Bug#787731: adds google nameserver without being asked to

2015-06-12 Thread Michael Biebl
On 10.06.2015 at 11:37, Michael Biebl wrote:
> On 09.06.2015 at 13:14, Marc Haber wrote:
>> On Sat, Jun 06, 2015 at 09:42:37PM +0200, Michael Biebl wrote:
>>> This change is imho too invasive for being backported to the stable v215
>>> in jessie. The first Debian version carrying that fix is 217-1, so I'm
>>> closing it for this version.
>>
>> How about shipping a /etc/systemd/resolved.conf with a not commented
>> out DNS= line?
>
> Compiling with --with-dns-servers= is better.
> It doesn't require us to patch the conf file, it also changes the
> builtin list, and the resulting resolved.conf will actually look pretty
> similar:
>
> [Resolve]
> #DNS=

I committed this change now for the jessie branch:

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=jessie&id=fc04df5fc3adedb990318a34d69a261521d4d57d

So this change will be part of the next stable upload.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#787731: adds google nameserver without being asked to

2015-06-10 Thread Michael Biebl
On 09.06.2015 at 13:14, Marc Haber wrote:
> On Sat, Jun 06, 2015 at 09:42:37PM +0200, Michael Biebl wrote:
>> This change is imho too invasive for being backported to the stable v215
>> in jessie. The first Debian version carrying that fix is 217-1, so I'm
>> closing it for this version.
>
> How about shipping a /etc/systemd/resolved.conf with a not commented
> out DNS= line?

Compiling with --with-dns-servers= is better.
It doesn't require us to patch the conf file, it also changes the
builtin list, and the resulting resolved.conf will actually look pretty
similar:

[Resolve]
#DNS=




-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#787731: adds google nameserver without being asked to

2015-06-09 Thread Marc Haber
On Sat, Jun 06, 2015 at 09:42:37PM +0200, Michael Biebl wrote:
> This change is imho too invasive for being backported to the stable v215
> in jessie. The first Debian version carrying that fix is 217-1, so I'm
> closing it for this version.

How about shipping a /etc/systemd/resolved.conf with a not commented
out DNS= line?

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#787731: adds google nameserver without being asked to

2015-06-05 Thread Marc Haber
On Thu, Jun 04, 2015 at 06:05:04PM +0200, Christoph Anton Mitterer wrote:
> Anyway, can we merge the issues?

Objected. #787731 is a real bug. Just mentioning that the default is a
bad default does not make it the same issue. The issue here is that a
default is used while the local admin did what the docs said to avoid
defaults from being used.

Greetings
Marc

-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421





Bug#787731: adds google nameserver without being asked to

2015-06-05 Thread Michael Biebl
Hi

On 04.06.2015 at 16:02, Marc Haber wrote:
> The documentation in resolved.conf(5) suggests that the compiled-in
> list does only apply if there is no other definition of DNS-Servers.
> This is not the case here, and the fact that systemd-resolved takes
> the definition from /etc/systemd/network/int181.network shows that it
> knows that there is another definition.

For completeness sake, can you please also attach your
/etc/systemd/network/* config files and your /etc/systemd/resolved.conf
(assuming it differs from the default config)

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#787731: adds google nameserver without being asked to

2015-06-05 Thread Marc Haber
On Fri, Jun 05, 2015 at 09:45:28PM +0200, Michael Biebl wrote:
> On 04.06.2015 at 16:02, Marc Haber wrote:
>> The documentation in resolved.conf(5) suggests that the compiled-in
>> list does only apply if there is no other definition of DNS-Servers.
>> This is not the case here, and the fact that systemd-resolved takes
>> the definition from /etc/systemd/network/int181.network shows that it
>> knows that there is another definition.
>
> For completeness sake, can you please also attach your
> /etc/systemd/network/* config files and your /etc/systemd/resolved.conf
> (assuming it differs from the default config)

It's a most simple setup.

[1/75]mh@ronde:~$ cat /etc/systemd/network/ronde.network
[Match]
Name=eth0

[Network]
Address=192.168.181.14/24
Gateway=192.168.181.254
DNS=192.168.181.12
[2/76]mh@ronde:~$ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=8.8.8.8 8.8.4.4 2001:4860:4860:: 2001:4860:4860::8844
[3/77]mh@ronde:~$ sudo systemctl enable systemd-resolved
[sudo] password for mh on ronde:
Created symlink from 
/etc/systemd/system/multi-user.target.wants/systemd-resolved.service to 
/lib/systemd/system/systemd-resolved.service.
[4/78]mh@ronde:~$ ls -al /etc/systemd/network/
total 12K
drwxr-xr-x 2 root root 4.0K Jun  1 22:34 ./
drwxr-xr-x 6 root root 4.0K Apr 27 16:13 ../
-rw-r--r-- 1 root root   98 Jun  1 22:34 ronde.network
[5/79]mh@ronde:~$ sudo systemctl start systemd-resolved
[6/80]mh@ronde:~$ cat /run/systemd/resolve/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 192.168.181.12
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored
nameserver 2001:4860:4860::
nameserver 2001:4860:4860::8844
[7/81]mh@ronde:~$


(a test system, took me like two minutes to reproduce)

Greetings
Marc


-- 
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
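
The comparison made by eye in the message above, as an added example that is not part of the original thread: list every nameserver in the generated resolv.conf that no active (uncommented) DNS= line asked for. The function names are hypothetical and the embedded sample text is constructed from the files quoted in the thread.

```python
import ipaddress
import re

# Constructed samples, copied from the file contents quoted in the thread.
NETWORK_UNIT = """\
[Match]
Name=eth0
[Network]
Address=192.168.181.14/24
Gateway=192.168.181.254
DNS=192.168.181.12
"""
RESOLVED_CONF = """\
[Resolve]
#DNS=8.8.8.8 8.8.4.4 2001:4860:4860:: 2001:4860:4860::8844
"""
GENERATED_RESOLV_CONF = """\
nameserver 192.168.181.12
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored
nameserver 2001:4860:4860::
nameserver 2001:4860:4860::8844
"""

def configured_dns(*ini_texts):
    """Addresses from active DNS= lines; commented-out lines do not count."""
    servers = set()
    for text in ini_texts:
        for line in text.splitlines():
            m = re.match(r"\s*DNS\s*=\s*(.*)", line)  # '#DNS=' does not match
            if m:
                servers.update(ipaddress.ip_address(a) for a in m.group(1).split())
    return servers

def active_nameservers(resolv_conf_text):
    """Addresses from 'nameserver' lines, in file order."""
    rows = (line.split() for line in resolv_conf_text.splitlines())
    return [ipaddress.ip_address(f[1]) for f in rows
            if len(f) >= 2 and f[0] == "nameserver"]

def unexpected_nameservers(resolv_conf_text, *ini_texts):
    """Nameservers in use that the administrator never configured."""
    allowed = configured_dns(*ini_texts)
    return [str(ns) for ns in active_nameservers(resolv_conf_text)
            if ns not in allowed]

if __name__ == "__main__":
    for ns in unexpected_nameservers(GENERATED_RESOLV_CONF, NETWORK_UNIT, RESOLVED_CONF):
        print("not configured by admin:", ns)
```

On a live system the three inputs would be read from /etc/systemd/network/*.network, /etc/systemd/resolved.conf and /run/systemd/resolve/resolv.conf; a non-empty result means queries can reach resolvers nobody selected.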





Bug#787731: adds google nameserver without being asked to

2015-06-05 Thread Michael Biebl
Control: tags -1 + fixed-upstream confirmed
Control: fixed -1 220-1

On 05.06.2015 at 21:45, Michael Biebl wrote:
> Hi
>
> On 04.06.2015 at 16:02, Marc Haber wrote:
>> The documentation in resolved.conf(5) suggests that the compiled-in
>> list does only apply if there is no other definition of DNS-Servers.
>> This is not the case here, and the fact that systemd-resolved takes
>> the definition from /etc/systemd/network/int181.network shows that it
>> knows that there is another definition.
>
> For completeness sake, can you please also attach your
> /etc/systemd/network/* config files and your /etc/systemd/resolved.conf
> (assuming it differs from the default config)

I tested with a minimal configuration under jessie's v215 and could
reproduce the problem.
Upgrading to v220 solved the issue. Thus marking accordingly.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#787731: adds google nameserver without being asked to

2015-06-05 Thread Michael Biebl
On 05.06.2015 at 17:49, Marc Haber wrote:
> On Thu, Jun 04, 2015 at 06:05:04PM +0200, Christoph Anton Mitterer wrote:
>> Anyway, can we merge the issues?
>
> Objected. #787731 is a real bug. Just mentioning that the default is a
> bad default does not make it the same issue. The issue here is that a
> default is used while the local admin did what the docs said to avoid
> defaults from being used.

Agreed. Those are separate issues.


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#787731: adds google nameserver without being asked to

2015-06-04 Thread Christoph Anton Mitterer
On Thu, 2015-06-04 at 16:52 +0200, Marco d'Itri wrote: 
>> Having google's resolvers in the first place poses a potential data
>> leak.
> This was discussed to death in #761658.

With basically all affected parties having said that this is a very bad
idea, security-wise, privacy-wise and in terms of commercialising
Debian...

Discussing to death probably means here that the obvious arguments
that this is inherently wrong were simply ignored for not good reasons,
especially as the advantages of this are pretty much zero.

I still wonder when anyone takes the courage to make this a tech-ctte
case :-(


Anyway, can we merge the issues?


Cheers,
Chris.




Bug#787731: adds google nameserver without being asked to

2015-06-04 Thread Marco d'Itri
On Jun 04, Marc Haber mh+debian-packa...@zugschlus.de wrote:

> The documentation in resolved.conf(5) suggests that the compiled-in
> list does only apply if there is no other definition of DNS-Servers.
> This is not the case here, and the fact that systemd-resolved takes
> the definition from /etc/systemd/network/int181.network shows that it
> knows that there is another definition.
There is something wrong here, indeed: networkd should not add other 
nameservers since you provided one.

> Having google's resolvers in the first place poses a potential data
> leak.
This was discussed to death in #761658.

-- 
ciao,
Marco




Bug#787731: adds google nameserver without being asked to

2015-06-04 Thread Marc Haber
Package: systemd
Version: 215-17
Severity: normal

On all systems I checked, there is a file /etc/systemd/resolved.conf
with the following contents:

[19/516]mh@barrida:~$ cat /etc/systemd/resolved.conf
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.
#
# See resolved.conf(5) for details

[Resolve]
#DNS=8.8.8.8 8.8.4.4 2001:4860:4860:: 2001:4860:4860::8844
[20/517]mh@barrida:~$ 

If I enable systemd-resolved, this ends up in the following resolv.conf:

[16/513]mh@barrida:~$ cat /run/systemd/resolve/resolv.conf
# This file is managed by systemd-resolved(8). Do not edit.
#
# Third party programs must not access this file directly, but
# only through the symlink at /etc/resolv.conf. To manage
# resolv.conf(5) in a different way, replace the symlink by a
# static file or a different symlink.

nameserver 192.168.181.12
nameserver 8.8.8.8
nameserver 8.8.4.4
# Too many DNS servers configured, the following entries may be ignored
nameserver 2001:4860:4860::
nameserver 2001:4860:4860::8844
[17/514]mh@barrida:~$ 

Changing the commented out line in resolved.conf does not change
anything, so this must be the compiled-in default.

The nameserver 192.168.181.12 line that is generated on the system
in question originates in /etc/systemd/network/int181.network and is
the value that I -want- used.

The documentation in resolved.conf(5) suggests that the compiled-in
list does only apply if there is no other definition of DNS-Servers.
This is not the case here, and the fact that systemd-resolved takes
the definition from /etc/systemd/network/int181.network shows that it
knows that there is another definition.

Having google's resolvers in the first place poses a potential data
leak.

Greetings
Marc

