nss-resolve should return NOTFOUND rather than UNAVAIL on DNSSEC validation failure #4157
Closed
martinpitt added a commit to martinpitt/systemd that referenced this issue, Sep 16, 2016:
… failures It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation". The latter is much more like "host not found" (NXDOMAIN), so return UNAVAIL for these cases too. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Fixes systemd#4157
martinpitt added a commit to martinpitt/systemd that referenced this issue, Sep 16, 2016:
It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these cases too, and only keep UNAVAIL for the cases where we cannot handle the given address family. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage. This does not change behaviour if resolved is not running, as that already falls back to the "dns" glibc module. Fixes systemd#4157
martinpitt added a commit to martinpitt/systemd that referenced this issue, Oct 1, 2016:
It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these cases too, and only keep UNAVAIL for the cases where we cannot handle the given address family. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage. This does not change behaviour if resolved is not running, as that already falls back to the "dns" glibc module. Fixes systemd#4157
Submission type
systemd version the issue has been seen with
Used distribution
Ubuntu has configured nsswitch.conf as follows:
in order to get a fallback from libnss_resolve.so to libnss_dns.so if the former is missing for the current architecture. Unfortunately, by doing so, they broke DNSSEC validation: a validation failure also triggers the fallback, and the query will be retried through libnss_dns.so when it should fail. They also made NXDOMAIN lookups twice as slow, for the same reason.
The NXDOMAIN problem is simple enough to fix:
Unfortunately, this is insufficient to fix DNSSEC validation. On validation failures, libnss_resolve.so presently returns UNAVAIL, which glibc treats indistinguishably from libnss_resolve.so being missing.
The only way to fix this is for libnss_resolve.so to return NOTFOUND rather than UNAVAIL on validation failures. It needs to be impossible for an active network attacker to force libnss_resolve.so to return UNAVAIL (whether through an unsigned response, a totally bogus response, or no response at all).
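To make the fallback semantics concrete, here is an added example (not code from systemd, glibc or this issue) that models how glibc walks the modules on a `hosts:` line and applies `[STATUS=ACTION]` rules; the hosts lines and the per-module result tables are constructed for illustration, and the `merge` action is not modelled.

```python
"""Model of glibc's nsswitch.conf `[STATUS=ACTION]` handling for a `hosts:` line
(added example, not systemd or glibc code; `merge` is not modelled)."""
import re
STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: success stops the walk, every other status falls through.
DEFAULT_ACTIONS = {s: "return" if s == "SUCCESS" else "continue" for s in STATUSES}
TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")

def parse_hosts_line(line):
    """Return [(module, {status: action}), ...] for one nsswitch.conf line."""
    services = []
    for bracket, word in TOKEN.findall(line.split(":", 1)[1]):
        if word:
            services.append((word, dict(DEFAULT_ACTIONS)))
            continue
        actions = services[-1][1]  # a [...] group applies to the preceding module
        for rule in bracket.split():
            status, action = rule.split("=")
            negate = status.startswith("!")  # `!X=A` means "every status except X"
            status = status.lstrip("!").upper()
            for s in STATUSES:
                if (s == status) != negate:
                    actions[s] = action.lower()
    return services

def resolve(services, results):
    """Walk the modules; `results` maps module -> status it returns.
    A module missing from `results` counts as not installed (UNAVAIL)."""
    consulted, final = [], "NOTFOUND"
    for module, actions in services:
        final = results.get(module, "UNAVAIL")
        consulted.append(module)
        if actions[final] == "return":
            break
    return final, consulted

WITH_RULE = parse_hosts_line("hosts: files resolve [!UNAVAIL=return] dns")  # fallback rule from the issue
PLAIN = parse_hosts_line("hosts: files resolve dns")  # same line without the rule

def dnssec_failure_old():  # old nss-resolve: validation failure reported as UNAVAIL
    return resolve(WITH_RULE, {"files": "NOTFOUND", "resolve": "UNAVAIL", "dns": "SUCCESS"})

def dnssec_failure_fixed():  # fixed nss-resolve: validation failure reported as NOTFOUND
    return resolve(WITH_RULE, {"files": "NOTFOUND", "resolve": "NOTFOUND", "dns": "SUCCESS"})

def module_missing():  # foreign-architecture case: libnss_resolve.so not installed
    return resolve(WITH_RULE, {"files": "NOTFOUND", "dns": "SUCCESS"})

def nxdomain_plain():  # without the rule, an NXDOMAIN is needlessly retried via dns
    return resolve(PLAIN, {"files": "NOTFOUND", "resolve": "NOTFOUND", "dns": "NOTFOUND"})
```

With the old UNAVAIL behaviour the walk reaches the unvalidating `dns` module and the lookup "succeeds"; with NOTFOUND the `[!UNAVAIL=return]` rule stops the walk and the lookup fails, while a genuinely missing module still falls back to `dns`.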