On the oss-security mailing list, Sebastian Kramer raised some concerns about the DNS implementation in systemd-resolved:

  <http://www.openwall.com/lists/oss-security/2014/11/12/5>

I share his concerns, particularly those about caching data not directly pertaining to a response (and they were the reason why I asked about cache dumping because it's so much easier to show this with this debugging aid). I don't consider this so much a security vulnerability, but an interoperability failure in the making (because there are networks where broken recursive resolvers do not filter out incorrect or misleading data). So I'm more worried about accidents than attacks.

Some of the other recommendations in RFC 5452 are also relevant to caching stubs. (Sadly, the RFC is incomplete, there is little public documentation on how to actually write interoperable DNS resolvers.)

For example, I'm not sure if it is necessary to implement elaborate CNAME processing, or just cache everything in the answer section with the expected RR type, irrespective of the owner name of the resource records, and under the minimum TTL of the entire answer section. Even if you follow CNAME chains, you should only use the initial name (QNAME) as a cache lookup key; adding the entire CNAME chain can still lead to cache poisoning.

--
Florian Weimer / Red Hat Product Security
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
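A toy model of the two caching policies discussed in the message above, added here as an illustration; it is not code from the thread or from systemd-resolved, and the names and the sample answer section are constructed. It contrasts a cache keyed only on the original (QNAME, QTYPE) under the minimum TTL of the answer section with one that stores each record under its own owner name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    owner: str   # owner name of the record
    rtype: str   # e.g. "A", "CNAME"
    ttl: int
    rdata: str

class StubCache:
    """Positive cache keyed solely on (QNAME, QTYPE) of the original query."""
    def __init__(self):
        self._entries = {}

    def insert(self, qname, qtype, answer, now=0):
        # Keep only records of the expected type, ignoring their owner names;
        # the CNAME chain is followed by the server, not used as extra keys.
        rrs = tuple(rr for rr in answer if rr.rtype == qtype)
        if not rrs:
            return False
        # The entry lives only as long as the shortest TTL in the whole answer.
        expires = now + min(rr.ttl for rr in answer)
        self._entries[(qname.lower(), qtype)] = (expires, rrs)
        return True

    def lookup(self, qname, qtype, now=0):
        entry = self._entries.get((qname.lower(), qtype))
        if entry is None or now >= entry[0]:
            return None
        return list(entry[1])

def owner_keyed_insert(cache, answer, now=0):
    """The policy to avoid: each answer record is stored under its own owner
    name, so one response can populate entries for names never asked about."""
    for rr in answer:
        cache[(rr.owner.lower(), rr.rtype)] = (now + rr.ttl, rr)

# Constructed answer section for the query "www.example.test A", as relayed by
# a broken recursive resolver that did not strip the unrelated last record.
SAMPLE_ANSWER = (
    RR("www.example.test", "CNAME", 300, "cdn.example.test"),
    RR("cdn.example.test", "A", 60, "192.0.2.10"),
    RR("login.other.test", "A", 86400, "198.51.100.7"),  # stray, out of scope
)
```

With the QNAME-keyed cache a later lookup of login.other.test misses, so the stray record is never served for a name the client did not ask about; with owner-name keying it is.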
