[Bug 1857639] Re: DNS server capability detection is broken and has critical consequences when DNSSEC is enabled
Dan Streetman
ddstreet at canonical.com
Tue Jan 7 16:53:45 UTC 2020
Can you post logs from when the capability mis-detection happens? What
indication do you have that is what's happening? How do you have DNSSEC
configured?
** Changed in: systemd (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1857639
Title:
DNS server capability detection is broken and has critical
consequences when DNSSEC is enabled
Status in systemd:
New
Status in systemd package in Ubuntu:
Incomplete
Bug description:
I'm running Ubuntu 19.10
I'm on latest version available from repositories, systemd 242
I'm expecting upstream DNS server capabilities to be detected
correctly and DNSSEC to keep working. Alternatively I'd expect a
method of disabling capability checks instead of DNSSEC.
Currently, instead, resolved suddenly misdetects features and stops
resolving altogether (fails closed, which is somewhat good).
Capability reset is a very temporary fix.
A suggested fix could be (ordered based on how nice of a solution it
is):
a. The capability detection is fixed
(https://github.com/systemd/systemd/issues/9384)
b. Force-disabling capability detection exists (this is what I also
requested here: https://github.com/systemd/systemd/issues/14435)
c. Patch Ubuntu version not to allow such a foot gun, update
documentation (this is theoretically what Ubuntu could do meanwhile)
d. Remove DNSSEC from resolved