[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Changed in: systemd
       Status: Unknown => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624071

Title:
  libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation

Status in systemd:
  Fix Released
Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  The libnss-resolve postinst script inserts ‘resolve’ before ‘dns’ in the hosts line of /etc/nsswitch.conf. This makes DNSSEC validation impossible, even with DNSSEC=yes in /etc/systemd/resolved.conf, because if libnss_resolve returns a validation failure, glibc will simply fall back to libnss_dns. It also makes NXDOMAIN lookups twice as slow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1624071/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Calin: see https://bugs.launchpad.net/ubuntu/+source/nss-mdns/+bug/1641328
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Calin: This sounds like something entirely unrelated. Can you please file a new bug?
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Glad to see this has been reported. On my system, I can no longer get to any local nodes by referring to the hostname, so it is pretty clear that hostname resolution is not working. I was able to circumvent the behavior for only 1 Linux machine by specifying nodename.local, but that doesn't work with my NAS device. So, I'm kinda stuck...

I think this package is currently in yakkety-proposed (sorry, I still haven't learned how to be able to tell where a "fix" was released and in what repository it is currently in). Any idea when this will be released to yakkety-updates?
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
This bug was fixed in the package systemd - 231-9git1

---------------
systemd (231-9git1) yakkety; urgency=medium

  * systemctl: Add --wait option to wait until started units terminate
    again. This is a prerequisite for using systemd for graphical sessions
    without ugly polling.
  * nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors.
    This makes it possible to configure a fallback to "dns" without
    breaking DNSSEC, with "resolve [!UNAVAIL=return] dns".
  * libnss-resolve.postinst: Skip dns fallback if resolve is present.
    Only fall back to "dns" if nss-resolve is not installed (for the
    architecture of the calling program). Once it is, we never want to
    fall back to "dns" as that breaks enforcing DNSSEC verification and
    also pointlessly retries NXDOMAIN failures. (LP: #1624071)

 -- Martin Pitt  Sun, 02 Oct 2016 10:33:11 +0200

** Changed in: systemd (Ubuntu)
       Status: Fix Committed => Fix Released
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Changed in: systemd (Ubuntu)
       Status: In Progress => Fix Committed
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Changed in: systemd (Ubuntu)
       Status: Triaged => In Progress

** Changed in: systemd (Ubuntu)
    Milestone: ubuntu-16.11 => ubuntu-16.10
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Changed in: systemd (Ubuntu)
    Milestone: ubuntu-16.10 => ubuntu-16.11
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Upstream PR sent with a possible fix: https://github.com/systemd/systemd/pull/4164

With that "resolve [!UNAVAIL=return] dns" does the right thing.
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Also affects: systemd via
   https://github.com/systemd/systemd/issues/4157
   Importance: Unknown
       Status: Unknown

** Changed in: systemd (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Medium

** Changed in: systemd (Ubuntu)
    Milestone: None => ubuntu-16.10
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Filed https://github.com/systemd/systemd/issues/4157 upstream for the NOTFOUND vs. UNAVAIL problem.

** Bug watch added: github.com/systemd/systemd/issues #4157
   https://github.com/systemd/systemd/issues/4157
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
** Description changed:

  The libnss-resolve postinst script inserts ‘resolve’ before ‘dns’ in the
  hosts line of /etc/nsswitch.conf. This makes DNSSEC validation impossible,
  even with DNSSEC=yes in /etc/systemd/resolved.conf, because if
  libnss_resolve returns a validation failure, glibc will simply fall back to
  libnss_dns. It also makes NXDOMAIN lookups twice as slow.
- 
- The following syntax would preserve the fallback in the case that
- systemd-resolved is not running at all, but allow systemd-resolved to
- fail lookups that should fail when it is running:
- 
-     hosts: files resolve [!TRYAGAIN=return] dns
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
You’re right: glibc seems to treat the absence of libnss-resolve itself as UNAVAIL, which is the same code returned on DNSSEC validation failures when libnss-resolve is working. I don’t see a way around this other than patching libnss-resolve to return NOTFOUND (or TRYAGAIN?) on validation failure.

It looks like there may be other ways for an active attacker to force a TRYAGAIN code (with a response that doesn’t fit in the caller-provided buffer), which suggests that the right configuration is [!UNAVAIL=return], not merely [NOTFOUND=return].
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Thanks for reporting this, well spotted!

The reason for having "dns" is *not* to guard against failures of resolved -- if the daemon is not running, then nss-resolve already falls back to glibc's resolver (i.e. "dns"). The reason is that libnss-resolve itself might not be available. E.g. you might have the amd64 version installed that inserts itself into nsswitch. But then you start a 32 bit package from an i386 deb which needs libnss-resolve:i386 and that might not be installed. That needs "dns" otherwise you get a "System error" when resolving.

I actually thought that "resolve [NOTFOUND=return] dns" should do the right thing, as that's the crucial case -- its default action is "continue", and if a DNS entry fails validation we don't want to fall back to "dns". The actions for success/unavail/tryagain already seem right. But this doesn't work, "ping sigfail.verteiltesysteme.net" still succeeds and falls back to dns.

So I'm not sure how to solve this. Ideally we would have a syntax which would ignore the absence of the "resolve" NSS module but accept if that says "not found". Or we need to ensure that for any :arch package the corresponding libnss-resolve:arch is installed.

** Changed in: systemd (Ubuntu)
       Status: New => Triaged
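The two messages above argue about how glibc walks the "hosts" sources: the reply notes that a missing libnss-resolve and a DNSSEC validation failure both surface as UNAVAIL (and that an attacker could force TRYAGAIN), and Martin Pitt reports that "resolve [NOTFOUND=return] dns" still lets "ping sigfail.verteiltesysteme.net" succeed. The following Python model is an added example written for this page, not code from glibc, systemd or anyone in this thread. It implements only the status/action rules of nsswitch.conf(5) (four statuses, default actions, "[STATUS=action]" and "[!STATUS=action]" specifiers); the per-module results it feeds in are constructed assumptions taken from the discussion: nss-resolve reports UNAVAIL on a validation failure before the fix and NOTFOUND after it, TRYAGAIN stands for an oversized reply, and the non-validating "dns" source always succeeds.

```python
"""Model of glibc's nsswitch.conf source/action walk for the 'hosts' line.

Added illustration for this bug thread; it is not glibc or systemd code.
It only reproduces the lookup-status/action rules from nsswitch.conf(5),
and every module result below is a constructed input, so it runs offline.
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue")
# nsswitch.conf(5) defaults: a successful lookup stops the search, every
# other status moves on to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_hosts_line(line):
    """Turn 'hosts: files resolve [!UNAVAIL=return] dns' into a list of
    (source, {status: action}) pairs in lookup order."""
    _db, sep, spec = line.partition(":")
    if not sep:
        raise ValueError("expected '<database>: source ...'")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not tok.startswith("["):
            entries.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not entries:
            raise ValueError("action spec %r precedes any source" % tok)
        _source, actions = entries[-1]
        for item in tok[1:-1].split():
            status, _eq, action = item.lower().partition("=")
            if action not in ACTIONS:
                raise ValueError("unknown action in %r" % item)
            negate = status.startswith("!")
            status = status.lstrip("!")
            if status not in STATUSES:
                raise ValueError("unknown status in %r" % item)
            # '[!STATUS=action]' sets the action for every status but STATUS.
            for s in STATUSES:
                if (s != status) if negate else (s == status):
                    actions[s] = action
    return entries


def lookup(hosts_line, results):
    """Walk the sources in order. `results` maps source -> status it would
    report for the query. A source absent from `results` (for example
    libnss_resolve not installed for the caller's architecture) reports
    UNAVAIL, which is what glibc does when it cannot load a module.
    Returns (final_status, source_that_produced_it)."""
    outcome = ("unavail", None)
    for source, actions in parse_hosts_line(hosts_line):
        outcome = (results.get(source, "unavail"), source)
        if actions[outcome[0]] == "return":
            break
    return outcome


def dns_answers_rejected_name(hosts_line, resolve_status):
    """True if a name that nss-resolve refuses (reporting `resolve_status`)
    is still answered by the non-validating 'dns' source."""
    status, source = lookup(hosts_line, {"files": "notfound",
                                         "resolve": resolve_status,
                                         "dns": "success"})
    return status == "success" and source == "dns"


def audit(hosts_line):
    """Summarise a hosts line against the cases raised in the bug (all
    constructed): resolve reports UNAVAIL on validation failure (before
    the fix), NOTFOUND (after the fix), TRYAGAIN (forced by an oversized
    reply), and the module not being loadable at all."""
    return {
        "leak_unavail": dns_answers_rejected_name(hosts_line, "unavail"),
        "leak_notfound": dns_answers_rejected_name(hosts_line, "notfound"),
        "leak_tryagain": dns_answers_rejected_name(hosts_line, "tryagain"),
        "works_without_module": lookup(hosts_line, {"files": "notfound",
                                                    "dns": "success"})[0]
        == "success",
    }


if __name__ == "__main__":
    for line in ("hosts: files resolve dns",
                 "hosts: files resolve [NOTFOUND=return] dns",
                 "hosts: files resolve [!TRYAGAIN=return] dns",
                 "hosts: files resolve [!UNAVAIL=return] dns"):
        print("%-46s %s" % (line, audit(line)))
```

Running it shows the whole argument in one table: the stock "resolve dns" leaks on every status; "[NOTFOUND=return]" still leaks while resolve reports UNAVAIL, which is why Martin's test kept succeeding; "[!TRYAGAIN=return]" stops the leak but also breaks every lookup when the module is not loadable, because both cases are UNAVAIL; and "[!UNAVAIL=return]" only does the right thing once nss-resolve reports NOTFOUND, which is exactly what the 231-9git1 change provides.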
[Touch-packages] [Bug 1624071] Re: libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
I also worry that, by masking systemd-resolved failures, this fallback has meant that systemd-resolved is not really getting adequate testing. If there were widespread problems causing systemd-resolved lookups to fail, would anyone have noticed?