← Back to team overview

debcrafters-packages team mailing list archive

  1. debcrafters-packages team
  2. Mailing list archive
  3. Message #04409

[Bug 2117730] Re: Enable (opportunistic) DNSSEC

  Thread PreviousDate PreviousThread Next 
** Merge proposal unlinked:
   https://code.launchpad.net/~slyon/ubuntu/+source/systemd/+git/systemd/+merge/489533

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2117730

Title:
  Enable (opportunistic) DNSSEC

Status in bind9 package in Ubuntu:
  New
Status in dnsmasq package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  Incomplete

Bug description:
  DNSSEC is an established DNS extension that allows to
  cryptographically sign & validate DNS records. It can be enabled in
  “auto” (fallback) mode, which does not enforce signed records, but
  uses them whenever possible. We should enable that “fallback” mode by
  default in Ubuntu and provide means to enforce DNSSEC, too.

  
  It is currently turned off by default in systemd-resolved (in Debian & Ubuntu), due to “compatibility issues with certain network access points”:

  * https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996

  While upstream systemd recommends the usage of `default-dnssec=allow-
  downgrade`.

  
  Some specific issues observed in the past:
  - bug #1628778
  - bug #1682499
  - bug #1690605
  - bug #1857639

  
  Due to issues like the ones mentioned above, we should provide an easy way to disable DNSSEC, therefore I think shipping drop-in configs for systemd-resolved to set "[Resolve] DNSSEC=allow-downgrade" via a Recommends "systemd-resolved-dnssec" package and set "[Resolve] DNSSEC=yes" via an (optional) systemd-resolved-dnssec-force package might be a feasible path. That way the "*-dnssec*" packages could be removed to downgrade to "DNSSEC=no" while the "*-dnssec-force" package could be installed to upgrade to "DNSSEC=yes" and "DNSSEC=allow-downgrade" could remain the default. No need to modify the "-Ddefault-dnssec==no" build flags.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2117730/+subscriptions

References

  Thread PreviousDate PreviousThread Next