[Bug 1796501] Re: systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Launchpad Bug Tracker
1796501 at bugs.launchpad.net
Thu Oct 10 23:29:50 UTC 2019
This bug was fixed in the package systemd - 242-7ubuntu2
---------------
systemd (242-7ubuntu2) eoan; urgency=medium
[ Bryan Quigley ]
* Update patch for resolved: Mitigate DVE-2018-0001, by retrying NXDOMAIN
without EDNS0. This disables the workaround if DNSSEC=yes.
Falls back directly to simple UDP instead of trying an intermediate.
(LP: #1796501)
Author: Bryan Quigley
File: debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2974114ed9b89ea922a23893e8eff70d5cac77fe
[ Balint Reczey ]
* Pass personality test even when i386 userland runs on amd64 kernel
File: debian/patches/debian/UBUNTU-test-Pass-personality-test-even-when-i386-userland-runs-o.patch
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=42e0bfc426f19430f6768ef4922a9531a345765f
* Refresh patches
Files:
- debian/patches/Revert-namespace-be-more-careful-when-handling-namespacin.patch
- debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch
- debian/patches/test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff8387be07322230e9afe87f1c767ee241e9a0e1
-- Balint Reczey <rbalint at ubuntu.com> Tue, 08 Oct 2019 22:31:17 +0200
** Changed in: systemd (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1796501
Title:
systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Status in systemd package in Ubuntu:
Fix Released
Status in systemd source package in Bionic:
In Progress
Status in systemd source package in Cosmic:
Won't Fix
Status in systemd source package in Disco:
In Progress
Bug description:
[impact]
an NXDOMAIN response from a dns server when systemd-resolved is
configured as DNSSEC=yes breaks dns resolution as it downgrades from
DNSSEC.
[test case]
see comment 9
[regression potential]
as with the original patch that introduced this problem, this has the
potential to break dns resolution.
[other info]
original description:
I ask systemd-resolved through dig to resolve the SOA of test.asdf. (doesn't exist) but it returns SERVFAIL instead of NXDOMAIN. It seems to do the following steps:
1. Ask upstream for SOA of test.asdf. with EDNS0, DO-bit and 4k size.
2. Ask upstream for SOA of test.asdf. with EDNS0 and DO-bit.
3. Ask upstream for SOA of test.asdf. with EDNS0.
4. Ask upstream for SOA of test.asdf. without EDNS0.
5. Repeat 1-4 for DS of test.asdf.
6. Repeat 1-5 for asdf.
7. Ask upstream for SOA of . with EDNS0, DO-bit and 4k size.
8. Ask upstream for DNSKEY of . with EDNS0, DO-bit and 4k size.
The upstream returns an unfragmented NXDOMAIN response for steps 1-6,
an unfragmented NOERROR response for step 7 and a fragmented NOERROR
response for step 8 which is the correct behaviour. DNSSEC records are
included in the response if the DO-bit in the request was set.
systemd-resolved should take the response from step 1 and start with
validation instead of starting useless retries with reduced feture
set. Step 3 and 4 are completely useless and probably lead to the
SERVFAIL because I have configured it with DNSSEC=yes to prevent
downgrade attacks.
This regression seems to be caused by the patch resolved-Mitigate-
DVE-2018-0001-by-retrying-NXDOMAIN-with.patch. The downgrade logic
should only be executed if it is configured as DNSSEC=allow-downgrade
or DNSSEC=no. See also
https://github.com/systemd/systemd/pull/8608#issuecomment-396927885.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796501/+subscriptions
More information about the foundations-bugs
mailing list