diff options
author | Ronan Pigott <ronan@rjp.ie> | 2024-03-06 03:03:16 +0100 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-03-08 00:01:08 +0100 |
commit | abcc94b351ad030bce63568f6c4bc3f97fbaa109 (patch) | |
tree | 4b2dff7cd309948aced1d8ea85e2d2846aa3a740 /src/coredump | |
parent | Add more unit test to cover the uid_range_covers inside the uid-range.c file... (diff) | |
download | systemd-abcc94b351ad030bce63568f6c4bc3f97fbaa109.tar.xz systemd-abcc94b351ad030bce63568f6c4bc3f97fbaa109.zip |
resolved: don't cache NXDOMAIN for SUDN resolver.arpa
The name resolver.arpa is reserved for RFC9462 "Discovery of Designated
Resolvers" (DDR). This relies on regular dns queries for SVCB records at
the special use domain name _dns.resolver.arpa. Unfortunately, older
nameservers (or broken ones) won't know about this SUDN and will likely
return NXDOMAIN. If this is cached, the cache entry will become an
impediment for any clients trying to discover designated resolvers
through the stub-resolver, or potentially even sd-resolved itself, were
it to implement DDR.
The RFC recommendation is that "clients MUST NOT perform A or AAAA
queries for resolver.arpa", and "resolvers SHOULD respond to queries of
any type other than SVCB for _dns.resolver.arpa. with NODATA and queries
of any type for any domain name under resolver.arpa with NODATA." which
should help avoid potential compatibility issues. This enforces that
condition within sd-resolved, and avoids caching any such erroneous
NXDOMAIN.
The RFC also recommends requests for this domain should never be
forwarded, to prevent authentication failures. Since there isn't much
point in establishing secure communication to the local stub, we still
allow SVCB to be forwarded from the stub, in case the client cares to
implement some other authentication method and understands the
consequences of skipping the local stub. Normal clients are not
expected to implement DDR, but this change will protect sd-resolved's
own caches in case they try.
Although A and AAAA are prohibited, I think validating resolvers
might reasonably query for dnssec records, even though the resolver.arpa
zone does not exist (it is declared to be a locally served zone). For
this reason, I have also added resolver.arpa to the builtin dnssec NTA.
Diffstat (limited to 'src/coredump')
0 files changed, 0 insertions, 0 deletions