
resolve: enable RES_TRUSTAD towards the 127.0.0.53 stub resolver #16072

Merged
merged 1 commit into from
Jun 6, 2020

Conversation

YmrDtnJu
Contributor

@YmrDtnJu YmrDtnJu commented Jun 5, 2020

glibc 2.31 strips the AD flag, unless either the application specifies RES_TRUSTAD or the options in resolv.conf contain trust-ad.

See https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD

The DNS stub resolver will optionally send the AD (authenticated data) bit
in queries if the trust-ad option is set via the options directive in
/etc/resolv.conf (or if RES_TRUSTAD is set in _res.options). In this
mode, the AD bit, as provided by the name server, is available to
applications which call res_search and related functions. In the default
mode, the AD bit is not set in queries, and it is automatically cleared in
responses, indicating a lack of DNSSEC validation. (Therefore, the name
servers and the network path to them are treated as untrusted.)

As far as I can read the code in glibc that parses the options option in resolv.conf, older versions of glibc will simply ignore trust-ad as an unknown option.
See https://github.com/bminor/glibc/blob/7455b700279ec8baccf8dd7b119648f8b3e34eec/resolv/res_init.c#L645
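As an added illustration (not code from this PR, systemd or glibc), here is a small Python model of the client-side behaviour described above: glibc 2.31 clears the AD bit in responses unless `trust-ad` appears in the resolv.conf `options` directive or the application sets RES_TRUSTAD, while older glibc ignores the unknown token and passes the flag through. The resolv.conf parsing is a simplified approximation of res_init, and the DNS header bytes are constructed sample data.

```python
import struct

# Constructed sample: a 12-byte DNS response header with ID 0x1234 and
# flags QR|RD|RA|AD (0x81A0), 1 question, 1 answer, 0 authority, 0 additional.
SAMPLE_RESPONSE_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

AD_FLAG = 0x0020  # Authenticated Data bit in the DNS header flags word
STUB_RESOLVER = "127.0.0.53"  # systemd-resolved stub listener


def parse_resolv_options(text):
    """Collect the tokens of every 'options' line (simplified res_init model).

    Tokens are whitespace separated; full-line '#' or ';' comments are skipped.
    glibc before 2.31 does not know 'trust-ad' and silently ignores it.
    """
    opts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        if parts[0] == "options":
            opts.update(parts[1:])
    return opts


def nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def ad_bit_seen_by_app(response_header, resolv_conf,
                       glibc_version=(2, 31), res_trustad=False):
    """Model what an application calling res_search observes for the AD bit.

    Only the client-side clearing is modelled: glibc >= 2.31 strips AD from the
    response unless trust-ad (resolv.conf) or RES_TRUSTAD (_res.options) is set.
    """
    flags = struct.unpack("!H", response_header[2:4])[0]
    trusted = res_trustad or "trust-ad" in parse_resolv_options(resolv_conf)
    if glibc_version >= (2, 31) and not trusted:
        flags &= ~AD_FLAG  # DNSSEC validation result is hidden from the app
    return bool(flags & AD_FLAG)


def stub_resolv_conf_needs_trust_ad(text):
    """True if the file points at the 127.0.0.53 stub but lacks trust-ad,
    i.e. resolved's validation result would be discarded by glibc 2.31."""
    return STUB_RESOLVER in nameservers(text) and \
        "trust-ad" not in parse_resolv_options(text)
```

`stub_resolv_conf_needs_trust_ad` is the check one would run over both /etc/resolv.conf and the dynamically generated /run/systemd/resolve/stub-resolv.conf that the review comment below refers to.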

@keszybz
Member

keszybz commented Jun 5, 2020

Looks reasonable, but the same change should be done to /run/systemd/resolve/stub-resolv.conf which is generated dynamically in src/resolve/resolved-resolv-conf.c.

@keszybz keszybz added resolve reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels Jun 5, 2020
glibc 2.31 strips the AD flag, unless either the application specifies
RES_TRUSTAD or the options in resolv.conf contain trust-ad.

See https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=NEWS;hb=HEAD
@YmrDtnJu
Contributor Author

YmrDtnJu commented Jun 5, 2020

Done.

I don't think that we need to make the option conditional on anything. If resolved does not do DNSSEC validation, the AD bit will not be set anyway.

@keszybz keszybz added good-to-merge/waiting-for-ci 👍 PR is good to merge, but CI hasn't passed at time of review. Please merge if you see CI has passed and removed reviewed/needs-rework 🔨 PR has been reviewed and needs another round of reworks labels Jun 5, 2020
@DaanDeMeyer
Contributor

CI failure seems unrelated.

@DaanDeMeyer DaanDeMeyer merged commit a742f98 into systemd:master Jun 6, 2020
@YmrDtnJu YmrDtnJu deleted the glibc_dnssec branch June 6, 2020 09:45