debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #04402
[Bug 2117730] [NEW] Enable (opportunistic) DNSSEC
Public bug reported:
DNSSEC is an established DNS extension that allows to cryptographically
sign & validate DNS records. It can be enabled in “auto” (fallback)
mode, which does not enforce signed records, but uses them whenever
possible. We should enable that “fallback” mode by default in Ubuntu and
provide means to enforce DNSSEC, too.
It is currently turned off by default in systemd-resolved (in Debian & Ubuntu), due to “compatibility issues with certain network access points”:
* https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996
While upstream systemd recommends the usage of `default-dnssec=allow-
downgrade`.
Some specific issues observed in the past:
- bug #1628778
- bug #1682499
- bug #1690605
- bug #1857639
Due to issues like the ones mentioned above, we should provide an easy way to disable DNSSEC, therefore I think shipping drop-in configs for systemd-resolved to set "[Resolve] DNSSEC=allow-downgrade" via a Recommends "systemd-resolved-dnssec" package and set "[Resolve] DNSSEC=yes" via an (optional) systemd-resolved-dnssec-force package might be a feasible path. That way the "*-dnssec*" packages could be removed to downgrade to "DNSSEC=no" while the "*-dnssec-force" package could be installed to upgrade to "DNSSEC=yes" and "DNSSEC=allow-downgrade" could remain the default. No need to modify the "-Ddefault-dnssec==no" build flags.
** Affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Affects: dnsmasq (Ubuntu)
Importance: Undecided
Status: New
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Also affects: bind9 (Ubuntu)
Importance: Undecided
Status: New
** Also affects: dnsmasq (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2117730
Title:
Enable (opportunistic) DNSSEC
Status in bind9 package in Ubuntu:
New
Status in dnsmasq package in Ubuntu:
New
Status in systemd package in Ubuntu:
New
Bug description:
DNSSEC is an established DNS extension that allows to
cryptographically sign & validate DNS records. It can be enabled in
“auto” (fallback) mode, which does not enforce signed records, but
uses them whenever possible. We should enable that “fallback” mode by
default in Ubuntu and provide means to enforce DNSSEC, too.
It is currently turned off by default in systemd-resolved (in Debian & Ubuntu), due to “compatibility issues with certain network access points”:
* https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996
While upstream systemd recommends the usage of `default-dnssec=allow-
downgrade`.
Some specific issues observed in the past:
- bug #1628778
- bug #1682499
- bug #1690605
- bug #1857639
Due to issues like the ones mentioned above, we should provide an easy way to disable DNSSEC, therefore I think shipping drop-in configs for systemd-resolved to set "[Resolve] DNSSEC=allow-downgrade" via a Recommends "systemd-resolved-dnssec" package and set "[Resolve] DNSSEC=yes" via an (optional) systemd-resolved-dnssec-force package might be a feasible path. That way the "*-dnssec*" packages could be removed to downgrade to "DNSSEC=no" while the "*-dnssec-force" package could be installed to upgrade to "DNSSEC=yes" and "DNSSEC=allow-downgrade" could remain the default. No need to modify the "-Ddefault-dnssec==no" build flags.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2117730/+subscriptions
Follow ups
