[Bug 1857639] Re: DNS server capability detection is broken and has critical consequences when DNSSEC is enabled
Avamander
avamander at gmail.com
Thu Dec 26 20:24:02 UTC 2019
** Description changed:
I'm running Ubuntu 19.10
I'm on latest version available from repositories, systemd 242
I'm expecting upstream DNS server capabilities being detected correctly
and DNSSEC to keep working. Alternatively I'd expect a method of
disabling capability checks instead of DNSSEC.
Currently instead resolved misdetect features suddenly, stops resolving
all together (fails closed, which is somewhat good). Capability reset is
a very temporary fix.
+
+ A suggested fix could be (ordered based on how nice of a solution it
+ is):
+
+ a. The capability detection is fixed
+ (https://github.com/systemd/systemd/issues/9384)
+
+ b. Force-disabling capability detection exists
+ (https://github.com/systemd/systemd/issues/14435)
+
+ c. Patch Ubuntu version not to allow such a foot gun, update
+ documentation
+
+ d. Remove DNSSEC from resolved
** Description changed:
I'm running Ubuntu 19.10
I'm on latest version available from repositories, systemd 242
I'm expecting upstream DNS server capabilities being detected correctly
and DNSSEC to keep working. Alternatively I'd expect a method of
disabling capability checks instead of DNSSEC.
Currently instead resolved misdetect features suddenly, stops resolving
all together (fails closed, which is somewhat good). Capability reset is
a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it
is):
a. The capability detection is fixed
(https://github.com/systemd/systemd/issues/9384)
- b. Force-disabling capability detection exists
- (https://github.com/systemd/systemd/issues/14435)
+ b. Force-disabling capability detection exists (this is what I also
+ requested here: https://github.com/systemd/systemd/issues/14435)
c. Patch Ubuntu version not to allow such a foot gun, update
- documentation
+ documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved
--
https://bugs.launchpad.net/bugs/1857639
Title:
DNS server capability detection is broken and has critical
consequences when DNSSEC is enabled
Status in systemd:
Unknown
Status in systemd package in Ubuntu:
New
Bug description:
I'm running Ubuntu 19.10
I'm on latest version available from repositories, systemd 242
I'm expecting upstream DNS server capabilities being detected
correctly and DNSSEC to keep working. Alternatively I'd expect a
method of disabling capability checks instead of DNSSEC.
Currently, resolved instead misdetects features suddenly and stops
resolving altogether (fails closed, which is somewhat good).
Capability reset is a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it
is):
a. The capability detection is fixed
(https://github.com/systemd/systemd/issues/9384)
b. Force-disabling capability detection exists (this is what I also
requested here: https://github.com/systemd/systemd/issues/14435)
c. Patch Ubuntu version not to allow such a foot gun, update
documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved