This bug was fixed in the package systemd - 231-9git1
---------------
systemd (231-9git1) yakkety; urgency=medium
* systemctl: Add --wait option to wait until started units terminate again.
This is a prerequisite for using systemd for graphical sessions without
ugly polling.
* nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors.
This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns".
* libnss-resolve.postinst: Skip dns fallback if resolve is present.
Only fall back to "dns" if nss-resolve is not installed (for the
architecture of the calling program). Once it is, we never want to fall
back to "dns" as that breaks enforcing DNSSEC verification and also
pointlessly retries NXDOMAIN failures. (LP: #1624071)
-- Martin Pitt <martin.p...@ubuntu.com> Sun, 02 Oct 2016 10:33:11
+0200
** Changed in: systemd (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1624071
Title:
libnss-resolve: Fallback from resolve to dns breaks DNSSEC validation
Status in systemd:
Unknown
Status in systemd package in Ubuntu:
Fix Released
Bug description:
The libnss-resolve postinst script inserts ‘resolve’ before ‘dns’ in
the hosts line of /etc/nsswitch.conf. This makes DNSSEC validation
impossible, even with DNSSEC=yes in /etc/systemd/resolved.conf,
because if libnss_resolve returns a validation failure, glibc will
simply fall back to libnss_dns. It also makes NXDOMAIN lookups twice
as slow.
To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1624071/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
