Thanks for the report; it's my understanding that "real" DNSSEC deployments at sites that care will do all the DNSSEC enforcement with a local recursor because the application APIs are immature / underspecified / etc.
Such centralization also makes it far easier for the DNS operations team to work around misconfigured DNSSEC systems in the wild by setting Negative Trust Anchors on portions of the DNS tree (as described at https://doc.powerdns.com/recursor/dnssec.html#negative-trust-anchors ) when necessary.

Thanks

** Changed in: systemd (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2027797

Title:
  systemd-resolved DNSSEC implementation does not protect against cache poisoning

Status in systemd package in Ubuntu:
  Confirmed

Bug description:
  Steps required are at upstream issue https://github.com/systemd/systemd/issues/25676
  Unfortunately it has been reported publicly for 3 years in https://github.com/systemd/systemd/issues/15158, so no embargo makes sense

Mailing list: https://launchpad.net/~touch-packages
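As an added illustration of the deployment the comment above recommends (this is example configuration written for this page, not part of the bug report, of systemd, or of the PowerDNS documentation), the following is a PowerDNS Recursor `lua-config-file` for a validating local recursor that carries one Negative Trust Anchor. The zone name `broken-dnssec.example` and the reason text are placeholders; it assumes `recursor.conf` sets `dnssec=validate` and points `lua-config-file` at this file, and that stub resolvers on the host (systemd-resolved included) send all queries to this recursor rather than validating themselves.

```lua
-- Added example: PowerDNS Recursor lua-config-file for a validating local recursor.
--
-- Assumed recursor.conf settings (not shown here):
--   dnssec=validate                        -- SERVFAIL on bogus answers instead of passing them on
--   lua-config-file=/etc/powerdns/recursor.lua
--
-- Because validation happens here, clients behind this recursor are protected
-- even when their own DNSSEC handling is weak or disabled: forged or poisoned
-- data for a signed zone never reaches them as a successful answer.

-- Negative Trust Anchor: treat everything at and below this name as insecure
-- (unvalidated) instead of bogus, so a zone whose DS/DNSKEY chain is broken
-- upstream keeps resolving while the zone owner fixes it.
-- Placeholder zone and reason; replace with the real misconfigured domain and
-- a pointer to the operations ticket that tracks its removal.
addNTA("broken-dnssec.example", "DS at parent does not match DNSKEY; remove when upstream fixes it (ticket: PLACEHOLDER)")
```

An NTA is a deliberate, scoped hole in validation, so keep the list short and time-bound: the same operations team that adds one should own the ticket that removes it. At runtime the same change can be made without a restart through `rec_control add-nta DOMAIN [REASON]`, reviewed with `rec_control get-ntas`, and reverted with `rec_control clear-nta DOMAIN`; the Lua form above is what survives a restart. Validation still covers every other part of the namespace, which is the property the bug report shows systemd-resolved's own implementation does not deliver on its own.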