*** This bug is a security vulnerability ***
Public security bug reported:
Network Manager in Precise uses a local forwarding DNS server (dnsmasq).
This does not perform DNSSEC validation, although it is configured to
proxy the DNSSEC validation result from the upstream server, for which
the manpage mentions the following caveat:
"You should only do this if you trust all the configured upstream
nameservers and the network between you and them."
Since not all networks or upstream DNS servers are trustworthy, the
safest place to perform DNSSEC validation is on the client. Using a
local DNS server which cannot validate is a missed opportunity; by
replacing dnsmasq with a more capable DNS server (e.g. Unbound), security
against DNS poisoning and MITM attacks could be improved.
** Affects: network-manager (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
--
https://bugs.launchpad.net/bugs/995332
Title:
Validate DNSSEC by default