Package: systemd
Version: 247.3-5

Dear Maintainer,

Queries made via the systemd-resolved stub resolver do not have the RRSIG response returned through the stub, breaking the chain of trust and preventing applications, such as network diagnostic tools, from validating DNSSEC signatures themselves.

This is evident in the response from delv when using the stub, but I include the same request against an external server for completeness:

$ delv debian.org
;; no valid RRSIG resolving 'org/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'debian.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv @9.9.9.9 debian.org
; fully validated
debian.org.             272     IN      A       128.31.0.62
debian.org.             272     IN      A       130.89.148.77
debian.org.             272     IN      A       149.20.4.15
debian.org. 272 IN RRSIG A 8 2 300 20210608052940 20210429052640 29400 debian.org. uGq/M6eLdmXBdh9muHTx3QzJxDfybZCCXvNGPsGJtYi8sR10yThgyoKN 87UpPEDyP5NbNrPEAjyaC/H2vkPsUUC+wypW3aoSSFt4CoJxVXa/arpE POXqokKZ8l/YFWU68tejC5dvgqp2CeJkEfceUb6Nh9Y5F9U2zjQrjDxj +SwVJD+kJjF+A88kZ/Cr+oFdkuWq/N/06Hxhx6c+mIoD2OZuV5lc0Zg3 U6ah8LAym+XRdqcj4zcom5lXszhqzhYs


Less dramatic with dig +dnssec in the omission of the RRSIG answer in the stub response:

$ dig +dnssec debian.org

; <<>> DiG 9.16.13-Debian <<>> +dnssec debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             91      IN      A       149.20.4.15
debian.org.             91      IN      A       130.89.148.77
debian.org.             91      IN      A       128.31.0.62

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed May 05 19:50:19 BST 2021
;; MSG SIZE  rcvd: 87


$ dig @9.9.9.9 +dnssec debian.org

; <<>> DiG 9.16.13-Debian <<>> @9.9.9.9 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;debian.org.                    IN      A

;; ANSWER SECTION:
debian.org.             300     IN      A       128.31.0.62
debian.org.             300     IN      A       130.89.148.77
debian.org.             300     IN      A       149.20.4.15
debian.org. 300 IN RRSIG A 8 2 300 20210608052940 20210429052640 29400 debian.org. uGq/M6eLdmXBdh9muHTx3QzJxDfybZCCXvNGPsGJtYi8sR10yThgyoKN 87UpPEDyP5NbNrPEAjyaC/H2vkPsUUC+wypW3aoSSFt4CoJxVXa/arpE POXqokKZ8l/YFWU68tejC5dvgqp2CeJkEfceUb6Nh9Y5F9U2zjQrjDxj +SwVJD+kJjF+A88kZ/Cr+oFdkuWq/N/06Hxhx6c+mIoD2OZuV5lc0Zg3 U6ah8LAym+XRdqcj4zcom5lXszhqzhYs

;; Query time: 15 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed May 05 19:50:44 BST 2021
;; MSG SIZE  rcvd: 321


I've found a series of issues [1, 2] had already been opened upstream for this along with a related issue concerning a (possibly) incorrect return type [3]. Fixes for all have been committed in the v248 tag [4-6], but it should be noted that the bulk of the fix [4] is fairly substantial, so I'm not sure whether there is any appetite to patch bullseye post-release.

Cheers,
Phil


[1] https://github.com/systemd/systemd/issues/4621
[2] https://github.com/systemd/systemd/issues/18714
[3] https://github.com/systemd/systemd/issues/17218
[4] https://github.com/systemd/systemd/commit/775ae35403f8f3c01b7ac13387fe8aac1759993f
[5] https://github.com/systemd/systemd/commit/048e04337571c8ac68a12fcb02a82db58bab22ca
[6] https://github.com/systemd/systemd/commit/30ee7071703226bf84e69f983ad1c08283e4b891

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
 APT prefers testing-security
 APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd depends on:
ii  adduser                          3.118
ii  libacl1                          2.2.53-10
ii  libapparmor1                     2.13.6-10
ii  libaudit1                        1:3.0-2
ii  libblkid1                        2.36.1-7
ii  libc6                            2.31-11
ii  libcap2                          1:2.44-1
ii  libcrypt1                        1:4.4.18-2
ii  libcryptsetup12                  2:2.3.5-1
ii  libgcrypt20                      1.8.7-3
ii  libgnutls30                      3.7.1-3
ii  libgpg-error0                    1.38-2
ii  libip4tc2                        1.8.7-1
ii  libkmod2                         28-1
ii  liblz4-1                         1.9.3-1
ii  liblzma5                         5.2.5-2
ii  libmount1                        2.36.1-7
ii  libpam0g                         1.4.0-7
ii  libseccomp2                      2.5.1-1
ii  libselinux1                      3.1-3
ii  libsystemd0                      247.3-5
ii  libzstd1                         1.4.8+dfsg-2.1
ii  mount                            2.36.1-7
ii  systemd-timesyncd [time-daemon]  247.3-5
ii  util-linux                       2.36.1-7

Versions of packages systemd recommends:
ii  dbus  1.12.20-2

Versions of packages systemd suggests:
ii  policykit-1        0.105-30
pn  systemd-container  <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.140
ii  libnss-systemd   247.3-5
ii  libpam-systemd   247.3-5
ii  udev             247.3-5

-- no debconf information
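The report above shows the symptom with dig and delv. The following script is an added example, not part of the bug report and not systemd or BIND code: it builds the same kind of query dig +dnssec sends (RD set, EDNS0 OPT record with the DO bit) and parses a wire-format response to report whether the AD flag is set and whether an RRSIG record came back in the ANSWER section. The two responses it inspects are constructed inline (placeholder signature bytes, zeroed validity timestamps) so it runs offline; they mimic the shape of the stub's answer (A records only) and the external resolver's answer (A records plus RRSIG). Sending build_query() over UDP to 127.0.0.53 and passing the reply to inspect_response() reproduces the check against a live stub.

```python
"""Detect whether a resolver passes RRSIG records through on a DO-bit query.

Added example (not from the Debian bug report, systemd, or BIND). Responses
are constructed locally so the script runs offline.
"""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
EDNS_DO = 0x8000      # DO bit lives in the low 16 bits of the OPT TTL field
FLAG_AD = 0x0020      # "authentic data" bit in the header flags


def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Query with RD set plus an OPT pseudo-RR carrying DO (like dig +dnssec)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size in the CLASS field,
    # DO bit in the TTL field, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def inspect_response(msg):
    """Summarise rcode, AD flag and ANSWER-section record types of a reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip the question(s)
        _, offset = read_name(msg, offset)
        offset += 4
    types = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "answer_types": types, "has_rrsig": TYPE_RRSIG in types}


def build_response(name, addrs, include_rrsig, ad=True, txid=0x1234):
    """Construct a sample reply (not captured traffic) for offline inspection."""
    flags = 0x8180 | (FLAG_AD if ad else 0)            # QR, RD, RA (+AD)
    ancount = len(addrs) + (1 if include_rrsig else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    body = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    owner = b"\xc0\x0c"                                # pointer to QNAME at offset 12
    for addr in addrs:
        body += owner + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(addr)
    if include_rrsig:
        # RRSIG RDATA: type covered, algorithm 8, labels, original TTL,
        # expiration, inception, key tag, signer, signature (placeholder bytes).
        rdata = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 29400)
        rdata += encode_name(name) + b"\x00" * 16
        body += owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return header + body


if __name__ == "__main__":
    addrs = ["128.31.0.62", "130.89.148.77", "149.20.4.15"]
    samples = {"stub-style reply": build_response("debian.org", addrs, False),
               "validating-resolver reply": build_response("debian.org", addrs, True)}
    for label, reply in samples.items():
        print(label, inspect_response(reply))
```

The interesting combination is the first one: AD set but no RRSIG in the answer, which is exactly what the dig output above shows for 127.0.0.53, and which leaves a client that wants to validate for itself with nothing to validate.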
