dns resolver does not support dnssec

Bug #288011 reported by Curt Sampson
This bug affects 6 people
Affects          Status        Importance  Assigned to  Milestone
glibc (Ubuntu)   Fix Released  Wishlist    Unassigned   -

Bug Description

RES_USE_DNSSEC is not defined in /usr/include/resolv.h. Even if I do set bit 0x02000000 (the usual definition of this) in the options for res_query, and I have "options edns0" in my resolv.conf, I don't get an authenticated response from the server.

I've attached a pcap file with three queries. The first is generated by DIG, and shows that the server is authenticating data when requested. The second and third were generated by OpenSSH. I note that the first and third queries appear to be identical except for the port number and request ID; from the trace I cannot see why the server authenticated the first response, but not the second.

Anyway, this is a security issue for those of us who rely on DNSSEC.

Tags: patch dns dnssec
Revision history for this message
Curt Sampson (cjs-cynic) wrote :
Changed in glibc:
status: New → Confirmed
importance: Undecided → Wishlist
Hauke Lampe (hauke) wrote :

Here's one for the wishlist:

This patch allows applications to set the RES_USE_DNSSEC resolver option, so that the resolver adds DO=1 in EDNS0 queries. EDNS0 needs to be enabled with RES_USE_EDNS0 or "options edns0" in /etc/resolv.conf

It does not include any form of DNSSEC validation.

This patch also adds "options dnssec-ok" for /etc/resolv.conf, though it should be used only when really needed.

More words here:
http://bd.hauke-lampe.de/dnssec/adding-res_use_dnssec-to-glibc.html
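What the patch above asks of the stub resolver is narrow: when RES_USE_EDNS0 and RES_USE_DNSSEC are both set, append an EDNS0 OPT pseudo-RR with DO=1 to the outgoing query so the upstream server returns RRSIGs and, if it validates, sets the AD bit. The added example below is not code from the bug, the patch or glibc; it reconstructs that wire-format step and the two checks a caller wants afterwards (is DO set in what we sent, is AD set in what came back) over a constructed query for example.com. Helper names (add_edns0_opt, edns0_do_flag, ad_flag_set, build_sample_query) are assumed for illustration. Note the caveat the comment itself makes: none of this validates anything locally, so an AD bit is only worth as much as the path to the recursive server that set it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OPT RR type (RFC 6891). The DO bit is the top bit of the low 16 bits of
   the OPT TTL field; the high 16 bits carry extended RCODE and version. */
#define DNS_TYPE_OPT 41
#define DNS_OPT_DO   0x8000u

/* Constructed sample: header (ID 0x1234, RD=1, QDCOUNT=1) plus the question
   "example.com IN A", laid out as res_mkquery would emit it. */
size_t build_sample_query(unsigned char *buf, size_t cap)
{
    static const unsigned char q[] = {
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
        0x00, 0x01, 0x00, 0x01
    };
    if (cap < sizeof q) return 0;
    memcpy(buf, q, sizeof q);
    return sizeof q;
}

/* Hypothetical helper: append one OPT pseudo-RR (root owner, CLASS = UDP
   payload size, DO set when dnssec_ok != 0, empty RDATA) and bump ARCOUNT.
   Returns the new message length, or 0 if there is no room. */
size_t add_edns0_opt(unsigned char *msg, size_t len, size_t cap,
                     uint16_t udp_size, int dnssec_ok)
{
    if (len < 12 || len > cap || cap - len < 11) return 0;
    uint16_t flags = dnssec_ok ? DNS_OPT_DO : 0;
    unsigned char *p = msg + len;
    *p++ = 0;                                        /* owner: "." */
    *p++ = 0; *p++ = DNS_TYPE_OPT;                   /* TYPE */
    *p++ = udp_size >> 8; *p++ = udp_size & 0xff;    /* CLASS = payload size */
    *p++ = 0; *p++ = 0;                              /* ext RCODE, version */
    *p++ = flags >> 8; *p++ = flags & 0xff;          /* DO + Z bits */
    *p++ = 0; *p++ = 0;                              /* RDLENGTH */
    uint16_t arcount = (uint16_t)((msg[10] << 8) | msg[11]);
    arcount++;
    msg[10] = arcount >> 8; msg[11] = arcount & 0xff;
    return len + 11;
}

/* Skip a (possibly compressed) domain name; returns 0 on malformed input. */
static size_t skip_name(const unsigned char *msg, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = msg[off];
        if (l == 0) return off + 1;
        if ((l & 0xc0) == 0xc0) return off + 2 <= len ? off + 2 : 0;
        if (l & 0xc0) return 0;                      /* reserved label type */
        off += 1 + l;
    }
    return 0;
}

/* Walk all four sections. Returns 1 if an OPT RR in the additional section
   has DO set, 0 if an OPT RR is present without DO, -1 if none or malformed. */
int edns0_do_flag(const unsigned char *msg, size_t len)
{
    if (len < 12) return -1;
    uint16_t counts[4];
    for (int i = 0; i < 4; i++)
        counts[i] = (uint16_t)((msg[4 + 2 * i] << 8) | msg[5 + 2 * i]);
    size_t off = 12;
    for (uint16_t q = 0; q < counts[0]; q++) {       /* question section */
        off = skip_name(msg, len, off);
        if (!off || off + 4 > len) return -1;
        off += 4;                                    /* QTYPE, QCLASS */
    }
    int result = -1;
    for (int sec = 1; sec < 4; sec++) {              /* AN, NS, AR */
        for (uint16_t r = 0; r < counts[sec]; r++) {
            off = skip_name(msg, len, off);
            if (!off || off + 10 > len) return -1;
            uint16_t type  = (uint16_t)((msg[off] << 8) | msg[off + 1]);
            uint16_t rdlen = (uint16_t)((msg[off + 8] << 8) | msg[off + 9]);
            if (sec == 3 && type == DNS_TYPE_OPT) {
                uint16_t flags = (uint16_t)((msg[off + 6] << 8) | msg[off + 7]);
                result = (flags & DNS_OPT_DO) ? 1 : 0;
            }
            off += 10 + rdlen;
            if (off > len) return -1;
        }
    }
    return result;
}

/* AD ("authenticated data") is bit 0x20 of header byte 3 (RA Z AD CD RCODE). */
int ad_flag_set(const unsigned char *msg, size_t len)
{
    return len >= 12 && (msg[3] & 0x20) != 0;
}

int main(void)
{
    unsigned char buf[512];
    size_t len = build_sample_query(buf, sizeof buf);
    printf("plain query: %zu bytes, DO = %d\n", len, edns0_do_flag(buf, len));
    len = add_edns0_opt(buf, len, sizeof buf, 4096, 1);
    printf("with OPT/DO: %zu bytes, DO = %d\n", len, edns0_do_flag(buf, len));
    return 0;
}
```

With a patched or 2.11+ glibc the equivalent is to set `_res.options |= RES_USE_EDNS0 | RES_USE_DNSSEC;` after `res_init()` and before `res_query()`; the library then appends the OPT RR itself. Run `edns0_do_flag` on a pcap-extracted query to confirm DO actually went out, and `ad_flag_set` on the reply; a DO=1 query with no AD in the reply is exactly the symptom the reporter saw for the OpenSSH queries.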

Hauke Lampe (hauke) wrote :

glibc 2.11 supports RES_USE_DNSSEC:
http://sources.redhat.com/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2d0671cbbdade9013d6fd5153d01bd5e1d3f60cb

Attached is a backport patch from 2.11 against Ubuntu's glibc-2.9-4ubuntu6.1, including a necessary bugfix for https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/395196

Hauke Lampe (hauke) wrote :

Followup: Thanks to the nice PPA system, I now have binary packages available for libc and openssh:
https://launchpad.net/~hauke/+archive/dnssec-enabled (jaunty and karmic tested, hardy untested)

http://bd.hauke-lampe.de/dnssec/dnssec-enabled-ubuntu-packages.html

tags: added: dnssec
tags: added: dns
Steve Beattie (sbeattie)
tags: added: patch-needswork
tags: added: patch
removed: patch-needswork
Neal McBurnett (nealmcb) wrote :

What is the status of this for currently supported Ubuntu distributions?

Laurent Bonnaud (laurent-bonnaud) wrote :

Ubuntu 17.04 now uses systemd-resolved to perform DNS resolution and systemd-resolved does support DNSSEC:

# journalctl |grep DNSSEC
Mar 12 14:57:53 xeelee systemd-resolved[25023]: DNSSEC validation failed for question ubuntu.com IN DS: failed-auxiliary
Mar 12 14:57:53 xeelee systemd-resolved[25023]: DNSSEC validation failed for question ubuntu.com IN SOA: failed-auxiliary

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
This report contains Public Security information: everyone can see this security-related information.
