[systemd-devel] resolved: does DNSSEC=allow-downgrade affect caching?
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Wed Apr 13 13:46:26 UTC 2016
On Wed, Apr 13, 2016 at 04:43:27PM +0300, Ran Benita wrote:
> On Wed, Apr 13, 2016 at 01:04:17PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> > On Wed, Apr 13, 2016 at 02:26:49PM +0300, Ran Benita wrote:
> > > coredumpctl doesn't show the crash so can't say what it's about. Maybe
> > > it's a distro problem (archlinux) or it's fixed in git.
> >
> > It's probably the bug that was fixed in https://github.com/systemd/systemd/pull/2702.
>
> Thanks.
>
> BTW, this brings up this thought: say I'm a system administrator and I
> set DNSSEC=yes, and rely on it to fail any unauthenticated lookups. If
> resolved crashes for some reason, the nss module will just start using
> the fallback, which probably doesn't fail unauthenticated lookups. So
> it's fail-open, IIUC. Maybe the nss module should look at the DNSSEC=
> setting?
Good point. Definitely something to consider in the long run.
Zbyszek
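
The fail-open condition raised above can be audited from configuration. This is an added example, not part of the original thread or of systemd's code: it assumes a setup where nss-resolve reports UNAVAIL when resolved is not running and glibc then follows the `hosts:` line of nsswitch.conf. All function names and the sample file contents are constructed for illustration.

```python
import re

STRICT = {"yes", "true", "1", "on"}  # boolean spellings systemd accepts for DNSSEC=yes

def dnssec_setting(resolved_conf):
    """Last DNSSEC= value in the [Resolve] section, lowercased ('' if unset)."""
    section, value = None, ""
    for raw in resolved_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Resolve" and "=" in line and line.split("=", 1)[0].strip() == "DNSSEC":
            value = line.split("=", 1)[1].strip().lower()
    return value

def hosts_tokens(nsswitch):
    """Sources and [action] groups from the hosts: line, in order."""
    for raw in nsswitch.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):])
    return []

def unavail_returns(action):
    """True if an [action] group makes the lookup stop (return) on status UNAVAIL."""
    result = False
    for item in action.strip("[]").lower().split():
        status, _, act = item.partition("=")
        if (status.lstrip("!") == "unavail") != status.startswith("!"):
            result = act == "return"  # last item that covers UNAVAIL wins
    return result

def resolve_fallback_fails_open(nsswitch, resolved_conf):
    """True if DNSSEC= is strict but an unavailable resolved lets lookups reach nss-dns."""
    tokens = hosts_tokens(nsswitch)
    if dnssec_setting(resolved_conf) not in STRICT or "resolve" not in tokens:
        return False
    after = tokens[tokens.index("resolve") + 1:]
    stops = bool(after) and after[0].startswith("[") and unavail_returns(after[0])
    return "dns" in after and not stops

# Constructed sample inputs (not taken from the thread).
RESOLVED_CONF = "[Resolve]\nDNSSEC=yes\n"
FALLBACK = "hosts: files resolve [!UNAVAIL=return] dns\n"  # UNAVAIL continues to dns
CLOSED = "hosts: files resolve [UNAVAIL=return] dns\n"     # UNAVAIL ends the lookup

if __name__ == "__main__":
    for name, conf in (("fallback", FALLBACK), ("closed", CLOSED)):
        print(name, resolve_fallback_fails_open(conf, RESOLVED_CONF))
```

With `[!UNAVAIL=return]` every status except UNAVAIL ends the lookup, so an unavailable resolved is exactly the case that continues on to `dns`.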