** Description changed:

  DNSSEC is an established DNS extension that allows to cryptographically
  sign & validate DNS records. It can be enabled in “auto” (fallback)
  mode, which does not enforce signed records, but uses them whenever
  possible. We should enable that “fallback” mode by default in Ubuntu and
  provide means to enforce DNSSEC, too.
  
- 
- It is currently turned off by default in systemd-resolved (in Debian & 
Ubuntu), due to “compatibility issues with certain network access points”:
+ It is currently turned off by default in systemd-resolved (in Debian &
+ Ubuntu), due to “compatibility issues with certain network access
+ points”:
  
  * 
https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
  * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996
  
  While upstream systemd recommends the usage of `default-dnssec=allow-
  downgrade`.
  
- 
  Some specific issues observed in the past:
  - bug #1628778
  - bug #1682499
  - bug #1690605
  - bug #1857639
  
+ Due to issues like the ones mentioned above, we should provide an easy
+ way to disable DNSSEC, therefore I think shipping drop-in configs for
+ systemd-resolved to set "[Resolve] DNSSEC=allow-downgrade" via a
+ Recommends "systemd-resolved-dnssec" package and (optionally) set
+ "[Resolve] DNSSEC=yes" manually in a drop-in config in
+ /etc/systemd/resolved.conf.d/10-dnssec.conf. No need to modify the
+ "-Ddefault-dnssec==no" build flags. That way the "systemd-resolved-
+ dnssec" package could be removed to downgrade to "DNSSEC=no" in case of
+ issues:
  
- Due to issues like the ones mentioned above, we should provide an easy way to 
disable DNSSEC, therefore I think shipping drop-in configs for systemd-resolved 
to set "[Resolve] DNSSEC=allow-downgrade" via a Recommends 
"systemd-resolved-dnssec" package and set "[Resolve] DNSSEC=yes" via an 
(optional) systemd-resolved-dnssec-force package might be a feasible path. That 
way the "*-dnssec*" packages could be removed to downgrade to "DNSSEC=no" while 
the "*-dnssec-force" package could be installed to upgrade to "DNSSEC=yes" and 
"DNSSEC=allow-downgrade" could remain the default. No need to modify the 
"-Ddefault-dnssec==no" build flags.
+ $ apt remove systemd-resolved-dnssec
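The drop-in approach proposed above, as an added shell example that is not part of the bug report: it emits the `[Resolve] DNSSEC=` fragment for one of the three modes resolved.conf accepts and works out which drop-in wins under systemd's documented precedence (lexicographic filename order across directories, with a file in /etc replacing only a same-named file in /usr/lib); the directory paths and file names are sample values.

```shell
#!/bin/sh
# Added example, not code from the bug report. Emits a resolved drop-in for one
# DNSSEC mode and works out which value wins when several drop-ins set the key,
# following systemd's documented precedence: drop-ins are applied in
# lexicographic filename order regardless of directory, and a file in /etc
# replaces a same-named file in /usr/lib. Paths and names are sample values.

# Print a drop-in fragment; only the three values resolved.conf accepts.
dnssec_dropin() {
    case "$1" in
        no|allow-downgrade|yes) printf '[Resolve]\nDNSSEC=%s\n' "$1" ;;
        *) echo "dnssec_dropin: unsupported mode '$1'" >&2; return 1 ;;
    esac
}

# Last uncommented DNSSEC= line in a file (the [Resolve] section is assumed).
dnssec_value() {
    sed -n 's/^[[:space:]]*DNSSEC=[[:space:]]*//p' "$1" 2>/dev/null | tail -n1
}

# Effective DNSSEC= for MAIN_CONF plus drop-in directories given in
# increasing priority (e.g. /usr/lib/systemd/resolved.conf.d, then
# /etc/systemd/resolved.conf.d). Starts from the compiled-in default "no".
effective_dnssec() {
    main=$1; shift
    value=no
    v=$(dnssec_value "$main"); [ -n "$v" ] && value=$v
    # Union of *.conf basenames across all directories, sorted lexicographically.
    names=$(for d in "$@"; do [ -d "$d" ] && ls "$d"; done | grep '\.conf$' | sort -u)
    for n in $names; do
        f=''
        for d in "$@"; do [ -f "$d/$n" ] && f="$d/$n"; done   # later dir wins a name clash
        v=$(dnssec_value "$f"); [ -n "$v" ] && value=$v
    done
    echo "$value"
}
```

Note that the proposed /etc/systemd/resolved.conf.d/10-dnssec.conf sorts before a package drop-in with a higher numeric prefix, so an administrator override needs a later-sorting name (or the same name as the package's file) to take effect.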

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2117730

Title:
  Enable (opportunistic) DNSSEC

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2117730/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs