On Mon, 2020-09-28 at 16:59 +0000, Zbigniew Jędrzejewski-Szmek wrote:
On Mon, Sep 28, 2020 at 06:36:02PM +0200, Florian Weimer wrote:
> * Andrew Lutomirski:
>
> > Paul may well have been mixing different things here, but I don't
> > think you answered the one that seems like the most severe problem:
> > systemd-resolved removed perfectly valid DNSSEC records that were
> > supplied by the upstream server. One might reasonably debate whether
> > Fedora's default DNS resolver configuration should validate DNSSEC,
> > but I think it should honor the DO bit in client requests and return
> > DNSSEC data.
>
> FWIW, this is <
https://bugzilla.redhat.com/show_bug.cgi?id=1879028>.
In an ideal world, we would just implement this missing functionality.
It's definitely on the TODO list, and there has been some preparatory
work done, but so far nobody found the time. If this is judged necessary,
we'll raise the priority of that work. Nevertheless, I don't think it is
such high priority — the number of people using DNSSEC is not too large,
and they are generally power-users who understand how to specify a different
server. So while definitely annoying, I didn't consider this a deal-breaker.
Zbyszek
Sorry Zbyszek,
but as other said, a *default* resolver that break the standard is
definitely a problem.
As non-default, systemd-resolved may decide to break anything it wants,
but once you decide you want to be the default in a system, then
standard compliance becomes paramount.
Of course systemd-resolved can deviate *optionally*, but the default
needs to be compliant, which means returning all records the client
requests, and resolving all names as the standard requires, and
supporting all record types, etc..
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc