Marc Deslauriers [2016-06-16 12:06 +0300]:
> Both of those security issues are resolved by adding an option to disable
> caching.

I landed this upstream yesterday: https://github.com/systemd/systemd/pull/3592
I also pulled it into the Debian packaging git, so the next Ubuntu sync will
get this.

> The remaining question is whether or not to disable caching by default.
>
> Both issues are pretty low-severity. I believe turning on caching will improve
> the user experience, so I'm slightly conflicted on what the default should be.

Yeah, me too. The upstream default continues to be "on", but we of course have
the choice to change this downstream. After the discussion my gut feeling is
still that the advantages of caching outweigh the downsides, but at this point
this is not really a technical argument any more but a subjective one.

> If the option to turn it off on multiuser systems is easy, I believe I'm
> leaning toward leaving caching on by default. Other operating systems
> apparently enable system-wide DNS caching by default, and administrators of
> multiuser systems can easily turn it off if it's a concern to them.

We have the possibility of doing it on a per-package or per-image basis, by
shipping a /lib/systemd/resolved.conf.d/nocache.conf. Or of course changing
the default in the package.

> For touch and confined applications, if this turns out to be a privacy
> concern for our users, we can either turn off caching by default for the
> touch devices, or we can disable caching only for confined applications by
> adding some sort of AppArmor integration.

I'm not sure how AppArmor or MAC in general could influence this. The only way
"around" this would be to change nsswitch.conf for that particular process to
not use "resolve" at all, but direct queries of the upstream DNS servers, but
this would again break link specific DNS servers. So realistically this
appears to me as a system-global decision.
Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
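The drop-in approach Martin describes (shipping a /lib/systemd/resolved.conf.d/nocache.conf to switch caching off per package or per image) relies on how systemd merges its main config with conf.d fragments: the main file is read first, then the drop-ins in lexical order, and the last assignment of a key wins. The script below is an added example, not code from the thread or from systemd; it writes that drop-in under a caller-chosen root and audits the effective setting so an administrator can confirm which file actually decided it. It assumes the option is spelled `Cache=` in the `[Resolve]` section, as documented in resolved.conf(5), and it simplifies resolved's real search path by evaluating the drop-in directories only in the order they are passed, rather than modelling same-named files in /etc overriding /lib.

```shell
#!/bin/sh
# Added example (not from the ubuntu-devel thread, not systemd's own code):
# audit the effective systemd-resolved Cache= setting by merging the main
# config with *.conf drop-ins the way systemd does: main file first, then
# drop-ins in lexical order; the last assignment of the key wins.
# Assumptions: the key is Cache= in [Resolve] (resolved.conf(5)); drop-in
# directories are honoured in the order given (a simplification).

# Print the effective value of KEY from the [Resolve] section.
# Usage: effective_resolve_setting KEY MAIN_CONF [DROPIN_DIR...]
# Falls back to "yes", the upstream default mentioned in the thread.
effective_resolve_setting() {
    key=$1; shift
    main=$1; shift
    value=yes
    # Build the evaluation order: main file, then each directory's *.conf
    # (a shell glob expands in sorted order, matching systemd's lexical order).
    set -- "$main" $(for dir in "$@"; do
                         [ -d "$dir" ] || continue
                         for f in "$dir"/*.conf; do [ -f "$f" ] && printf '%s\n' "$f"; done
                     done)
    for f in "$@"; do
        [ -f "$f" ] || continue
        # Only honour the key inside [Resolve]; ignore '#'/';' comments;
        # keep the last assignment in this file, with surrounding whitespace removed.
        v=$(awk -v key="$key" '
            /^[[:space:]]*[#;]/ { next }
            /^\[/ { insect = ($0 ~ /^\[Resolve\]/); next }
            insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); last = $0
            }
            END { if (last != "") print last }' "$f")
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Write the per-package drop-in proposed in the thread, relative to ROOT
# (use "/" only on a system where you really intend to disable the cache).
write_nocache_dropin() {
    root=$1
    mkdir -p "$root/lib/systemd/resolved.conf.d"
    printf '[Resolve]\nCache=no\n' > "$root/lib/systemd/resolved.conf.d/nocache.conf"
}

# Constructed demonstration in a temporary tree: no real config is touched.
# Prints the effective value before and after the drop-in is installed.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd"
    # A stock resolved.conf ships the default commented out, so it decides nothing.
    printf '[Resolve]\n#Cache=yes\n' > "$root/etc/systemd/resolved.conf"
    before=$(effective_resolve_setting Cache "$root/etc/systemd/resolved.conf" \
                                       "$root/lib/systemd/resolved.conf.d")
    write_nocache_dropin "$root"
    after=$(effective_resolve_setting Cache "$root/etc/systemd/resolved.conf" \
                                      "$root/lib/systemd/resolved.conf.d")
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}
```

Running `demo` reports the value flipping from `yes` to `no` once the drop-in is in place. On a live system the same audit against /etc/systemd/resolved.conf and the real conf.d directories tells you which fragment won, and after restarting systemd-resolved the cache counters in `systemd-resolve --statistics` should stay at zero if the setting took effect.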