** Description changed:
[impact]
without trust-ad resolv.conf option, glibc will strip AD from systemd-
resolved responses. one thing this will prevent working is ssh/sftp
VerifyHostKeyDNS
[test case]
TBD
[regression potential]
- TBD
+ regressions would likely involve DNS lookup failures, probably if DNSSEC
+ is enabled but possibly even without, and likely when the application
+ requesting the dns lookup processes the response AD.
[scope]
this is needed only in focal.
glibc first stripped the AD in version 2.31, so this is not needed in
bionic or earlier.
this was added upstream in commit a742f9828ea which was included in
v246, so this is fixed already in groovy.
[original description]
Hi,
1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04
2)
systemd: 245.4-4ubuntu3.2
3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
4)
I still get the security question
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072
Best regards
Daniel
** Changed in: systemd (Ubuntu Focal)
Assignee: (unassigned) => Dan Streetman (ddstreet)
** Changed in: systemd (Ubuntu Focal)
Importance: Undecided => Medium
** Changed in: systemd (Ubuntu Focal)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1897744
Title:
VerifyHostKeyDNS not working due to missing trust-ad flag
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1897744/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
