Package: systemd
Version: 230-7
Severity: wishlist

Hi,

dnssec-trust-anchors.d(5) says:

"Negative trust anchors are useful to support private DNS subtrees that are not referenced from the Internet DNS hierarchy, and not signed."

"If no negative trust anchor files are configured a built-in set of well-known private DNS zone domains is used as negative trust anchors."

The DNSSEC default negative trust anchors for systemd-resolved seem to be defined in [1]. There are reverse DNS domains for the RFC 1918 address space (10.0.0.0/8, 192.168.0.0/16 etc.) listed, but not for IPv6 Unique Local addresses [2], the equivalent for IPv6.

That means that, when systemd-resolved's DNSSEC support is enabled, site-locally defined reverse DNS for IPv4 private addresses will resolve with systemd-resolved out-of-the-box, while site-locally defined reverse DNS for IPv6 Unique Local addresses will not. It has to be configured as a DNSSEC negative trust anchor first, which also makes it necessary to configure the systemd-resolved default negative anchors explicitly, too. (This happens as *.negative files in /etc/dnssec-trust-anchors.d/)

The current defaults give RFC 6761 as reason for inclusion, but that does not seem to talk about DNSSEC. And the reason given in [1] simply is:

"RFC 6761 says that these reverse IP lookup ranges are for private addresses, and hence should not show up in the root zone"

The same can be claimed for d.f.ip6.arpa via RFC 4193 [2]:

"Reverse (address-to-name) queries for locally assigned IPv6 Local addresses MUST NOT be sent to name servers for the global DNS, [...]."

"The recommended way to avoid sending such queries to nameservers for the global DNS is for recursive name server implementations to act as if they were authoritative for an empty d.f.ip6.arpa zone and return RCODE 3 for any such query. [...] if the site administrator has not set up the reverse tree corresponding to the locally assigned IPv6 Local addresses in use, returning RCODE 3 is in fact the correct answer."

So if the site administrator has set up the reverse tree for the IPv6 Unique Local addresses in use, there would be no trust path from the root zone, so to use the set up data, a negative trust anchor is necessary. It should qualify as a "private DNS subtree[] that [is] not referenced from the Internet DNS hierarchy, and not signed", as quoted in the beginning of this report. IPv6 Unique Local addresses reverse DNS should also qualify as a "well-known private DNS zone domain[]".

So please include d.f.ip6.arpa in the list of default negative trust anchors.

Regards,
Fabian

[1] https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/src/resolve/resolved-dns-trust-anchor.c#n101
[2] RFC 4193 "Unique Local IPv6 Unicast Addresses", e.g., https://tools.ietf.org/html/rfc4193

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.5.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4
ii  libaudit1       1:2.6.5-1
ii  libblkid1       2.28-6
ii  libc6           2.23-4
ii  libcap2         1:2.25-1
ii  libcap2-bin     1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.2-2
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28-6
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     230-7
ii  mount           2.28-6
ii  util-linux      2.28-6

Versions of packages systemd recommends:
ii  dbus           1.10.8-1
ii  libpam-systemd 230-7

Versions of packages systemd suggests:
ii  policykit-1       0.105-16
ii  systemd-container 230-7
pn  systemd-ui        <none>

Versions of packages systemd is related to:
ii  udev 230-7

-- Configuration Files:
/etc/systemd/system.conf changed [not included]

-- no debconf information
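The gap the report describes can be checked locally. The following is an added example (not part of the report and not systemd code): it computes the reverse-DNS name of an address with Python's ipaddress module and tests whether any configured negative trust anchor (NTA) covers it. BUILTIN_NTAS is an assumed partial copy of the built-in list (RFC 1918 reverse zones only), and the *.negative file format (one domain per line, comment lines ignored) is assumed from dnssec-trust-anchors.d(5).

```python
#!/usr/bin/env python3
"""Check whether the reverse-DNS name of a private address is covered by a set
of DNSSEC negative trust anchors, as configured via *.negative files."""
import ipaddress

# Assumed partial copy of systemd-resolved's built-in NTAs: only the RFC 1918
# reverse zones the report mentions. The real built-in list is longer.
BUILTIN_NTAS = (
    "10.in-addr.arpa",
    *(f"{n}.172.in-addr.arpa" for n in range(16, 32)),
    "168.192.in-addr.arpa",
)
# RFC 4193 reverse zone for locally assigned ULAs (fd00::/8); the report
# asks for it to be added to the defaults.
ULA_NTA = "d.f.ip6.arpa"

# Constructed sample *.negative file. Because configuring any negative file
# replaces the built-in set, the defaults are restated alongside the ULA zone.
SAMPLE_NEGATIVE = "# ULA reverse zone\n" + ULA_NTA + "\n" + "\n".join(BUILTIN_NTAS) + "\n"


def parse_negative_file(text):
    """Parse a *.negative file: one domain per line; blank and '#'/';' lines skipped."""
    anchors = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        anchors.add(line.rstrip(".").lower())
    return anchors


def reverse_name(addr):
    """Reverse-DNS name for an IPv4 or IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(addr).reverse_pointer


def covering_nta(name, ntas):
    """Return the NTA that covers `name` (the name itself or any parent), else None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in ntas:
            return ".".join(labels[i:])
    return None


def check(addr, ntas):
    """Which NTA, if any, lets a DNSSEC-validating resolver accept an unsigned PTR for addr."""
    return covering_nta(reverse_name(addr), set(ntas))


if __name__ == "__main__":
    for addr in ("192.168.1.10", "fd12:3456:789a::1", "2001:db8::1"):
        print(addr, check(addr, BUILTIN_NTAS), check(addr, parse_negative_file(SAMPLE_NEGATIVE)))
```

With only the built-in subset, the ULA address has no covering anchor; with the sample file it is covered by d.f.ip6.arpa, while a global address is (correctly) covered by neither.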