Mailinglist Archive: opensuse (1261 mails)

[opensuse] ubuntu reports probs w/new sysd DNS this going to hit openSUSE?
Warning! This could be a lot of "nonsense" and be a potentially reactive
topic. Please don't escalate things emotionally or no one will ever
understand what the facts are.
That said, I see some trends/repeated behavior+history consistent
with sysd's expansion into other OS functions,
so I see no reason to completely disbelieve some of the statements
I've read or try to summarize below.

Does anyone know what's happening in OpenSUSE related to this?
Will it be generating the same types of instability and problems?

Will opensuse still support other DNS resolvers (bind/named, dnsmasq,
etc) even if they are incompatible with new sysd operation?

/There is a sysxxxd vulnerability in the latest ubuntu distributions due to sysxxxd's new DNS resolver. The inclusion of the dns resolver was lamented by many on the mailing list, not without cause. All are advised to update their distribution./

New features include(**)

- taking over glibc library functions gethostbyname & getaddrinfo in nsswitch to
redirect dns calls into sysd's version

- changes /etc/resolv.conf, creating race conditions with various SW packages, leading to inconsistent address resolution

- turns DNS requests into XML requests fed over the sysdbus for requests and answers, duplicating DNS protocol handling code, requiring sysd to keep up with
DNS changes.

- does forwarding-only & relies on DHCP for a full DNS server stripping off
DNS security records in the process so sysd-local changes can't be detected
by local applications.

- scans for its own group of DNS servers on all interfaces and sends out
DNS queries on all ports using "first-received" answers vs. authoritative
answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned
DNS info.

- believed not to handle split DNS schemes needed for VPN setups to work


Apparently sysd's DNS changes haven't gone over well in terms of interoperability w/existing DNS -- a persistent theme as sysd takes on a
new system function/area.

_I_ have more than a little anxiety over the idea that all alternate DNS
solutions will be thrown out..
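
An added example, not part of the original post: a check of the two files the message names (the `hosts:` line in nsswitch and /etc/resolv.conf) that reports which resolver path a host actually uses. It assumes "sysd's DNS resolver" means systemd-resolved, whose NSS module is `resolve` and whose local stub listens on 127.0.0.53; the function names and sample file contents are constructed for illustration.

```python
import ipaddress
import re

STUB_ADDR = "127.0.0.53"  # systemd-resolved's local stub listener (assumption, see lead-in)

def nss_hosts_modules(nsswitch_text):
    """Ordered NSS modules on the 'hosts:' line; [action] items are dropped."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []

def nameservers(resolv_text):
    """Addresses from 'nameserver' lines; ';' and '#' comment lines never match."""
    found = []
    for raw in resolv_text.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def resolver_path(nsswitch_text, resolv_text):
    """Classify who answers name lookups on this host."""
    mods, servers = nss_hosts_modules(nsswitch_text), nameservers(resolv_text)
    if "resolve" in mods or STUB_ADDR in servers:
        return "systemd-resolved"
    if any(is_loopback(s) for s in servers):
        return "local-daemon"  # e.g. dnsmasq or named bound to 127.0.0.1
    return "upstream-direct" if servers else "no-dns-configured"

# Constructed sample files (not taken from any real host).
NSS_RESOLVED = "passwd: files\nhosts: files resolve [!UNAVAIL=return] dns\n"
RESOLV_STUB = "# managed file\nnameserver 127.0.0.53\noptions edns0\n"
NSS_CLASSIC = "hosts: files dns   # glibc built-in DNS client\n"
RESOLV_LOCAL = "; dnsmasq on loopback\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    print(resolver_path(NSS_RESOLVED, RESOLV_STUB))
    print(resolver_path(NSS_CLASSIC, RESOLV_LOCAL))
```

Note that a classic `hosts: files dns` line still ends up at systemd-resolved when resolv.conf points at the stub address, which is why both files are checked.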

