From: Bertrand Jacquin Date: Wed, 27 Sep 2023 18:39:52 +0000 (+0100) Subject: resolved: register ipv4only.arpa are private domain X-Git-Tag: v255-rc1~393 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7406ebd5b6949999e94d50dbce4ee7ff41fcced0;p=thirdparty%2Fsystemd.git resolved: register ipv4only.arpa are private domain From RFC 8880: Because the 'ipv4only.arpa' zone has to be an insecure delegation, DNSSEC cannot be used to protect these answers from tampering by malicious devices on the path. Consequently, the 'ipv4only.arpa' zone MUST be an insecure delegation to give DNS64/NAT64 gateways the freedom to synthesize answers to those queries at will, without the answers being rejected by DNSSEC-capable resolvers. DNSSEC-capable resolvers that follow this specification MUST NOT attempt to validate answers received in response to queries for the IPv6 AAAA address records for 'ipv4only.arpa'. Note that the name 'ipv4only.arpa' has no use outside of being used for this special DNS pseudo-query used to learn the DNS64/NAT64 address synthesis prefix, so the lack of DNSSEC security for that name is not a problem. See: https://datatracker.ietf.org/doc/html/rfc8880#name-security-considerations --- diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c index ca670b30f1e..d626638c010 100644 --- a/src/resolve/resolved-dns-trust-anchor.c +++ b/src/resolve/resolved-dns-trust-anchor.c @@ -163,7 +163,15 @@ static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) { "private\0" /* Defined by RFC 8375. The most official choice. */ - "home.arpa\0"; + "home.arpa\0" + + /* RFC 8880 says because the 'ipv4only.arpa' zone has to + * be an insecure delegation, DNSSEC cannot be used to + * protect these answers from tampering by malicious + * devices on the path */ + "ipv4only.arpa\0" + "170.0.0.192.in-addr.arpa\0" + "171.0.0.192.in-addr.arpa\0"; int r;