qualified is a security problem.
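As an added illustration (this is example code written for this page, not Derek's code and not systemd-resolved's implementation), the following Python models the rule the quoted reply states: a name ending in a period is absolute and is tried as-is, and only relative names get the search list applied (the resolv.conf ndots convention). Beside it is a model of the behaviour the post describes for single-label names, where the trailing dot on `uz.` is not honoured and the search list gets applied anyway. It also shows that `com.` and `uz.` encode to perfectly valid absolute names on the wire. The search domain `corp.example`, the ndots value and the function names are assumptions made for the example.

```python
"""
Added example: model of stub-resolver name expansion (not systemd-resolved code).

A name ending in '.' is absolute and is tried as-is; only relative names get
the search list appended (RFC 1535 / resolv.conf 'ndots' semantics). The
second expansion function models the behaviour the post describes, where a
single-label name with a trailing dot is still handled as a relative name.
Search domain 'corp.example' and ndots=1 are assumed values for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ResolverConfig:
    search: list[str] = field(default_factory=list)  # search domains, in order
    ndots: int = 1  # minimum dots for a relative name to be tried as-is first


def is_absolute(name: str) -> bool:
    """A trailing dot means fully qualified, whatever the label count ('uz.' included)."""
    return name.endswith(".")


def _with_search(name: str, cfg: ResolverConfig) -> list[str]:
    """Append each search domain to a relative name, producing absolute candidates."""
    return [f"{name}.{dom.strip('.')}." for dom in cfg.search]


def candidates(name: str, cfg: ResolverConfig) -> list[str]:
    """Names a correctly behaving stub resolver queries, in order."""
    if is_absolute(name):
        return [name]  # the user said "as-is": search list is NOT applied
    dots = name.count(".")
    if dots >= cfg.ndots:  # enough dots: try as-is first, then the search list
        return [name + "."] + _with_search(name, cfg)
    return _with_search(name, cfg) + [name + "."]  # search list first, as-is last


def candidates_single_label_relative(name: str, cfg: ResolverConfig) -> list[str]:
    """Model of the behaviour the post describes (not systemd-resolved's actual
    internals): a single-label name such as 'uz.' loses its trailing dot and is
    expanded like the relative name 'uz', so the search list is applied to a
    name the caller marked absolute. Multi-label names keep the correct rule."""
    bare = name.rstrip(".")
    if bare and "." not in bare:
        return candidates(bare, cfg)
    return candidates(name, cfg)


def encode_wire_name(name: str) -> bytes:
    """Encode an absolute name in DNS wire format: 'com.' -> b'\\x03com\\x00'.
    The root ('.') encodes as a single zero byte. Relative names are rejected
    because a stub must never put an un-qualified name on the wire."""
    if not is_absolute(name):
        raise ValueError(f"{name!r} is not absolute")
    labels = [] if name == "." else name[:-1].split(".")
    out = bytearray()
    for label in labels:
        if not label or len(label) > 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    if len(out) > 255:
        raise ValueError(f"{name!r} exceeds 255 octets on the wire")
    return bytes(out)


if __name__ == "__main__":
    cfg = ResolverConfig(search=["corp.example"], ndots=1)  # assumed config
    for query in ("uz.", "com.", "uz", "www.uz", "www.uz."):
        print(f"{query:10} correct: {candidates(query, cfg)}")
        print(f"{'':10} as described in the post: "
              f"{candidates_single_label_relative(query, cfg)}")
    print("wire form of 'com.':", encode_wire_name("com."))
```

Running it shows the divergence only for the single-label absolute names `uz.` and `com.`: the correct expansion tries just the TLD, while the modelled behaviour first asks for `uz.corp.example.`, which is exactly the leak of a deliberately fully-qualified name into a search domain that the quoted reply calls a security risk.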