
Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC



Package: libc6
Version: 2.13-34
Severity: Serious
Tags: security

Hi!

I am submitting this report as there seems to be no easy way to get
DNSSEC validation happening for all DNS lookups.  This is a litmus test
to make sure we cover this matter, or see if we have an easy procedure
in wheezy to enable client DNSSEC validation.

With the DNS root zone now signed, and .org and .net, and many soon to
be done country specific TLDs, there does not appear to be any easy way
of taking advantage of this in wheezy or sid.

From my investigations this can only be enabled by recompiling each bit
of software to set the RES_USE_DNSSEC flag in _res.options, as well as
RES_USE_EDNS0. (Please see racoon bug #679483.)  The enablement method
is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c.

Please create a resolv.conf flag so that RES_USE_DNSSEC is available
to the systems administrator, and maybe a debconf screen to select it.

This is about proactively avoiding DNS spoofing and securing against it.

Regards,

Matthew Grant



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-34
ii  libgcc1   1:4.7.1-2

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.44
ii  glibc-doc              2.13-34
ii  locales                2.13-34

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false
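The per-application mechanism the report describes, as an added illustration (not code from this bug report, glibc, or OpenSSH): the resolver options an application has to OR into _res.options before querying, and the AD-bit check on the returned header that decides whether an answer may be treated as validated. Function names and the sample response bytes are constructed for this example; only the RES_USE_* macros come from glibc's resolv.h.

```c
#include <resolv.h>   /* RES_USE_DNSSEC, RES_USE_EDNS0 (glibc macros) */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: the option bits an application must set in
 * _res.options (after res_init()) before res_query() so the stub
 * resolver sends DO=1. RES_USE_DNSSEC alone does nothing: the DO bit
 * travels in the EDNS0 OPT pseudo-RR, so RES_USE_EDNS0 is required too. */
unsigned long dnssec_query_options(unsigned long opts)
{
    return opts | RES_USE_EDNS0 | RES_USE_DNSSEC;
}

/* DNS wire header: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).
 * Byte 2: QR 0x80 | Opcode 0x78 | AA 0x04 | TC 0x02 | RD 0x01
 * Byte 3: RA 0x80 | Z 0x40 | AD 0x20 | CD 0x10 | RCODE 0x0f */
enum { DNS_HDR_LEN = 12, F_QR = 0x80, F_TC = 0x02, F_AD = 0x20, F_RCODE = 0x0f };

/* Hypothetical helper: returns 1 only for a complete NOERROR response whose
 * ID matches the query and whose AD (Authenticated Data) bit is set. The AD
 * bit is an assertion by the recursive resolver, so it is only meaningful
 * when the path to that resolver is trusted (e.g. a local validator). */
int response_is_authenticated(const unsigned char *msg, size_t len,
                              unsigned expected_id)
{
    if (msg == NULL || len < DNS_HDR_LEN)
        return 0;
    if (((unsigned)msg[0] << 8 | msg[1]) != expected_id)
        return 0;                       /* not the answer to our query */
    if (!(msg[2] & F_QR) || (msg[2] & F_TC))
        return 0;                       /* not a response, or truncated */
    if ((msg[3] & F_RCODE) != 0)
        return 0;                       /* SERVFAIL, NXDOMAIN, ... */
    return (msg[3] & F_AD) ? 1 : 0;
}

/* Constructed sample headers (ID 0x1234, QR+RD, RA, one question/answer). */
const unsigned char SAMPLE_AD[]    = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0};
const unsigned char SAMPLE_NO_AD[] = {0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0};

int main(void)
{
    printf("options to set: 0x%lx\n", dnssec_query_options(0));
    printf("AD response validated: %d\n",
           response_is_authenticated(SAMPLE_AD, sizeof SAMPLE_AD, 0x1234));
    printf("plain response validated: %d\n",
           response_is_authenticated(SAMPLE_NO_AD, sizeof SAMPLE_NO_AD, 0x1234));
    return 0;
}
```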


