[Bug 1796501] Re: systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Bryan Quigley
bryan.quigley at canonical.com
Fri Sep 20 15:23:45 UTC 2019
Yes, if we can get it into dev, I'd happily make debdiffs to SRU it to
bionic/disco.
>And please just that alone?
Yes, just updating the patch to your latest version. I'm ok if it needs to be queued up for SRU with other systemd changes if that's what you are getting at.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1796501
Title:
systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Status in systemd package in Ubuntu:
In Progress
Status in systemd source package in Bionic:
In Progress
Status in systemd source package in Cosmic:
Won't Fix
Status in systemd source package in Disco:
In Progress
Bug description:
I ask systemd-resolved through dig to resolve the SOA of test.asdf. (doesn't exist) but it returns SERVFAIL instead of NXDOMAIN. It seems to do the following steps:
1. Ask upstream for SOA of test.asdf. with EDNS0, DO-bit and 4k size.
2. Ask upstream for SOA of test.asdf. with EDNS0 and DO-bit.
3. Ask upstream for SOA of test.asdf. with EDNS0.
4. Ask upstream for SOA of test.asdf. without EDNS0.
5. Repeat 1-4 for DS of test.asdf.
6. Repeat 1-5 for asdf.
7. Ask upstream for SOA of . with EDNS0, DO-bit and 4k size.
8. Ask upstream for DNSKEY of . with EDNS0, DO-bit and 4k size.
The upstream returns an unfragmented NXDOMAIN response for steps 1-6,
an unfragmented NOERROR response for step 7 and a fragmented NOERROR
response for step 8 which is the correct behaviour. DNSSEC records are
included in the response if the DO-bit in the request was set.
systemd-resolved should take the response from step 1 and start with
validation instead of starting useless retries with reduced feture
set. Step 3 and 4 are completely useless and probably lead to the
SERVFAIL because I have configured it with DNSSEC=yes to prevent
downgrade attacks.
This regression seems to be caused by the patch resolved-Mitigate-
DVE-2018-0001-by-retrying-NXDOMAIN-with.patch. The downgrade logic
should only be executed if it is configured as DNSSEC=allow-downgrade
or DNSSEC=no. See also
https://github.com/systemd/systemd/pull/8608#issuecomment-396927885.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796501/+subscriptions
More information about the foundations-bugs
mailing list