Matthew Grant
2012-Jul-01 21:55 UTC
[Secure-testing-team] Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC
Package: libc6
Version: 2.13-34
Severity: Serious
Tags: security

Hi!

I am submitting this report as there seems to be no easy way to get DNSSEC validation happening for all DNS lookups. This is a litmus test to make sure we cover this matter, or see if we have an easy procedure in wheezy to enable client DNSSEC validation.

With the DNS root zone now signed, and .org and .net, and many soon to be done country specific TLDs, there does not appear to be any easy way of taking advantage of this in wheezy or sid.

From my investigations this can only be enabled by recompiling each bit of software to set the RES_USE_DNSSEC flag in _res.options, as well as RES_USE_EDNS0. (Please see racoon bug #679483). The enablement method is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c

Please create a resolv.conf flag so that RES_USE_DNSSEC is available to the systems administrator, and maybe a debconf screen to select it.

This is about proactively avoiding DNS spoofing and securing against it.

Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-34
ii  libgcc1   1:4.7.1-2

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.44
ii  glibc-doc              2.13-34
ii  locales                2.13-34

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false