RFE: Certificate checking for resolved's DNS over TLS feature #9397

Open
shibumi opened this Issue Jun 24, 2018 · 2 comments

3 participants
shibumi commented Jun 24, 2018

Since systemd 239, systemd-resolved supports DNS over TLS. Currently (systemd version 239) systemd-resolved does not do certificate checking for DNS servers, as covered in this PR: #8849

This issue is for keeping track of certificate checking for DNS over TLS.
One possible solution could be to add a new format for the DNS servers in the /etc/systemd/resolved.conf file. A possible solution would be an IP/hostname tuple. This would allow hostname-based certificate validation. More details about this idea here: #8849 (comment)

Contributor

ott commented Aug 31, 2018

I would recommend not to use IP address/hostname tuples.

I think there are two possibilities: either an IP address of the DNS server or the hostname of the upstream resolver are provided. The Baseline Requirements of the CA/Browser Forum allow certificates to be issued for IP addresses and hostnames, so both are possible. For example, Cloudflare's DNS resolvers have an X.509 certificate with the following Subject Alternative Name: DNS:*.cloudflare-dns.com, IP Address:1.1.1.1, IP Address:1.0.0.1, DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001.

If just the hostname is known, it might be required to resolve it first over unencrypted DNS or some form of unencrypted multicast DNS. Nonetheless, I don't think that it will cause major problems.

However, it might be harder to operate a DNS resolver that supports DNS over TLS and which has IP addresses which are made public over DHCP or IPv6 RA Options. It seems that not all CAs will issue certificates for IP addresses, in particular Let's Encrypt does not. RFC 8106 and RFC 3646 also just allow IP addresses and not hostnames. It gets particularly bad if the DNS resolvers just have link-local or private IP addresses. No CA will issue certificates for them.
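The two identity models discussed in this thread (the IP/hostname tuple proposed in the opening post, and ott's point that a certificate can carry either DNS or IP Address SAN entries, so one identifier is enough) can be made concrete with a small name-matching routine. The following is an added example, not code from systemd or from anyone in this issue. It takes the Subject Alternative Name list quoted above for Cloudflare's resolver as constructed sample data, parses an upstream entry in a hypothetical `ADDRESS#HOSTNAME` form (the `#` separator is an assumption made for this example, not a documented resolved.conf syntax), and decides which SAN entry, if any, would authenticate the server. IPv6 comparison goes through the `ipaddress` module so that `2606:4700:4700::1111` matches the expanded form in the certificate; wildcard matching follows the RFC 6125 rule that `*` may only stand for one whole leftmost label. Matching is deliberately simplified (no IDNA, no CN fallback).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: the SAN list of Cloudflare's resolver certificate as
# quoted in this issue, represented as (type, value) pairs.
CLOUDFLARE_SAN: List[Tuple[str, str]] = [
    ("DNS", "*.cloudflare-dns.com"),
    ("IP Address", "1.1.1.1"),
    ("IP Address", "1.0.0.1"),
    ("DNS", "cloudflare-dns.com"),
    ("IP Address", "2606:4700:4700:0:0:0:0:1111"),
    ("IP Address", "2606:4700:4700:0:0:0:0:1001"),
]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class UpstreamServer:
    address: IPAddress          # where the TLS connection goes
    hostname: Optional[str]     # optional name to verify the certificate against


def parse_dns_entry(entry: str) -> UpstreamServer:
    """Parse 'ADDRESS' or 'ADDRESS#HOSTNAME' (the '#' form is hypothetical)."""
    address, _, hostname = entry.strip().partition("#")
    return UpstreamServer(ipaddress.ip_address(address), hostname or None)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a wildcard is accepted only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        head, sep, tail = hostname.partition(".")
        # exactly one label is covered by '*', and it must be non-empty
        return sep == "." and head != "" and tail == suffix
    return False


def ip_matches(san_value: str, address: IPAddress) -> bool:
    """Compare an 'IP Address' SAN entry with the configured address,
    normalising both so that compressed and expanded IPv6 forms agree."""
    try:
        return ipaddress.ip_address(san_value) == address
    except ValueError:
        return False


def identity_check(server: UpstreamServer,
                   san: List[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return the SAN entry that authenticates the server, or None.

    If a hostname is configured, only DNS entries count; the IP address is
    then just the transport endpoint. Without a hostname, the certificate
    must name the address itself, which is exactly the case that fails for
    link-local or private resolver addresses: no SAN can match them."""
    if server.hostname is not None:
        for kind, value in san:
            if kind == "DNS" and dns_name_matches(value, server.hostname):
                return (kind, value)
        return None
    for kind, value in san:
        if kind == "IP Address" and ip_matches(value, server.address):
            return (kind, value)
    return None


if __name__ == "__main__":
    for entry in ("1.1.1.1#cloudflare-dns.com", "2606:4700:4700::1111",
                  "1.0.0.1#dns.cloudflare-dns.com", "192.168.1.1"):
        print(entry, "->", identity_check(parse_dns_entry(entry), CLOUDFLARE_SAN))
```

The last sample entry, a private address with no hostname, is the case ott describes: the connection can be made, but nothing in any publicly issued certificate can name `192.168.1.1`, so the check returns `None` and a resolver enforcing validation would have to refuse the server or fall back to an unauthenticated mode.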

Contributor

ott commented Aug 31, 2018

It seems that it also has implications for #5873.
