From d33b6cf343f5a1e073c3060878d2cc5fed54d150 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 5 Jan 2016 22:13:56 +0100 Subject: resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers. --- man/resolved.conf.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man/resolved.conf.xml') diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 3209f73bc1..5da2d5488e 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -203,6 +203,15 @@ setting is in effect, unless it is unset in which case the global setting is used instead. + Site-private DNS zones generally conflict with DNSSEC + operation, unless a negative (if the private zone is not + signed) or positive (if the private zone is signed) trust + anchor is configured for them. If + allow-downgrade mode is selected, it is + attempted to detect site-private DNS zones using top-level + domains (TLDs) that are not known by the DNS root server. This + logic does not work in all private zone setups. + Defaults to off. -- cgit v1.2.3-54-g00ecf