[Bug 1796501] Re: systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Dimitri John Ledkov
launchpad at surgut.co.uk
Fri Sep 20 09:41:59 UTC 2019
@bryanquigley are you going to SRU that?
And please just that alone?
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
systemd-resolved tries to mitigate DVE-2018-0001 even if DNSSEC=yes
Status in systemd package in Ubuntu:
Status in systemd source package in Bionic:
Status in systemd source package in Cosmic:
Status in systemd source package in Disco:
I ask systemd-resolved through dig to resolve the SOA of test.asdf. (doesn't exist) but it returns SERVFAIL instead of NXDOMAIN. It seems to do the following steps:
1. Ask upstream for SOA of test.asdf. with EDNS0, DO-bit and 4k size.
2. Ask upstream for SOA of test.asdf. with EDNS0 and DO-bit.
3. Ask upstream for SOA of test.asdf. with EDNS0.
4. Ask upstream for SOA of test.asdf. without EDNS0.
5. Repeat 1-4 for DS of test.asdf.
6. Repeat 1-5 for asdf.
7. Ask upstream for SOA of . with EDNS0, DO-bit and 4k size.
8. Ask upstream for DNSKEY of . with EDNS0, DO-bit and 4k size.
The upstream returns an unfragmented NXDOMAIN response for steps 1-6,
an unfragmented NOERROR response for step 7 and a fragmented NOERROR
response for step 8 which is the correct behaviour. DNSSEC records are
included in the response if the DO-bit in the request was set.
systemd-resolved should take the response from step 1 and start with
validation instead of starting useless retries with reduced feture
set. Step 3 and 4 are completely useless and probably lead to the
SERVFAIL because I have configured it with DNSSEC=yes to prevent
This regression seems to be caused by the patch resolved-Mitigate-
DVE-2018-0001-by-retrying-NXDOMAIN-with.patch. The downgrade logic
should only be executed if it is configured as DNSSEC=allow-downgrade
or DNSSEC=no. See also
To manage notifications about this bug go to:
More information about the Ubuntu-sponsors