[Bug 288011] Re: dns resolver does not support dnssec

Laurent Bonnaud L.Bonnaud at laposte.net
Sun Mar 12 17:28:53 UTC 2017


Ubuntu 17.04 now uses systemd-resolved to perform DNS resolution and
systemd-resolved does support DNSSEC:

# journalctl |grep DNSSEC
Mar 12 14:57:53 xeelee systemd-resolved[25023]: DNSSEC validation failed for question ubuntu.com IN DS: failed-auxiliary
Mar 12 14:57:53 xeelee systemd-resolved[25023]: DNSSEC validation failed for question ubuntu.com IN SOA: failed-auxiliary


** Changed in: glibc (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/288011

Title:
  dns resolver does not support dnssec

Status in glibc package in Ubuntu:
  Fix Released

Bug description:
  RES_USE_DNSSEC is not defined in /usr/include/resolv.h. Even if I do
  set bit 0x02000000 (the usual definition of this) in the options for
  res_query, and I have "options edns0" in my resolv.conf, I don't get
  an authenticated response from the server.

  I've attached a pcap file with three queries. The first is generated
  by DIG, and shows that the server is authenticating data when
  requested. The second and third were generated by OpenSSH. I note that
  the first and third queries appear to be identical except for the port
  number and request ID; from the trace I cannot see why the server
  authenticated the first response, but not the second.

  Anyway, this is a security issue for those of us who rely on DNSSEC.
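Added example (not code from the bug report or from glibc): a C program that asks the glibc stub resolver for DNSSEC (RES_USE_EDNS0 | RES_USE_DNSSEC, guarded by #ifdef because the resolv.h this bug was filed against lacked the macro) and inspects the AD bit of the reply header, which is the check the description performs with a pcap; the two sample headers are constructed, not captured traffic. Note that AD only says the upstream validating resolver (here systemd-resolved) vouched for the data; the stub resolver does no validation of its own, so the transport to that resolver must be trusted.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* Flag bits of the second 16-bit word of a DNS header (RFC 1035, RFC 4035). */
#define DNS_FLAG_AD 0x0020   /* Authenticated Data: validator asserts DNSSEC-verified answer */
#define DNS_FLAG_CD 0x0010   /* Checking Disabled */

/* Inspect the AD bit of a raw DNS response.
   Returns 1 if set, 0 if clear, -1 if shorter than the 12-byte fixed header. */
int dns_response_ad_bit(const unsigned char *msg, size_t len)
{
    if (len < NS_HFIXEDSZ)
        return -1;
    uint16_t flags = (uint16_t)((msg[2] << 8) | msg[3]);
    return (flags & DNS_FLAG_AD) ? 1 : 0;
}

/* Send an EDNS0 query with the DO bit through the stub resolver and report AD.
   Returns 1 = AD set, 0 = AD clear, -1 = query failed,
   -2 = this resolv.h has no RES_USE_DNSSEC (the condition this bug reported). */
int query_ad_status(const char *name, int type, unsigned char *buf, int buflen)
{
#ifndef RES_USE_DNSSEC
    (void)name; (void)type; (void)buf; (void)buflen;
    return -2;
#else
    if (res_init() != 0)
        return -1;
    _res.options |= RES_USE_EDNS0 | RES_USE_DNSSEC;   /* OPT record with DO=1 */
    int n = res_query(name, ns_c_in, type, buf, buflen);
    return n < 0 ? -1 : dns_response_ad_bit(buf, (size_t)n);
#endif
}

/* Constructed sample headers: id 0x1234, QR=1 RD=1 RA=1, rcode 0, one question. */
const unsigned char SAMPLE_HDR_AD[12]   = { 0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,1 };
const unsigned char SAMPLE_HDR_NOAD[12] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,1 };

int main(void)
{
    unsigned char answer[NS_PACKETSZ * 4];
    int r = query_ad_status("ubuntu.com", ns_t_soa, answer, sizeof answer);
    printf("ubuntu.com SOA: %s\n",
           r == 1 ? "AD set (validated upstream)" : r == 0 ? "AD clear (not validated)" :
           r == -1 ? "query failed" : "RES_USE_DNSSEC not defined in resolv.h");
    return 0;
}
```

On glibc older than 2.34 link with -lresolv; a validating recursive resolver must sit behind /etc/resolv.conf for AD to ever be set.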
