Dev/systemd-resolved
systemd-resolved is systemd's DNS stub resolver and caching service. This page documents DNSSEC-related behavior, security considerations, and selected upstream discussions relevant to Kicksecure.
Introduction
DNS resolution is security critical. If an attacker can influence DNS replies, they may be able to redirect traffic, weaken transport security assumptions, or selectively censor access.
This page documents systemd-resolved behavior and upstream discussions relevant to DNSSEC and related security expectations.
systemd-resolved Insecurity
Due to the history described in "Handling of Bug - systemd-resolved DNSSEC validation can be bypassed by MITM", systemd-resolved is considered unsuitable for Kicksecure.
systemd-resolved DNSSEC Development Priority
DNSSEC is a low priority for systemd-resolved developers.
"But yes, DNSSEC issues are not a high priority for us at the moment. Other DNS issues are more relevant."
July 2023: Lennart Poettering, systemd developer
Handling of Bug - systemd-resolved DNSSEC validation can be bypassed by MITM
Summary
It took the systemd developers at least 1 year to fix the DNSSEC-related security issue "resolved DNSSEC validation can be bypassed by MITM" in systemd-resolved.
- Timeline: Privately reported in October 2022; publicly reported in December 2022; fixed upstream in December 2023.
- CVE mention and backports: CVE-2023-7008 was mentioned in the public issue discussion on December 22, 2023; stable backport updates were posted on December 24, 2023.
- References: Upstream bug report | CVE page | Downstream tracking
- Status: Fixed.
A closely related (or even duplicate?) security issue, "systemd-resolved: DNSSEC doesn't prevent MITM", had been reported already in 2020.
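The bug class behind this issue, an on-path attacker stripping signatures so that an unsigned answer is accepted, and the fix named in the thread ("actually check authenticated flag of SOA transaction") can be illustrated with a small model of the validator's decision. This is a constructed example written for this page, not systemd's code; the `Transaction` fields and the `check_auth_flag` switch are assumptions that stand in for resolved's real data structures.

```python
"""Simplified model of the DNSSEC downgrade check fixed in systemd-resolved.
Constructed example; field and function names are assumptions, not systemd code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """Result of one DNS lookup as the validator sees it (simplified)."""
    has_rrsig: bool       # were RRSIG records present on the answer
    authenticated: bool   # did DNSSEC validation succeed for this lookup


def zone_proven_unsigned(soa_proof: Transaction, check_auth_flag: bool) -> bool:
    """Decide whether the zone may legitimately be unsigned, based on the
    auxiliary SOA lookup. With check_auth_flag=False (the pre-fix behaviour as
    modelled here) the flag is ignored, so a signature-stripped SOA lookup is
    taken as proof that the zone has no DNSSEC at all."""
    if check_auth_flag and not soa_proof.authenticated:
        return False          # an unverified proof proves nothing
    return not soa_proof.has_rrsig


def accept_answer(answer: Transaction, soa_proof: Transaction,
                  check_auth_flag: bool) -> bool:
    """Return True if the validator would hand the answer to the client."""
    if answer.has_rrsig:
        return answer.authenticated
    # Unsigned answer: only acceptable when the zone is provably unsigned.
    return zone_proven_unsigned(soa_proof, check_auth_flag)


# Constructed scenarios: (answer transaction, SOA proof transaction).
SIGNED_OK = (Transaction(True, True), Transaction(True, True))
# Zone really is unsigned; its insecure status was proven via the parent zone.
INSECURE_ZONE = (Transaction(False, False), Transaction(False, True))
# On-path attacker removed RRSIGs from both the answer and the SOA lookup.
STRIPPED = (Transaction(False, False), Transaction(False, False))


def outcomes(check_auth_flag: bool) -> dict:
    """Map each scenario to whether the answer is accepted."""
    return {
        "signed": accept_answer(*SIGNED_OK, check_auth_flag),
        "insecure_zone": accept_answer(*INSECURE_ZONE, check_auth_flag),
        "stripped": accept_answer(*STRIPPED, check_auth_flag),
    }


if __name__ == "__main__":
    print("pre-fix :", outcomes(check_auth_flag=False))
    print("post-fix:", outcomes(check_auth_flag=True))
```

Only the `stripped` scenario changes between the two modes: without the flag check the forged, signature-less lookup is treated as a valid proof that the zone is unsigned, which is exactly the downgrade the thread describes.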
Details
The following are verbatim excerpts from the upstream issue thread and related references, presented to document the timeline and statements made by participants.
October 2022 to November 2022 (attempted private disclosure, as described by the reporter):
"Please note that I have repeatedly tried to report this issue to the systemd-security mailing list. I sent a mail with the details and reproduction steps to the systemd-security address on Oct 6th, Oct 14th and Oct 22nd. I first received a reply on Oct 24th from Lennart Poettering, asking for some basic system information, which I provided on the same day. Then I received no further reply, so I sent the report one more time to systemd-security on Nov 7th. The next day Poettering replied to my previous mail, asking for a debug log, but not directly acknowledging the issue. I sent debug logs on Nov 10th and haven't heard back from anyone since then."
https://github.com/systemd/systemd/issues/25676
December 8, 2022 (issue opened):
"opened on Dec 8, 2022"
https://github.com/systemd/systemd/issues/25676
July 12, 2023 (third-party confirmation in-thread):
"Yes, I confirm this is a serious bug. It allows downgrading to unsigned responses, which are accepted by resolved just fine. Anyone who just strips signatures can forge anything they want."
https://github.com/systemd/systemd/issues/25676#issuecomment-1632289169
July 13, 2023 (upstream maintainer statement about prioritization and status):
"The DNSSEC support in resolved is off by default for a reason, and it's not complete."
Lennart Poettering, systemd developer
July 13, 2023 (upstream maintainer statement about prioritization):
"But yes, DNSSEC issues are not a high priority for us at the moment. Other DNS issues are more relevant."
Lennart Poettering, systemd developer
December 1, 2023 (status inquiry in-thread):
"any progress fixing this issue? At least some candidate fixes?"
https://github.com/systemd/systemd/issues/25676#issuecomment-1835842530
December 20, 2023 (fix work referenced in-thread):
"resolved: actually check authenticated flag of SOA transaction"
https://github.com/systemd/systemd/issues/25676#issuecomment-1835842530
December 21, 2023 (issue closed as completed):
"closed this as completed in #30549 on Dec 21, 2023"
https://github.com/systemd/systemd/issues/25676
December 22, 2023 (downstream CVE triage noted in-thread):
"Doing some CVE triage in another downstream distribution, I noticed https://bugzilla.redhat.com/show_bug.cgi?id=2222672 which has CVE-2023-7008 and seems to relate to this problem."
https://github.com/systemd/systemd/issues/25676#issuecomment-1867335597
December 22, 2023 (CVE request attribution, as stated in-thread):
"I did, I requested a review by Red Hat security response team."
https://github.com/systemd/systemd/issues/25676#issuecomment-1867901065
December 22, 2023 (reporter statement about CVE request):
"(I did however not request this CVE.)"
https://github.com/systemd/systemd/issues/25676#issuecomment-1867564181
December 24, 2023 (stable backports listed in-thread):
"Ok the following backported commits with associated stable tags have been pushed:"
@bluca, Luca Boccassi, systemd developer
"FWIW this issue has been known since 2020: #15158"
https://github.com/systemd/systemd/issues/25676#issuecomment-1633308547