diff -Nru systemd-242/debian/changelog systemd-242/debian/changelog --- systemd-242/debian/changelog 2019-10-02 14:13:28.000000000 +0200 +++ systemd-242/debian/changelog 2019-10-04 20:36:18.000000000 +0200 @@ -1,3 +1,12 @@ +systemd (242-7ubuntu2) eoan; urgency=medium + + * d/p/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch + Fix regression introduced by + resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch when + DNSSEC=yes (LP: #1796501) + + -- Victor Tapia Fri, 04 Oct 2019 20:36:18 +0200 + systemd (242-7ubuntu1) eoan; urgency=medium * Merge from unstable diff -Nru systemd-242/debian/patches/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch systemd-242/debian/patches/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch --- systemd-242/debian/patches/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch 1970-01-01 01:00:00.000000000 +0100 +++ systemd-242/debian/patches/resolved_disable-connection-downgrade-when-DNSSEC-yes.patch 2019-10-04 20:36:18.000000000 +0200 @@ -0,0 +1,45 @@ +From: Victor Tapia +Date: Fri, 04 Oct 2019 22:25:11 +0100 +Subject: resolved: disable connection downgrade when DNSSEC=yes. + +resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch introduced a +regression for clients with DNSSEC=yes when the connection is downgraded to +UDP+EDNS0, marking the DNS server as incompatible and disabling DNS resolution. +This patch is a refresh of the PR commit disables the downgrade when DNSSEC=yes. + +PR: https://github.com/systemd/systemd/pull/8608 + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796501 +--- +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -1027,24 +1027,24 @@ + /* Some captive portals are special in that the Aruba/Datavalet hardware will miss replacing the + * packets with the local server IP to point to the authenticated side of the network if EDNS0 is + * enabled. Instead they return NXDOMAIN, with DO bit set to zero... nothing to see here, yet respond +- * with the captive portal IP, when using UDP level. ++ * with the captive portal IP, when using the more simple UDP level. + * + * Common portal names that fail like so are: + * secure.datavalet.io + * securelogin.arubanetworks.com + * securelogin.networks.mycompany.com + * +- * Thus retry NXDOMAIN RCODES for "secure" things with a lower feature level. ++ * Thus retry NXDOMAIN RCODES with a lower feature level. + * + * Do not "clamp" the feature level down, as the captive portal should not be lying for the wider +- * internet (e.g. _other_ queries were observed fine with EDNS0 on these networks) ++ * internet (e.g. _other_ queries were observed fine with EDNS0 on these networks, post auth) + * + * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md + */ +- if (DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN && t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { ++ if (DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN && t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0 && t->scope->dnssec_mode != DNSSEC_YES) { + char key_str[DNS_RESOURCE_KEY_STRING_MAX]; + dns_resource_key_to_string(t->key, key_str, sizeof key_str); +- t->current_feature_level = t->current_feature_level - 1; ++ t->current_feature_level = DNS_SERVER_FEATURE_LEVEL_UDP; + log_warning("Server returned error %s, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level %s.", + dns_rcode_to_string(DNS_PACKET_RCODE(p)), + dns_server_feature_level_to_string(t->current_feature_level)); diff -Nru systemd-242/debian/patches/series systemd-242/debian/patches/series --- systemd-242/debian/patches/series 2019-10-02 14:13:28.000000000 +0200 +++ systemd-242/debian/patches/series 2019-10-04 20:36:18.000000000 +0200 @@ -61,3 +61,4 @@ rdrand-workaround-on-amd.patch Skip-falling-back-to-device-name-when-net_get_name-device.patch test-execute-Filter-dev-.lxc-in-exec-dynamicuser-statedir.patch +resolved_disable-connection-downgrade-when-DNSSEC-yes.patch