Bug#834453: systemd-resolved: Please add d.f.ip6.arpa to the DNSSEC default negative trust anchors

Fabian Pietsch fabian-debian at canvon.de
Mon Aug 15 21:52:29 BST 2016 

Package: systemd
Version: 230-7
Severity: wishlist

Hi,

dnssec-trust-anchors.d(5) says: "Negative trust anchors are useful to
support private DNS subtrees that are not referenced from the Internet
DNS hierarchy, and not signed."

"If no negative trust anchor files are configured a built-in set of
well-known private DNS zone domains is used as negative trust anchors."


The DNSSEC default negative trust anchors for systemd-resolved seem to
be defined in [1]. There are reverse DNS domains for the RFC 1918
address space (10.0.0.0/8, 192.168.0.0/16 etc.) listed, but not for
IPv6 Unique Local addresses [2], the equivalent for IPv6.

That means that, when systemd-resolved's DNSSEC support is enabled,
site-locally defined reverse DNS for IPv4 private addresses will resolve
with systemd-resolved out-of-the-box, while site-locally defined reverse
DNS for IPv6 Unique Local addresses will not. It has to be configured
as a DNSSEC negative trust anchor, first, which also makes it necessary
to configure the systemd-resolved default negative anchors explicitly,
too. (This happens as *.negative files in /etc/dnssec-trust-anchors.d/ )


The current defaults give RFC 6761 as reason for inclusion, but that
does not seem to talk about DNSSEC. And the reason given in [1]
simply is:

  "RFC 6761 says that these reverse IP lookup ranges are for
  private addresses, and hence should not show up in the root zone"

The same can be claimed for d.f.ip6.arpa via RFC 4193 [2]:

  "Reverse (address-to-name) queries for locally assigned IPv6 Local
  addresses MUST NOT be sent to name servers for the global DNS, [...]."

  "The recommended way to avoid sending such queries to nameservers for
  the global DNS is for recursive name server implementations to act as
  if they were authoritative for an empty d.f.ip6.arpa zone and return
  RCODE 3 for any such query. [...] if the site administrator has not
  set up the reverse tree corresponding to the locally assigned IPv6
  Local addresses in use, returning RCODE 3 is in fact the correct
  answer."

So if the site administrator has set up the reverse tree for the IPv6
Unique Local addresses in use, there would be no trust path from the
root zone, so to use the set up data, a negative trust anchor is
necessary. It should qualify as a "private DNS subtree[] that [is]
not referenced from the Internet DNS hierarchy, and not signed",
as quoted in the beginning of this report.

IPv6 Unique Local addresses reverse DNS should also qualify as a
"well-known private DNS zone domain[]". So please include d.f.ip6.arpa
in the list of default negative trust anchors.

Regards,
Fabian


[1] https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/src/resolve/resolved-dns-trust-anchor.c#n101

[2] RFC 4193 "Unique Local IPv6 Unicast Addresses", e.g.,
    https://tools.ietf.org/html/rfc4193


-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4
ii  libaudit1       1:2.6.5-1
ii  libblkid1       2.28-6
ii  libc6           2.23-4
ii  libcap2         1:2.25-1
ii  libcap2-bin     1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.2-2
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28-6
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     230-7
ii  mount           2.28-6
ii  util-linux      2.28-6

Versions of packages systemd recommends:
ii  dbus            1.10.8-1
ii  libpam-systemd  230-7

Versions of packages systemd suggests:
ii  policykit-1        0.105-16
ii  systemd-container  230-7
pn  systemd-ui         <none>

Versions of packages systemd is related to:
ii  udev  230-7

-- Configuration Files:
/etc/systemd/system.conf changed [not included]

-- no debconf information

More information about the Pkg-systemd-maintainers mailing list