resolved: turn on DNSSEC by default, unless configured otherwise
authorLennart Poettering <lennart@poettering.net>
Mon, 15 Feb 2016 17:40:02 +0000 (18:40 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 16 Feb 2016 14:22:05 +0000 (15:22 +0100)
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.

DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this, support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.

Makefile.am
NEWS
configure.ac
src/resolve/resolved-manager.c
src/resolve/resolved.conf.in

index 9bc0bf2c057c723f05dd5dd5d0fac8e0a4ad6a9e..8c151f538fceb0353a9d4a035499b84d16d9c5f5 100644 (file)
@@ -5759,6 +5759,7 @@ substitutions = \
        '|PYTHON=$(PYTHON)|' \
        '|NTP_SERVERS=$(NTP_SERVERS)|' \
        '|DNS_SERVERS=$(DNS_SERVERS)|' \
+       '|DEFAULT_DNSSEC_MODE=$(DEFAULT_DNSSEC_MODE)|' \
        '|systemuidmax=$(SYSTEM_UID_MAX)|' \
        '|systemgidmax=$(SYSTEM_GID_MAX)|' \
        '|TTY_GID=$(TTY_GID)|' \
diff --git a/NEWS b/NEWS
index 80e59c53d39ed59116c6a828081264949644ccb0..0cce79443b1f9d1745ec74eb98841a969afbfcd2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,23 @@ systemd System and Service Manager
 
 CHANGES WITH 230 in spe:
 
+        * DNSSEC is now turned on by default in systemd-resolved (in
+          "allow-downgrade" mode), but may be turned off during compile time by
+          passing "--with-default-dnssec=no" to "configure" (and of course,
+          during runtime with DNSSEC= in resolved.conf). We recommend
+          downstreams to leave this on at least during development cycles and
+          report any issues with the DNSSEC logic upstream. We are very
+          interested in collecting feedback about the DNSSEC validator and its
+          limitations in the wild. Note however, that DNSSEC support is
+          probably nothing downstreams should turn on in stable distros just
+          yet, as it might create incompabilities with a few DNS servers and
+          networks. We tried hard to make sure we downgrade to non-DNSSEC mode
+          automatically whenever we detect such incompatible setups, but there
+          might be systems we do not cover yet. Hence: please help us testing
+          the DNSSEC code, leave this on where you can, report back, but then
+          again don't consider turning this on in your stable, LTS or
+          production release just yet.
+
         * Testing tool /usr/lib/systemd/systemd-activate is renamed to
           systemd-socket-activate and installed into /usr/bin. It is now fully
           supported.
index 262f9e4fff627a3b35415c24af12a5a79a46488a..e72470a1999718867f4623ce37c4156ae45b7497 100644 (file)
@@ -1128,6 +1128,20 @@ AC_ARG_WITH(dns-servers,
 AC_DEFINE_UNQUOTED(DNS_SERVERS, ["$DNS_SERVERS"], [Default DNS Servers])
 AC_SUBST(DNS_SERVERS)
 
+AC_ARG_WITH(default-dnssec,
+        AS_HELP_STRING([--with-default-dnssec=MODE],
+               [Default DNSSEC mode, defaults to "allow-downgrade"]),
+        [DEFAULT_DNSSEC_MODE="$withval"],
+        [DEFAULT_DNSSEC_MODE="allow-downgrade"])
+
+AS_CASE("x${DEFAULT_DNSSEC_MODE}",
+        [xno], [mode=DNSSEC_NO],
+        [xyes], [mode=DNSSEC_YES],
+        [xallow-downgrade], [mode=DNSSEC_ALLOW_DOWNGRADE],
+        AC_MSG_ERROR(Bad DNSSEC mode ${DEFAULT_DNSSEC_MODE}))
+AC_DEFINE_UNQUOTED(DEFAULT_DNSSEC_MODE, [$mode], [Default DNSSEC mode])
+AC_SUBST(DEFAULT_DNSSEC_MODE)
+
 # ------------------------------------------------------------------------------
 have_networkd=no
 AC_ARG_ENABLE(networkd, AS_HELP_STRING([--disable-networkd], [disable networkd]))
@@ -1559,12 +1573,13 @@ AC_MSG_RESULT([
         hostnamed:               ${have_hostnamed}
         timedated:               ${have_timedated}
         timesyncd:               ${have_timesyncd}
-        default NTP servers:     ${NTP_SERVERS}
+        Default NTP servers:     ${NTP_SERVERS}
         time epoch:              ${TIME_EPOCH}
         localed:                 ${have_localed}
         networkd:                ${have_networkd}
         resolved:                ${have_resolved}
-        default DNS servers:     ${DNS_SERVERS}
+        Default DNS servers:     ${DNS_SERVERS}
+        Default DNSSEC mode:     ${DEFAULT_DNSSEC_MODE}
         coredump:                ${have_coredump}
         polkit:                  ${have_polkit}
         efi:                     ${have_efi}
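Review bot: In the first hunk the help string for `--with-default-dnssec` names only the default, while the `AS_CASE` below it rejects everything but "no", "yes" and "allow-downgrade", so a packager cannot see the accepted values without reading the macro body; `[Default DNSSEC mode: "no", "yes" or "allow-downgrade" (default)]` would document the contract where it is read. The intermediate shell variable `mode` is very generic for a file-wide configure script and could be clobbered by or clobber a later block; `dnssec_mode_define=DNSSEC_NO` (and the matching uses) would make the intent obvious. The error branch would also conventionally quote its m4 argument, `AC_MSG_ERROR([Bad DNSSEC mode "${DEFAULT_DNSSEC_MODE}"])`, consistent with the other `AC_*` calls in the hunk. The second hunk's "default" → "Default" capitalisation changes are unrelated to the feature and would be easier to follow as a separate commit.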
index bf5efe4cfa142f2827ec6d03420ef3bca1a0325d..09e15fa2303bbe864d7bdd095f29a981bd555f8c 100644 (file)
@@ -485,7 +485,7 @@ int manager_new(Manager **ret) {
 
         m->llmnr_support = RESOLVE_SUPPORT_YES;
         m->mdns_support = RESOLVE_SUPPORT_NO;
-        m->dnssec_mode = DNSSEC_NO;
+        m->dnssec_mode = DEFAULT_DNSSEC_MODE;
         m->read_resolv_conf = true;
         m->need_builtin_fallbacks = true;
         m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY;
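Review bot: The new default on the `m->dnssec_mode` line is a configure-time macro, but nothing in the C source says where it comes from or that it may be "allow-downgrade", i.e. opportunistic validation rather than hard-fail; a short comment would spare the next reader a trip to configure.ac, e.g. `/* build-time default (configure --with-default-dnssec), overridden by DNSSEC= in resolved.conf */`. This presumably relies on config.h being in scope for this unit as for the other build-time macros; worth confirming since an undefined macro here would fail to compile rather than silently fall back. manager_new's body starts and ends outside the hunk.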
index efc9c6733a3cfb23efe4e53f71f3294ecf21979c..a28858892463f77506cde4a4ff664ba77d368ab7 100644 (file)
@@ -16,4 +16,4 @@
 #FallbackDNS=@DNS_SERVERS@
 #Domains=
 #LLMNR=yes
-#DNSSEC=no
+#DNSSEC=@DEFAULT_DNSSEC_MODE@