Public bug reported:

DNSSEC is an established DNS extension that allows DNS records to be
cryptographically signed & validated. It can be enabled in “auto” (fallback)
mode, which does not enforce signed records, but uses them whenever
possible. We should enable that “fallback” mode by default in Ubuntu and
provide means to enforce DNSSEC, too.

It is currently turned off by default in systemd-resolved (in Debian & Ubuntu),
due to “compatibility issues with certain network access points”:

* https://salsa.debian.org/systemd-team/systemd/-/commit/e99d4d7c1f8fba6ea197c6dd7ecf6c7f0e8ac894
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959996

Upstream systemd, meanwhile, recommends the usage of `default-dnssec=allow-downgrade`.

Some specific issues observed in the past:
- bug #1628778
- bug #1682499
- bug #1690605
- bug #1857639

Due to issues like the ones mentioned above, we should provide an easy way to
disable DNSSEC. Therefore I think shipping drop-in configs for systemd-resolved
to set "[Resolve] DNSSEC=allow-downgrade" via a Recommends
"systemd-resolved-dnssec" package and to set "[Resolve] DNSSEC=yes" via an
(optional) systemd-resolved-dnssec-force package might be a feasible path. That
way the "*-dnssec*" packages could be removed to downgrade to "DNSSEC=no", while
the "*-dnssec-force" package could be installed to upgrade to "DNSSEC=yes", and
"DNSSEC=allow-downgrade" could remain the default. No need to modify the
"-Ddefault-dnssec=no" build flags.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: dnsmasq (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: bind9 (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: dnsmasq (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2117730

Title:
  Enable (opportunistic) DNSSEC

Status in bind9 package in Ubuntu:
  New
Status in dnsmasq package in Ubuntu:
  New
Status in systemd package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/2117730/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp