Bug#988132: systemd-resolved stub resolver does not pass RRSIG data for applications to answer DNSSEC queries

Philip Stewart philip.stewart.public at gmail.com
Thu May 6 11:29:20 BST 2021


Package: systemd
Version: 247.3-5

Dear Maintainer,

Queries made via the systemd-resolved stub resolver do not have the 
RRSIG response returned through the stub, breaking the chain of trust 
and preventing applications, such as network diagnostic tools, from 
validating DNSSEC signatures themselves.

This is evident in the response from delv when using the stub, but I 
include the same request against an external server for completeness:

$ delv debian.org
;; no valid RRSIG resolving 'org/DS/IN': 127.0.0.53#53
;; broken trust chain resolving 'debian.org/A/IN': 127.0.0.53#53
;; resolution failed: broken trust chain


$ delv @9.9.9.9 debian.org
; fully validated
debian.org.		272	IN	A	128.31.0.62
debian.org.		272	IN	A	130.89.148.77
debian.org.		272	IN	A	149.20.4.15
debian.org.		272	IN	RRSIG	A 8 2 300 20210608052940 20210429052640 29400 
debian.org. uGq/M6eLdmXBdh9muHTx3QzJxDfybZCCXvNGPsGJtYi8sR10yThgyoKN 
87UpPEDyP5NbNrPEAjyaC/H2vkPsUUC+wypW3aoSSFt4CoJxVXa/arpE 
POXqokKZ8l/YFWU68tejC5dvgqp2CeJkEfceUb6Nh9Y5F9U2zjQrjDxj 
+SwVJD+kJjF+A88kZ/Cr+oFdkuWq/N/06Hxhx6c+mIoD2OZuV5lc0Zg3 
U6ah8LAym+XRdqcj4zcom5lXszhqzhYs


Less dramatic, with dig +dnssec, is the omission of the RRSIG answer in 
the stub response:

$ dig +dnssec debian.org

; <<>> DiG 9.16.13-Debian <<>> +dnssec debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65494
;; QUESTION SECTION:
;debian.org.			IN	A

;; ANSWER SECTION:
debian.org.		91	IN	A	149.20.4.15
debian.org.		91	IN	A	130.89.148.77
debian.org.		91	IN	A	128.31.0.62

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed May 05 19:50:19 BST 2021
;; MSG SIZE  rcvd: 87


$ dig @9.9.9.9 +dnssec debian.org

; <<>> DiG 9.16.13-Debian <<>> @9.9.9.9 +dnssec debian.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35061
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;debian.org.			IN	A

;; ANSWER SECTION:
debian.org.		300	IN	A	128.31.0.62
debian.org.		300	IN	A	130.89.148.77
debian.org.		300	IN	A	149.20.4.15
debian.org.		300	IN	RRSIG	A 8 2 300 20210608052940 20210429052640 29400 
debian.org. uGq/M6eLdmXBdh9muHTx3QzJxDfybZCCXvNGPsGJtYi8sR10yThgyoKN 
87UpPEDyP5NbNrPEAjyaC/H2vkPsUUC+wypW3aoSSFt4CoJxVXa/arpE 
POXqokKZ8l/YFWU68tejC5dvgqp2CeJkEfceUb6Nh9Y5F9U2zjQrjDxj 
+SwVJD+kJjF+A88kZ/Cr+oFdkuWq/N/06Hxhx6c+mIoD2OZuV5lc0Zg3 
U6ah8LAym+XRdqcj4zcom5lXszhqzhYs

;; Query time: 15 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Wed May 05 19:50:44 BST 2021
;; MSG SIZE  rcvd: 321


I've found a series of issues [1, 2] had already been opened upstream 
for this along with a related issue concerning a (possibly) incorrect 
return type [3]. Fixes for all have been committed in the v248 tag 
[4-6], but it should be noted that the bulk of the fix [4] is fairly 
substantial, so I'm not sure whether there is any appetite to patch 
bullseye post-release.

Cheers,
Phil


[1] https://github.com/systemd/systemd/issues/4621
[2] https://github.com/systemd/systemd/issues/18714
[3] https://github.com/systemd/systemd/issues/17218
[4] https://github.com/systemd/systemd/commit/775ae35403f8f3c01b7ac13387fe8aac1759993f
[5] https://github.com/systemd/systemd/commit/048e04337571c8ac68a12fcb02a82db58bab22ca
[6] https://github.com/systemd/systemd/commit/30ee7071703226bf84e69f983ad1c08283e4b891
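As an added check, not part of the bug report or of systemd's code, the Python below (standard library only) builds the same DO-bit EDNS0 query that dig +dnssec and delv send, and inspects a reply's ANSWER section for RRSIG records, which is exactly what the stub at 127.0.0.53 was omitting. The two responses it parses are constructed samples, not captured traffic; the RRSIG's timestamps and signature bytes are placeholders.

```python
import socket
import struct
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46

def encode_name(name):  # length-prefixed labels plus a terminating zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_dnssec_query(name, txid=0x1234):
    """A query for `name` with an EDNS0 OPT record whose DO bit is set (what dig +dnssec sends)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", TYPE_A, 1)  # type A, class IN
    opt = b"\x00" + struct.pack(">HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)  # root name, DO flag
    return header + question + opt

def skip_name(msg, off):  # offset just past the name at `off`; a 2-byte pointer ends a name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def answer_types(msg):
    """RR types present in the ANSWER section of a wire-format response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, types = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def rrsig_missing(msg):  # True when A answers came back with no RRSIG covering them
    types = answer_types(msg)
    return TYPE_A in types and TYPE_RRSIG not in types

def constructed_response(with_rrsig):
    """Constructed sample (not captured traffic): the report's three A records, plus a dummy RRSIG."""
    header = struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 3 + int(with_rrsig), 0, 0)  # flags QR RD RA AD
    question = encode_name("debian.org") + struct.pack(">HH", TYPE_A, 1)
    rrs = b""
    for ip in ("128.31.0.62", "130.89.148.77", "149.20.4.15"):
        rrs += b"\xC0\x0C" + struct.pack(">HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    if with_rrsig:  # rdata: covered A, alg 8, 2 labels, TTL 300, placeholder times, key tag 29400
        rdata = struct.pack(">HBBIIIH", TYPE_A, 8, 2, 300, 0, 0, 29400) + encode_name("debian.org") + b"\x00" * 32
        rrs += b"\xC0\x0C" + struct.pack(">HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return header + question + rrs
```

To test a live resolver, send build_dnssec_query("debian.org") to 127.0.0.53 port 53 over a plain UDP socket and pass the reply to rrsig_missing; a resolver that forwards the RRSIG, as 9.9.9.9 does in the captures above, returns False.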

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

