[systemd-devel] systemd-resolved: Concerns raised about cache handling
Florian Weimer
fweimer at redhat.com
Mon Nov 17 10:43:28 PST 2014
On the oss-security mailing list, Sebastian Kramer raised some concerns
about the DNS implementation in systemd-resolved:
<http://www.openwall.com/lists/oss-security/2014/11/12/5>
I share his concerns, particularly those about caching data not directly
pertaining to a response (and they were the reason why I asked about
cache dumping because it's so much easier to show this with this
debugging aid). I don't consider this so much a security vulnerability,
but an interoperability failure in the making (because there are
networks where broken recursive resolvers do not filter out incorrect or
misleading data). So I'm more worried about accidents than attacks.
Some of the other recommendations in RFC 5452 are also relevant to
caching stubs. (Sadly, the RFC is incomplete, there is little public
documentation on how to actually write interoperable DNS resolvers.)
For example, I'm not sure if it is necessary to implement elaborate
CNAME processing, or just cache everything in the answer section with
the expected RR type, irrespective of the owner name of the resource
records, and under the minimum TTL of the entire answer section. Even
if you follow CNAME chains, you should only use the initial name (QNAME)
as a cache lookup key; adding the entire CNAME chain can still lead to
cache poisoning.
--
Florian Weimer / Red Hat Product Security
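The caching rule sketched in the last paragraph, worked through as an added example (this is illustration code, not systemd-resolved's implementation and not code from the post). It models a stub-resolver cache in Python with two insertion strategies: a naive one that caches every record from every section under the record's own owner name, and the conservative one described above, which looks only at the answer section, keeps only records of the type that was asked for whatever their owner name, keys them under the original QNAME, and uses the smallest TTL in the whole answer section. The RR/Response types, the function names and the sample reply (a CNAME chain plus an unrelated additional-section record, the kind of "misleading data" a broken recursive resolver might pass along) are all constructed for this example.

```python
"""Stub-resolver cache insertion: naive 'cache every record' versus the
conservative rule (answer section only, expected RR type, keyed by the
original QNAME, minimum TTL of the whole answer section).
Added example; not systemd-resolved code. The RR/Response types and the
sample reply are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str   # owner name of the record
    rtype: str   # "A", "CNAME", ...
    ttl: int
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


# cache entry: (records, ttl); key: (normalised name, RR type)
Cache = Dict[Tuple[str, str], Tuple[List[RR], int]]


def norm(name: str) -> str:
    """DNS names are case-insensitive; compare them in one canonical form."""
    return name.rstrip(".").lower() + "."


def cache_everything(cache: Cache, resp: Response) -> None:
    """Naive insertion: every RR from every section is cached under its
    own owner name and type, exactly as the upstream server sent it.
    A broken or malicious upstream can therefore plant records for names
    that were never asked about (additional section, CNAME targets)."""
    grouped: Dict[Tuple[str, str], List[RR]] = {}
    for rr in resp.answer + resp.authority + resp.additional:
        grouped.setdefault((norm(rr.owner), rr.rtype), []).append(rr)
    for key, rrs in grouped.items():
        cache[key] = (rrs, min(rr.ttl for rr in rrs))


def cache_answer_for_qname(cache: Cache, resp: Response) -> bool:
    """Conservative insertion:
      * look only at the answer section (authority/additional are dropped),
      * keep only records of the type that was asked for, whatever their
        owner name (so a CNAME chain still yields the final A records),
      * store them under the original QNAME/QTYPE only, never under the
        CNAME targets, so an unrelated name can't be primed via a chain,
      * use the smallest TTL in the whole answer section, since the answer
        is only valid while every link of the chain is.
    Returns False when nothing cacheable was found (negative caching is
    deliberately out of scope here)."""
    wanted = [rr for rr in resp.answer if rr.rtype == resp.qtype]
    if not wanted:
        return False
    ttl = min(rr.ttl for rr in resp.answer)
    cache[(norm(resp.qname), resp.qtype)] = (wanted, ttl)
    return True


def lookup(cache: Cache, name: str, qtype: str) -> Optional[Tuple[List[str], int]]:
    """Return (rdata list, ttl) for a cached name/type, or None on a miss."""
    entry = cache.get((norm(name), qtype))
    if entry is None:
        return None
    rrs, ttl = entry
    return [rr.rdata for rr in rrs], ttl


# Constructed reply for "www.example.com A": a CNAME chain in the answer
# section plus an unrelated A record in the additional section, as a broken
# recursive resolver that does no bailiwick filtering might pass along.
SAMPLE = Response(
    qname="www.example.com",
    qtype="A",
    answer=[
        RR("www.example.com.", "CNAME", 300, "host.example.net."),
        RR("host.example.net.", "A", 60, "192.0.2.10"),
    ],
    additional=[
        RR("ns.victim.example.", "A", 86400, "198.51.100.66"),
    ],
)


def demo() -> Tuple[Cache, Cache]:
    """Feed the same reply to both strategies and return both caches."""
    naive: Cache = {}
    careful: Cache = {}
    cache_everything(naive, SAMPLE)
    cache_answer_for_qname(careful, SAMPLE)
    return naive, careful


if __name__ == "__main__":
    naive, careful = demo()
    for label, c in (("naive", naive), ("careful", careful)):
        print(label, sorted(c))
```

Running it shows the difference: the naive cache now answers queries for ns.victim.example and host.example.net from data that was never the subject of the question, while the conservative cache holds exactly one entry, www.example.com/A with rdata 192.0.2.10 and TTL 60 (the CNAME's 300 is capped by the A record's 60). No CNAME processing beyond "take the records of the expected type" was needed.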