Package: systemd-resolved
Version: 252.5-2
Severity: important

systemd-resolved now replaces /etc/resolv.conf to point to the stub resolver. This resolver is not equivalent to the existing external one in terms of DNSSEC checking.

The resolv.conf now includes "trust-ad"; however, the stub resolver does not provide the AD bit:

| % drill debian.org -D @fd67:11d:a2ed::1
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 39405
| ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
| % drill debian.org -D
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 65401
| ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

Only if I manually enable DNSSEC in /etc/systemd/resolved.conf with DNSSEC=(allow-downgrade|yes) is the AD bit properly provided:

| % drill debian.org -D
| ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60556
| ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

This means using the upstream resolver or the stub resolver is _not_ equivalent in the default config provided by Debian. Software that acts on the authentication info, like Postfix or openssh, suddenly lose that capability.

Bastian

-- 
Witch! Witch! They'll burn ya!
-- Hag, "Tomorrow is Yesterday", stardate unknown
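The mismatch the report describes (resolv.conf says `options trust-ad`, but the resolver behind `nameserver` never sets the AD bit) can be checked mechanically. The following is an added example, not part of the bug report or of systemd: it parses the 12-byte DNS header of a response, lists the flags the way drill prints them, reads `trust-ad` out of a resolv.conf, and reports whether an application relying on AD would actually get it. The DNS headers and the stub resolv.conf below are constructed samples that mirror the drill output quoted above; nothing is sent on the network.

```python
"""Compare what /etc/resolv.conf trusts (options trust-ad) against what the
resolver actually returns (the AD flag in the DNS header).

Added example for this bug report; constructed samples, runs offline.
"""
import struct

# Bit positions in the 16-bit DNS flags field, in the order drill prints them.
FLAG_NAMES = [
    (15, "qr"), (10, "aa"), (9, "tc"), (8, "rd"),
    (7, "ra"), (5, "ad"), (4, "cd"),
]


def parse_dns_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte DNS header (RFC 1035 / RFC 4035 AD bit)."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    names = [name for bit, name in FLAG_NAMES if flags & (1 << bit)]
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": names,           # e.g. ["qr", "rd", "ra", "ad"]
        "ad": "ad" in names,      # Authenticated Data: resolver validated DNSSEC
        "counts": (qd, an, ns, ar),
    }


def resolv_conf_trusts_ad(text: str) -> bool:
    """True if an `options` line in resolv.conf lists trust-ad.

    Without trust-ad, glibc clears the AD bit before handing answers to
    applications, so trust-ad is what makes the flag visible at all.
    """
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "options" and "trust-ad" in parts[1:]:
            return True
    return False


def assess(resolv_conf: str, response: bytes) -> str:
    """Verdict on whether the configured trust matches resolver behaviour."""
    hdr = parse_dns_header(response)
    trusts = resolv_conf_trusts_ad(resolv_conf)
    if trusts and not hdr["ad"]:
        return "mismatch: trust-ad set but the resolver did not set AD"
    if trusts and hdr["ad"]:
        return "ok: trust-ad set and AD present"
    if not trusts and hdr["ad"]:
        return "ignored: AD present but trust-ad not set, so libc drops it"
    return "ok: neither trust-ad nor AD"


def make_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Build a bare DNS header (constructed sample data, no question section)."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed samples matching the three drill headers quoted in the report.
QR, RD, RA, AD = 1 << 15, 1 << 8, 1 << 7, 1 << 5
UPSTREAM_RESPONSE = make_header(39405, QR | RD | RA | AD, an=4)   # qr rd ra ad
STUB_DEFAULT_RESPONSE = make_header(65401, QR | RD | RA, an=3)    # qr rd ra
STUB_DNSSEC_RESPONSE = make_header(60556, QR | RD | RA | AD, an=4)  # qr rd ra ad

# Constructed sample of the stub resolv.conf systemd-resolved installs.
STUB_RESOLV_CONF = """# constructed sample of /run/systemd/resolve/stub-resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
"""

if __name__ == "__main__":
    for label, resp in [("upstream", UPSTREAM_RESPONSE),
                        ("stub, DNSSEC=no", STUB_DEFAULT_RESPONSE),
                        ("stub, DNSSEC=allow-downgrade", STUB_DNSSEC_RESPONSE)]:
        hdr = parse_dns_header(resp)
        print(f"{label:30} flags: {' '.join(hdr['flags'])}  ->  "
              f"{assess(STUB_RESOLV_CONF, resp)}")
```

To run it against a live resolver, feed `parse_dns_header` the raw bytes of a real response (for example from a UDP socket query to the address listed after `nameserver`) and the actual contents of /etc/resolv.conf; the `mismatch` verdict is the condition the report describes, and it clears once `DNSSEC=allow-downgrade` or `DNSSEC=yes` is set in /etc/systemd/resolved.conf.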