Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
An update: Now it would make sense to be able to add a DO-bit, via /etc/resolv.conf:
https://developers.google.com/speed/public-dns/faq#dnssec

It would also be interesting if the AD-bit could be set, in accordance with
http://tools.ietf.org/html/rfc6840#section-5.7

Some good inspiration can be found on this ancient page:
http://bd.hauke-lampe.de/dnssec/adding-res_use_dnssec-to-glibc.html

I am very much in favor of these enhancements.

-- Marco

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
* Matthew Grant:

> From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c

This does not actually activate DNSSEC, it just tells the recursive resolver that the application is able to process DNSSEC records. The application would still have to validate them. Applications should never need to set the RES_USE_DNSSEC flag because it does not make sense to treat DNSSEC-signed data differently from unsigned data.

> Please create a resolv.conf flag so that RES_USE_DNSSEC is available to the systems administrator, and maybe a debconf screen to select it.

This alone wouldn't make any difference to the spoofing problem. libc is not the correct place to put DNSSEC validation because many processes are shortlived and would have to fetch all key material and signatures from DNS, beginning at the root. This would turn a single name resolution into six or more DNS queries, which is excessive.

At this stage, you should run a BIND or Unbound process restricted to localhost which performs the validation. This validation will happen even for applications which do not set the RES_USE_DNSSEC flag.
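The two messages above distinguish three things that are easy to conflate: the EDNS0 "DNSSEC OK" (DO) bit that RES_USE_DNSSEC adds to a query, the AD bit in the query header that RFC 6840 section 5.7 lets a client set to ask for authentication status, and actual validation, which the reply says should happen in a resolver on localhost rather than in libc. The Python below is an added example, not code from the bug report, glibc or openssh: it builds a query on the wire with the OPT RR's DO bit (and optionally the AD request bit), parses a constructed response the way a validating loopback resolver would return it, and only treats the AD flag as meaningful when the answer came over the loopback path. The sample response bytes and the `answer_is_authenticated` policy are constructed for illustration.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS(0) DO bit, which
# lives in the high bit of the OPT RR's TTL field (RFC 3225).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
EDNS_DO = 0x8000
TYPE_OPT = 41
TYPE_A = 1
TRUSTED_RESOLVERS = ("127.0.0.1", "::1")  # assumption: validator runs on loopback


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True,
                ad_in_query=False, udp_size=4096):
    """Recursive query with an EDNS0 OPT RR; DO set when dnssec_ok.
    ad_in_query sets AD in the header, as RFC 6840 5.7 permits, to ask the
    resolver to report authentication status without requesting RRSIGs."""
    flags = FLAG_RD | (FLAG_AD if ad_in_query else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Header flags plus whether any OPT RR in the message carries DO."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    dnssec_ok = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT and ttl & EDNS_DO:
            dnssec_ok = True
    return {"id": txid, "response": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF,
            "do": dnssec_ok}


def answer_is_authenticated(msg, resolver_addr):
    """AD only means something if the path to the validator cannot be spoofed,
    so accept it solely from a loopback resolver, as the thread recommends."""
    p = parse_message(msg)
    return (resolver_addr in TRUSTED_RESOLVERS and p["response"]
            and p["rcode"] == 0 and p["ad"])


def build_sample_response(txid=0x1234, ad=True):
    """Constructed response: example.org A 192.0.2.1, AD set by a validator."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    question = encode_name("example.org") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + answer + opt


if __name__ == "__main__":
    print(parse_message(build_query("example.org")))
    print(answer_is_authenticated(build_sample_response(), "127.0.0.1"))
```

Sending `build_query(...)` over UDP to port 53 is the part a real client would add; the point of the parse side is that the same AD flag from an off-host resolver tells you nothing, because anyone who can spoof the answer can set the bit as well.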
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
Package: libc6
Version: 2.13-34
Severity: Serious
Tags: security

Hi!

I am submitting this report as there seems to be no easy way to get DNSSEC validation happening for all DNS lookups. This is a litmus test to make sure we cover this matter, or see if we have an easy procedure in wheezy to enable client DNSSEC validation.

With the DNS root zone now signed, and .org and .net, and many soon to be done country specific TLDs, there does not appear to be any easy way of taking advantage of this in wheezy or sid.

From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c

Please create a resolv.conf flag so that RES_USE_DNSSEC is available to the systems administrator, and maybe a debconf screen to select it.

This is about proactively avoiding DNS spoofing and securing against it.

Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-34
ii  libgcc1   1:4.7.1-2

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.44
ii  glibc-doc              2.13-34
ii  locales                2.13-34

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false