[Bug 2027797] Re: systemd-resolved DNSSEC implementation does not protect against cache poisoning
Seth Arnold
2027797 at bugs.launchpad.net
Fri Jul 14 17:24:43 UTC 2023
Thanks for the report; it's my understanding that "real" DNSSEC
deployments at sites that care will do all the DNSSEC enforcement with a
local recursor because the application APIs are immature /
underspecified / etc.
Such centralization also makes it far easier for the DNS operations team
to work around misconfigured DNSSEC systems in the wild by setting
Negative Trust Anchors on portions of the DNS tree (as described at
https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors )
when necessary.
Thanks
** Changed in: systemd (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/2027797
Title: systemd-resolved DNSSEC implementation does not protect against cache poisoning
Status in systemd package in Ubuntu: Confirmed
Bug description:
Steps required are at upstream issue
https://github.com/systemd/systemd/issues/25676.
Unfortunately it has been reported publicly for 3 years in
https://github.com/systemd/systemd/issues/15158, so no embargo makes
sense.
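The deployment Seth describes, with DNSSEC enforcement on a local recursor and a Negative Trust Anchor to bypass one broken subtree, as an added PowerDNS Recursor Lua configuration example (not from the bug thread and not PowerDNS's own documentation); the zone name, reason text and file path are constructed assumptions.

```lua
-- Added example, not part of the bug thread. PowerDNS Recursor Lua config.
-- Assumed recursor.conf settings that make this file take effect:
--   dnssec=validate
--   lua-config-file=/etc/powerdns/recursor.lua   (this file)
-- Stub clients (e.g. systemd-resolved with DNS=127.0.0.1 and DNSSEC=no)
-- forward all queries here, so validation happens once, in the recursor,
-- rather than in each application or stub resolver.

-- Negative Trust Anchor: names at or below this point are treated as
-- insecure, so a misconfigured zone (expired RRSIGs, bad DS record) keeps
-- resolving for users while the zone owner repairs it. Everything else in
-- the tree is still validated. The name and reason are constructed.
addNTA("broken-dnssec.example",
       "expired RRSIGs, zone owner notified (ticket PLACEHOLDER)")

-- An NTA is a temporary bypass, so tie it to a review date and remove it
-- once the zone validates again. This can be done here (delete the addNTA
-- line and reload), or at runtime without a restart:
--   rec_control clear-nta broken-dnssec.example
-- Listing the NTAs currently in effect:
--   rec_control get-ntas
```

Adding the NTA at runtime instead (`rec_control add-nta broken-dnssec.example "reason"`) does not survive a restart, which is why the persistent form above is the one to keep in configuration management.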