nss-resolve should return NOTFOUND rather than UNAVAIL on DNSSEC validation failure #4157

Closed
andersk opened this Issue Sep 15, 2016 · 1 comment

@andersk
andersk commented Sep 15, 2016

Submission type

  • Bug report
  • Request for enhancement (RFE)

systemd version the issue has been seen with

231

Used distribution

Ubuntu 16.10

Ubuntu has configured nsswitch.conf as follows:

hosts: files resolve dns

in order to get a fallback from libnss_resolve.so to libnss_dns.so if the former is missing for the current architecture. Unfortunately, by doing so, they broke DNSSEC validation: a validation failure also triggers the fallback, and the query will be retried through libnss_dns.so when it should fail. They also made NXDOMAIN lookups twice as slow, for the same reason.

The NXDOMAIN problem is simple enough to fix:

hosts: files resolve [!UNAVAIL=return] dns

Unfortunately, this is insufficient to fix DNSSEC validation. On validation failures, libnss_resolve.so presently returns UNAVAIL, which glibc treats indistinguishably from libnss_resolve.so being missing.

The only way to fix this is for libnss_resolve.so to return NOTFOUND rather than UNAVAIL on validation failures. It needs to be impossible for an active network attacker to force libnss_resolve.so to return UNAVAIL (whether through an unsigned response, a totally bogus response, or no response at all).
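The following is an added example, not code from this issue, from systemd or from glibc: a small simulation of how glibc's NSS dispatcher walks an nsswitch.conf "hosts:" line, so the three configurations discussed above can be compared side by side. The action grammar follows glibc's documented `[STATUS=ACTION]` syntax and defaults (SUCCESS=return, everything else continue; the "merge" action is not modelled). The module results are constructed scenarios: "OLD_NSS_RESOLVE" stands for systemd 231 returning UNAVAIL on a DNSSEC validation failure, "FIXED_NSS_RESOLVE" for the proposed NOTFOUND, "MODULE_MISSING" for libnss_resolve.so not being loadable, and "NXDOMAIN" for a name that does not exist; the "dns" entry returning SUCCESS stands for the unsigned answer an on-path attacker can supply.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Status values as glibc's enum nss_status defines them. */
enum nss_status { NSS_TRYAGAIN = -2, NSS_UNAVAIL = -1, NSS_NOTFOUND = 0, NSS_SUCCESS = 1 };
enum nss_action { ACT_CONTINUE, ACT_RETURN };
#define STATUS_COUNT 4
#define IDX(st) ((int)(st) + 2)          /* map -2..1 onto array index 0..3 */
#define MAX_MODULES 8
static const char *STATUS_NAMES[STATUS_COUNT] = { "TRYAGAIN", "UNAVAIL", "NOTFOUND", "SUCCESS" };

/* Simulated answer of one NSS module for the queried name. A module that is
 * not listed in a table is treated as not loadable, i.e. UNAVAIL, which is
 * what glibc reports when libnss_<name>.so cannot be found. */
struct sim_result { const char *module; enum nss_status status; };
struct module_entry { char name[32]; enum nss_action action[STATUS_COUNT]; };
struct outcome { enum nss_status status; char module[32]; };

static int eqci(const char *s, size_t n, const char *lit) {   /* case-insensitive token compare */
    if (strlen(lit) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)s[i]) != toupper((unsigned char)lit[i])) return 0;
    return 1;
}

/* Parse one nsswitch.conf service list, e.g. "files resolve [!UNAVAIL=return] dns",
 * into module entries carrying per-status actions. Returns the module count or
 * -1 on a malformed line (unknown status/action, or a spec before any module). */
static int parse_nsswitch(const char *line, struct module_entry *mods, int max) {
    int count = 0;
    const char *p = line;
    while (*p) {
        while (isspace((unsigned char)*p)) p++;
        if (!*p) break;
        if (*p == '[') {                                  /* action spec for the previous module */
            const char *end = strchr(p, ']');
            if (!end || count == 0) return -1;
            for (p++; p < end; ) {
                while (p < end && isspace((unsigned char)*p)) p++;
                if (p >= end) break;
                int negate = (*p == '!');                 /* "!STATUS=act" applies to every other status */
                if (negate) p++;
                const char *eq = memchr(p, '=', (size_t)(end - p));
                if (!eq) return -1;
                int st = -1;
                for (int i = 0; i < STATUS_COUNT; i++)
                    if (eqci(p, (size_t)(eq - p), STATUS_NAMES[i])) st = i;
                const char *a = eq + 1, *aend = a;
                while (aend < end && !isspace((unsigned char)*aend)) aend++;
                enum nss_action act;
                if (eqci(a, (size_t)(aend - a), "return")) act = ACT_RETURN;
                else if (eqci(a, (size_t)(aend - a), "continue")) act = ACT_CONTINUE;
                else return -1;
                if (st < 0) return -1;
                for (int i = 0; i < STATUS_COUNT; i++)
                    if (negate ? i != st : i == st) mods[count - 1].action[i] = act;
                p = aend;
            }
            p = end + 1;
        } else {                                          /* a module name with glibc's default actions */
            size_t n = 0;
            while (p[n] && !isspace((unsigned char)p[n]) && p[n] != '[') n++;
            if (count == max || n >= sizeof mods[count].name) return -1;
            memcpy(mods[count].name, p, n);
            mods[count].name[n] = '\0';
            for (int i = 0; i < STATUS_COUNT; i++) mods[count].action[i] = ACT_CONTINUE;
            mods[count].action[IDX(NSS_SUCCESS)] = ACT_RETURN;
            count++;
            p += n;
        }
    }
    return count;
}

/* Walk the module list the way glibc's dispatcher does: consult each module in
 * order and stop as soon as the action for its status is "return". The outcome
 * records the final status and the module that produced it. */
static struct outcome nss_lookup(const char *line, const struct sim_result *sims, int nsims) {
    struct module_entry mods[MAX_MODULES];
    struct outcome out = { NSS_UNAVAIL, "" };
    int n = parse_nsswitch(line, mods, MAX_MODULES);
    for (int i = 0; i < n; i++) {
        out.status = NSS_UNAVAIL;                         /* not in the table: module could not be loaded */
        for (int j = 0; j < nsims; j++)
            if (strcmp(sims[j].module, mods[i].name) == 0) out.status = sims[j].status;
        strcpy(out.module, mods[i].name);
        if (mods[i].action[IDX(out.status)] == ACT_RETURN) break;
    }
    return out;
}

/* Constructed scenarios (assumptions for this example, not measured behaviour). */
static const struct sim_result OLD_NSS_RESOLVE[]   = { { "files", NSS_NOTFOUND }, { "resolve", NSS_UNAVAIL },  { "dns", NSS_SUCCESS } };
static const struct sim_result FIXED_NSS_RESOLVE[] = { { "files", NSS_NOTFOUND }, { "resolve", NSS_NOTFOUND }, { "dns", NSS_SUCCESS } };
static const struct sim_result MODULE_MISSING[]    = { { "files", NSS_NOTFOUND }, { "dns", NSS_SUCCESS } };
static const struct sim_result NXDOMAIN[]          = { { "files", NSS_NOTFOUND }, { "resolve", NSS_NOTFOUND }, { "dns", NSS_NOTFOUND } };
#define UBUNTU_LINE   "files resolve dns"
#define HARDENED_LINE "files resolve [!UNAVAIL=return] dns"

int main(void) {
    struct { const char *line; const struct sim_result *sims; int n; const char *what; } cases[] = {
        { UBUNTU_LINE,   OLD_NSS_RESOLVE,   3, "DNSSEC failure, Ubuntu line, systemd 231" },
        { HARDENED_LINE, OLD_NSS_RESOLVE,   3, "DNSSEC failure, [!UNAVAIL=return], systemd 231" },
        { HARDENED_LINE, FIXED_NSS_RESOLVE, 3, "DNSSEC failure, [!UNAVAIL=return], NOTFOUND fix" },
        { HARDENED_LINE, MODULE_MISSING,    2, "module missing, [!UNAVAIL=return]" },
        { UBUNTU_LINE,   NXDOMAIN,          3, "NXDOMAIN, Ubuntu line" },
        { HARDENED_LINE, NXDOMAIN,          3, "NXDOMAIN, [!UNAVAIL=return]" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = nss_lookup(cases[i].line, cases[i].sims, cases[i].n);
        printf("%-48s -> %s from \"%s\"\n", cases[i].what, STATUS_NAMES[IDX(o.status)], o.module);
    }
    return 0;
}
```

Running it shows the point of the report: with systemd 231 semantics both the plain Ubuntu line and the `[!UNAVAIL=return]` line end with SUCCESS from "dns" (the unsigned answer wins), whereas once a validation failure is reported as NOTFOUND the same hardened line stops at "resolve", while a genuinely missing module still falls through to "dns". The NXDOMAIN rows show the second query that the plain line costs and the hardened line avoids.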

@martinpitt
Contributor

Indeed, UNAVAIL applies to the NSS module, or (depending on your interpretation) to "the queried DNS server does not exist", but not to "the DNS name is invalid" (not existing or failed validation) -- that's clearly NOTFOUND. Thanks for spotting!

@martinpitt martinpitt added the resolve label Sep 16, 2016
@martinpitt martinpitt self-assigned this Sep 16, 2016
@martinpitt martinpitt added a commit to martinpitt/systemd that referenced this issue Sep 16, 2016
@martinpitt martinpitt nss-resolve: return NOTFOUND instead of UNAVAIL for DNSSEC validation failures

It needs to be possible to tell apart "the nss-resolve module does not exist"
(which can happen when running foreign-architecture programs) from "the queried
DNS name failed DNSSEC validation". The latter is much more like "host not
found" (NXDOMAIN), so return UNAVAIL for these cases too.

This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns".

Fixes #4157
7812fc3
@martinpitt martinpitt added the has-pr label Sep 16, 2016
@martinpitt martinpitt added a commit to martinpitt/systemd that referenced this issue Sep 16, 2016
@martinpitt martinpitt nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors
It needs to be possible to tell apart "the nss-resolve module does not exist"
(which can happen when running foreign-architecture programs) from "the queried
DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these
cases too, and only keep UNAVAIL for the cases where we cannot handle the given
address family.

This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage.

This does not change behaviour if resolved is not running, as that already
falls back to the "dns" glibc module.

Fixes #4157
3aafe1a
@martinpitt martinpitt added a commit to martinpitt/systemd that referenced this issue Oct 1, 2016
@martinpitt martinpitt nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors
It needs to be possible to tell apart "the nss-resolve module does not exist"
(which can happen when running foreign-architecture programs) from "the queried
DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these
cases too, and only keep UNAVAIL for the cases where we cannot handle the given
address family.

This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage.

This does not change behaviour if resolved is not running, as that already
falls back to the "dns" glibc module.

Fixes #4157
d724751
@keszybz keszybz closed this in #4164 Oct 1, 2016