oss-sec mailing list archives

Re: Re: CVE-request: systemd-resolved DNS cache poisoning


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 13 Nov 2014 08:03:36 -1000

On 11/13/2014 04:56 AM, Florian Weimer wrote:

> I asked Bert to be sure, and he says that it was his intent that the
> advice applied to non-recursive resolvers as well.  (Note that
> systemd-resolved is more than a minimal stub because it has a cache.)

I have to agree with Florian here.

It's possible that RFC 5452 was the wrong citation, since it seems to be
devoted mainly to making sure that you don't accept packets from remote
DNS servers you didn't request them from.

The problem with systemd-resolved, as I understand it, is not that it's
accepting packets from DNS servers it didn't request from, but that it's
caching unrelated responses in those records.

This isn't typically an issue for cache-less stub resolvers, because
they're being invoked by things like gethostbyname(), which might
receive the extra information but won't actually process it, cache it,
or do anything with it.

It sounds like a vulnerability to me, and I hope that MITRE will
reconsider its decision here.

        --dkg
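To make the distinction drawn in the message concrete, here is an added Python example; it is not code from this thread, from systemd-resolved, or from RFC 5452. It builds a toy cache that either stores every record a response carries (the behaviour the message objects to) or stores only the records that actually answer the question. The filtering rule used here (owner name equals the question name, or a name reached from it through a CNAME chain in the same answer section; nothing from the additional section) is one conservative policy for a caching stub and is an assumption of the example, not something the thread prescribes. All names and addresses are constructed.

```python
"""Toy DNS cache contrasting 'cache everything in the response' with
'cache only records that answer the question'.  Added example; names
and addresses are constructed (.test names, RFC 5737 documentation
addresses)."""

from dataclasses import dataclass


def norm(name: str) -> str:
    """Canonical owner name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A", "CNAME", ...
    rdata: str   # address or CNAME target


@dataclass(frozen=True)
class Response:
    qname: str          # name the client asked about
    qtype: str
    answers: tuple      # answer section
    additional: tuple   # additional section: glue, or anything else the sender put there


def relevant_records(resp: Response) -> list:
    """Keep only answer records whose owner is the question name or a name
    reached from it through a CNAME chain inside the same answer section.
    Additional-section records are never kept: the client did not ask for them."""
    names = {norm(resp.qname)}
    grew = True
    while grew:                      # follow the CNAME chain to a fixed point
        grew = False
        for rr in resp.answers:
            if rr.rtype == "CNAME" and norm(rr.name) in names:
                target = norm(rr.rdata)
                if target not in names:
                    names.add(target)
                    grew = True
    return [rr for rr in resp.answers if norm(rr.name) in names]


class Cache:
    def __init__(self, filter_unrelated: bool):
        self.filter_unrelated = filter_unrelated
        self.store = {}              # (name, rtype) -> set of rdata

    def ingest(self, resp: Response) -> int:
        """Add a response to the cache; return how many records were stored."""
        if self.filter_unrelated:
            rrs = relevant_records(resp)
        else:
            rrs = list(resp.answers) + list(resp.additional)
        for rr in rrs:
            self.store.setdefault((norm(rr.name), rr.rtype), set()).add(rr.rdata)
        return len(rrs)

    def lookup(self, name: str, rtype: str) -> set:
        return self.store.get((norm(name), rtype), set())


# Constructed response: a plausible answer for www.example.test that also
# carries an A record for an unrelated name in its additional section.
RESPONSE_WITH_EXTRA = Response(
    qname="www.example.test.", qtype="A",
    answers=(RR("www.example.test.", "CNAME", "cdn.example.test."),
             RR("cdn.example.test.", "A", "192.0.2.20")),
    additional=(RR("login.example.test.", "A", "203.0.113.66"),),
)


def demo() -> dict:
    naive = Cache(filter_unrelated=False)
    strict = Cache(filter_unrelated=True)
    naive.ingest(RESPONSE_WITH_EXTRA)
    strict.ingest(RESPONSE_WITH_EXTRA)
    return {
        # stored although the client never asked about login.example.test
        "naive_login": naive.lookup("login.example.test", "A"),
        # the filtering cache has nothing for that name
        "strict_login": strict.lookup("login.example.test", "A"),
        # kept: cdn.example.test is reached via the CNAME chain from the question
        "strict_cdn": strict.lookup("cdn.example.test", "A"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(value))
```

The naive cache ends up answering a later `login.example.test` query from data it never requested, which is the point the message makes about a cache-less stub versus one with a cache: `gethostbyname()` would have ignored the extra record, while a cache that keeps it turns every response into a write to unrelated names.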
