
DNSSEC doesn't prevent MITM #15158

Closed
BryanQuigley opened this issue Mar 18, 2020 · 9 comments · Fixed by #30549
Labels
dnssec downstream/fedora Tracking bugs for Fedora downstream/rhel Tracking bugs for RHEL resolve

Comments

@BryanQuigley

BryanQuigley commented Mar 18, 2020

systemd version the issue has been seen with

244.3-1ubuntu1 / v243.7-1.fc31

Used distribution

Primarily Ubuntu 20.04, but also tested with Fedora 31

Expected behaviour you didn't see

I expect DNSSEC=yes especially to protect against MITM attacks and fail to return anything if it's signed incorrectly. This is reproducible with any DNSSEC domain - another good example is mozilla.org.

Unexpected behaviour you saw

No indication at all that validation failed

Steps to reproduce the problem

  1. Pick a domain that is DNSSEC signed (mozilla.org/bryanquigley.com) and confirm you have it working with:

    resolvectl query bryanquigley.com
    bryanquigley.com: 2606:4700:3035::6812:23a6 -- link: enp34s0
    2606:4700:3030::6812:22a6 -- link: enp34s0
    104.18.35.166 -- link: enp34s0
    104.18.34.166 -- link: enp34s0
    -- Information acquired via protocol DNS in 159.1ms.
    -- Data is authenticated: yes

  2. sudo resolvectl flush-caches
  3. Add a DNS record on your DNS server for bryanquigley.com/mozilla.org to point to 1.0.0.0.
  4. resolvectl query bryanquigley.com

    bryanquigley.com: 2606:4700:3030::6812:22a6 -- link: enp34s0
    2606:4700:3035::6812:23a6 -- link: enp34s0
    1.0.0.0 -- link: enp34s0
    -- Information acquired via protocol DNS in 129.2ms.
    -- Data is authenticated: no

It just reports that data is not authenticated, when I think it should fail (or just report the IPv6 bit).

The DNS server in question (a home router in this case) is doing the right thing according to delv:
Normal:
delv bryanquigley.com @192.168.254.254
; fully validated
bryanquigley.com. 300 IN A 104.18.34.166
bryanquigley.com. 300 IN A 104.18.35.166
bryanquigley.com. 300 IN RRSIG A 13 2 300 20200319200516 20200317180516 34505 bryanquigley.com. psckwes4JdpZs7rmjh3rriOXGzwNLaImx6TCHGFsaNbJeKS49YYpgwdm HTmGSm9/p/ZnRU6o8hbGg2vOTYVj4A==

MITM:
delv bryanquigley.com @192.168.254.254
;; insecurity proof failed resolving 'bryanquigley.com/A/IN': 192.168.254.254#53
;; resolution failed: insecurity proof failed

@BryanQuigley
Author

Detailed log of resolvectl query bryanquigley.com with the incorrect IP entry in place:
Mar 26 09:00:15 desktop systemd-resolved[112341]: idn2_lookup_u8: bryanquigley.com → bryanquigley.com
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking up RR for bryanquigley.com IN A.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking up RR for bryanquigley.com IN AAAA.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=AddMatch cookie=4 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetNameOwner cookie=5 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.243 path=n/a interface=n/a member=n/a cookie=7 reply_cookie=5 signature=s error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Switching to DNS server 192.168.254.254 for interface enp34s0.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for bryanquigley.com IN AAAA
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 23326 for <bryanquigley.com IN AAAA> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 23326.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 23326.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 23326.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for bryanquigley.com IN A
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 39081 for <bryanquigley.com IN A> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 39081.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 39081.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 39081.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Got message type=method_return sender=org.freedesktop.DBus destination=:1.243 path=n/a interface=n/a member=n/a cookie=6 reply_cookie=4 signature=n/a error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Match type='signal',sender='org.freedesktop.DBus',path='/org/freedesktop/DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',arg0=':1.245' successfully installed.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 39081 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Verified we get a response at feature level UDP+EDNS0+DO from DNS server 192.168.254.254.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting SOA to validate transaction 39081 (bryanquigley.com, unsigned non-SOA/NS RRset <bryanquigley.com IN A 1.0.0.0>).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for bryanquigley.com IN SOA
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 55946 for <bryanquigley.com IN SOA> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 55946.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 55946.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 55946.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 23326 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DNSKEY to validate transaction 23326 (bryanquigley.com, RRSIG with key tag: 34505).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for bryanquigley.com IN DNSKEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 63174 for <bryanquigley.com IN DNSKEY> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 63174.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 63174.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 63174.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 55946 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DNSKEY to validate transaction 55946 (bryanquigley.com, RRSIG with key tag: 34505).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 63174 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 63174 (bryanquigley.com, DNSKEY with key tag: 34505).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for bryanquigley.com IN DS
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 15260 for <bryanquigley.com IN DS> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 15260.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 15260.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 15260.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 63174 (bryanquigley.com, DNSKEY with key tag: 2371).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 15260 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DNSKEY to validate transaction 15260 (bryanquigley.com, RRSIG with key tag: 56311).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for com IN DNSKEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 4769 for <com IN DNSKEY> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 4769.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 4769.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 4769.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 4769 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 4769 (com, DNSKEY with key tag: 56311).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for com IN DS
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 54129 for <com IN DS> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 54129.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 54129.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 54129.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 4769 (com, DNSKEY with key tag: 30909).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 54129 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DNSKEY to validate transaction 54129 (com, RRSIG with key tag: 33853).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Cache miss for . IN DNSKEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 18732 for <. IN DNSKEY> scope dns on enp34s0/.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using feature level UDP+EDNS0+DO+LARGE for transaction 18732.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Using DNS server 192.168.254.254 for transaction 18732.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sending query packet with id 18732.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Processing incoming packet on transaction 18732 (rcode=SUCCESS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 18732 (., DNSKEY with key tag: 20326).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 18732 (., DNSKEY with key tag: 48903).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Requesting DS to validate transaction 18732 (., DNSKEY with key tag: 33853).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 18732 (. IN DNSKEY).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at . IN DNSKEY 257 3 RSASHA256 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbz
Mar 26 09:00:15 desktop systemd-resolved[112341]: xeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlN
Mar 26 09:00:15 desktop systemd-resolved[112341]: Vz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3E
Mar 26 09:00:15 desktop systemd-resolved[112341]: gVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+
Mar 26 09:00:15 desktop systemd-resolved[112341]: sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXx
Mar 26 09:00:15 desktop systemd-resolved[112341]: uOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555
Mar 26 09:00:15 desktop systemd-resolved[112341]: KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Flags: SEP ZONE_KEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Key tag: 20326: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup . IN DNSKEY: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for . IN DNSKEY 7200s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for . IN DNSKEY 7200s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for . IN DNSKEY 7200s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 18732 for <. IN DNSKEY> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 54129 (com IN DS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at com IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup com IN DS: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for com IN DS 7200s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 54129 for <com IN DS> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 4769 (com IN DNSKEY).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at com IN DNSKEY 256 3 RSASHA256 AwEAAcpiOic4s641IPlBcMlBWA0FFomUWuKDWN5CzId/la4aA6
Mar 26 09:00:15 desktop systemd-resolved[112341]: 9RFpakRxPSZM8fegOQ+nYDrUY6UZkQRsowPr18b+MqyvHBUaT6
Mar 26 09:00:15 desktop systemd-resolved[112341]: CJUBkdRwlVcD/ikpcjvfGEiH5ttpDdZdS/YKZLBedh/uMCDLNS
Mar 26 09:00:15 desktop systemd-resolved[112341]: 0baJ+nfkmMZGkYGgnK9K8peU9unWbwAOrJlrK60flM84EUolII
Mar 26 09:00:15 desktop systemd-resolved[112341]: YD6s9g/FfyVB0tE86fE=
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Flags: ZONE_KEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Key tag: 56311: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup com IN DNSKEY: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for com IN DNSKEY 765s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for com IN DNSKEY 765s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 4769 for <com IN DNSKEY> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 15260 (bryanquigley.com IN DS).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at bryanquigley.com IN DS 2371 13 2 77ecae1e5d5dfeb67b8aabe232b43456c0d1849ccdb0ed6f77ed599760cb6c4d: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN DS: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN DS 7200s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 15260 for <bryanquigley.com IN DS> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 63174 (bryanquigley.com IN DNSKEY).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at bryanquigley.com IN DNSKEY 256 3 ECDSAP256SHA256
Mar 26 09:00:15 desktop systemd-resolved[112341]: oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMG
Mar 26 09:00:15 desktop systemd-resolved[112341]: PmM1x8fGAa2XhSA==
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Flags: ZONE_KEY
Mar 26 09:00:15 desktop systemd-resolved[112341]: -- Key tag: 34505: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN DNSKEY: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN DNSKEY 3600s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN DNSKEY 3600s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 63174 for <bryanquigley.com IN DNSKEY> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 23326 (bryanquigley.com IN AAAA).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at bryanquigley.com IN AAAA 2606:4700:3030::6812:22a6: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN AAAA: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN AAAA 300s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN AAAA 300s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 23326 for <bryanquigley.com IN AAAA> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 55946 (bryanquigley.com IN SOA).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at bryanquigley.com IN SOA dave.ns.cloudflare.com dns.cloudflare.com 2033673929 10000 2400 604800 3600: validated
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN SOA: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Added positive authenticated cache entry for bryanquigley.com IN SOA 3600s on enp34s0/INET/192.168.254.254
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 55946 for <bryanquigley.com IN SOA> on scope dns on enp34s0/* now complete with from network (authenticated).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Validating response from transaction 39081 (bryanquigley.com IN A).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Looking at bryanquigley.com IN A 1.0.0.0: no-signature
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN A: insecure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Not caching zero TTL cache entry: bryanquigley.com IN A
Mar 26 09:00:15 desktop systemd-resolved[112341]: Transaction 39081 for <bryanquigley.com IN A> on scope dns on enp34s0/* now complete with from network (unsigned).
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 23326.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sent message type=method_return sender=n/a destination=:1.245 path=n/a interface=n/a member=n/a cookie=6 reply_cookie=2 signature=a(iiay)st error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Sent message type=method_call sender=n/a destination=org.freedesktop.DBus path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=RemoveMatch cookie=7 reply_cookie=0 signature=s error-name=n/a error-message=n/a
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 39081.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 55946.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 63174.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 15260.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 4769.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 54129.
Mar 26 09:00:15 desktop systemd-resolved[112341]: Freeing transaction 18732.
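How the verdict in the log above should come out, and a check that flags this pattern in resolved debug logs; this is an added example, not systemd-resolved's own code. `verdict`, `find_unsigned_in_signed_zone` and the sample log excerpt are constructed here, and the scanner generalizes beyond this log to names below a zone apex by choosing the closest enclosing zone that has a DS verdict.

```python
"""Added example (not systemd-resolved's code): the DNSSEC verdict rule the
log above exposes, plus a scanner that flags the inconsistency in such logs.

RFC 4035 section 4.3: once the chain of trust yields a validated DS for a
zone, the zone is provably signed, so an unsigned or badly signed RRset from
it is Bogus. "Insecure" is only correct when a signed denial proves no DS.
"""
import re
from typing import Dict, List, Optional, Set, Tuple


def verdict(zone_ds_state: str, rrset_signed: bool, rrsig_valid: bool = False) -> str:
    """Verdict for one RRset given the state of its zone's DS record.

    zone_ds_state: "secure"   - a DS validated up to the trust anchor exists
                   "insecure" - authenticated denial proves there is no DS
                   "bogus"    - the DS chain itself failed to validate
    """
    if zone_ds_state == "insecure":
        return "insecure"          # provably unsigned zone: nothing to check
    if zone_ds_state == "bogus":
        return "bogus"
    if rrset_signed and rrsig_valid:
        return "secure"
    # Signed zone but no valid RRSIG covering the answer: must be rejected.
    # The log above shows resolved returning "insecure" at this point instead.
    return "bogus"


# Constructed excerpt of the systemd-resolved debug log quoted above.
SAMPLE_LOG = """\
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup . IN DNSKEY: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup com IN DS: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN DS: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN AAAA: secure
Mar 26 09:00:15 desktop systemd-resolved[112341]: Found verdict for lookup bryanquigley.com IN A: insecure
"""

VERDICT_RE = re.compile(r"Found verdict for lookup (\S+) IN (\S+): (\w+)")


def _closest_zone(name: str, zones: Set[str]) -> Optional[str]:
    """Longest zone in `zones` that is `name` itself or a parent of it."""
    best = None
    for z in zones:
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def find_unsigned_in_signed_zone(log_text: str) -> List[Tuple[str, str]]:
    """Return (name, rtype) pairs that resolved marked "insecure" although the
    closest enclosing zone had a DS record it had already validated as secure."""
    ds_state: Dict[str, str] = {}
    lookups = []
    for m in VERDICT_RE.finditer(log_text):
        name, rtype, v = m.groups()
        if rtype == "DS":
            ds_state[name] = v         # the DS verdict says whether the zone is signed
        elif rtype != "DNSKEY":
            lookups.append((name, rtype, v))
    findings = []
    for name, rtype, v in lookups:
        zone = _closest_zone(name, set(ds_state))
        if v == "insecure" and zone is not None and ds_state[zone] == "secure":
            findings.append((name, rtype))
    return findings


if __name__ == "__main__":
    print(verdict("secure", rrset_signed=False))        # bogus
    print(find_unsigned_in_signed_zone(SAMPLE_LOG))     # [('bryanquigley.com', 'A')]
```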

@dimyme

dimyme commented Oct 9, 2020

"systemd-resolved only supports opportunistic DNS over an encrypted channel. Opportunistic here means that it will reach out and connect over TLS when available, but it won’t verify that it’s connecting to the correct server; make it susceptible to the man-in-the-middle interception as described in "Actually secure DNS over TLS in Unbound." "
https://www.ctrl.blog/entry/systemd-resolved.html

manpage says: "Note that in "opportunistic" mode the resolver is not capable of authenticating the server, so it is vulnerable to "man-in-the-middle" attacks."

pothos added a commit to flatcar/baselayout that referenced this issue Dec 31, 2020
The DNSSEC downgrade has some problems like
systemd/systemd#10579
and there are a few other issues
like systemd/systemd#17406
and systemd/systemd#15158.
Particularly the failure to resolve in case of a downgrade is causing
problems in the test suite.
@vcunat

vcunat commented Jul 13, 2023

I don't mean to be aggressive (and I'm developing a kind-of competing SW), but overall I'm baffled by systemd's approach here. Incurring the extra costs of DNSSEC validation and still not getting its protection... to me personally that sounds worse than either extreme. By the nontrivial extra costs I mean performance to get the extra records, but also various bugs and issues, both in this code and other parties (e.g. when a legitimate domain just breaks its DNSSEC).

@pemensik
Contributor

What is more important, the default configuration in both Ubuntu and Fedora prevents correct DNSSEC validation by any tool or library on the system. Tools like delv or libraries like unbound or getdns fail, because the stub resolver pretends it does not understand DNSSEC queries. Only when DNSSEC validation is enabled in systemd does it allow DO-enabled queries to actually receive DNSSEC records from the upstream server.

If it did just DNSSEC-aware caching and did not pretend to do validation, it would be better IMO. Proper validation is not a simple task to implement. Even worse is when serious issues with it are reported and are ignored for 3 years!

@pemensik pemensik added downstream/rhel Tracking bugs for RHEL downstream/fedora Tracking bugs for Fedora labels Jul 13, 2023
@poettering
Member

I don't mean to be aggressive (and I'm developing a kind-of competing SW), but overall I'm baffled by the systemd's approach here. Incurring the extra costs of DNSSEC validation and still not getting its protection...

DNSSEC is off by default, for a reason.

@vcunat

vcunat commented Jul 14, 2023

I see "allow-downgrade" as the default: https://github.com/systemd/systemd/blob/main/meson_options.txt#L325

While it's right that "allow-downgrade" can't give the impression that it's resistant to MITM, my point about getting the worst of both worlds holds there.

@pemensik
Contributor

Both Ubuntu and Fedora change build default to off. Not sure what defaults are on other distributions.

@AgentOak

Fixed by #30549 since #25676 was a dup of this issue.

@pemensik
Contributor

The issue is not fixed by #30549 sufficiently, but I would propose to keep just #25676 open. It seems to have more important discussion contained.
