Mailinglist Archive: opensuse (1261 mails)

Re: [opensuse] ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?
Hello!

As I remember, openSUSE uses two network management frameworks -- Wicked
(by default) and NetworkManager (as an alternative).

The systemd network management subsystem is not in use, and it is absent from
SUSE's systemd build. I'm not aware of Tumbleweed (with systemd
v233), but Leap (systemd v228) certainly has no native systemd network
subsystem. I suppose Tumbleweed also doesn't contain the systemd network
subsystem, if there are no other plans somewhere for it.

Hence, Leap 42.x is not vulnerable by default.


On 28.06.2017 23:59, Knurpht - Gertjan Lettink wrote:
On Wednesday 28 June 2017 22:49:08 CEST, L A Walsh wrote:
Warning! This could be a lot of "nonsense" and be a potentially reactive
topic. Please don't escalate things emotionally or no one will ever
understand what the facts are.

That said, I see some trends/repeated behavior+history consistent
with sysd's expansion into other OS functions,
so I see no reason to completely disbelieve some of the statements
I've read or try to summarize below.

Does anyone know what's happening in OpenSUSE related to this?
Will it be generating the same types of instability and problems?

Will opensuse still support other DNS resolvers (bind/named, dnsmasq,
etc) even if they are incompatible with new sysd operation?


There is a sysxxxd vulnerability
<https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu
distributions due to sysxxxd's new DNS resolver. The inclusion of the
dns resolver was lamented by many on the mailing list
<https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>,
not without cause. All are advised to update their distribution.


New features include (**):

- taking over glibc library functions gethostbyname & getaddrinfo in
nsswitch to redirect dns calls into sysd's version

- changes /etc/resolv.conf, creating race conditions with various SW
packages, leading to inconsistent address resolution

- turns DNS requests into XML requests fed over the sysdbus for requests
and answers, duplicating DNS protocol handling code and requiring sysd to
keep up with DNS changes.

- does forwarding-only & relies on DHCP for a full DNS server stripping off
DNS security records in the process so sysd-local changes can't be detected
by local applications.

- scans for its own group of DNS servers on all interfaces and sends out
DNS queries on all ports using "first-received" answers vs. authoritative
answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned
DNS info.

- believed not to handle split DNS schemes needed for VPN setups to work
correctly.


(** https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)

Apparently sysd's DNS changes haven't gone over well in terms of
interoperability w/existing DNS -- a persistent theme as sysd takes on a
new system function/area.

_I_ have more than a little anxiety over the idea that all alternate DNS
solutions will be thrown out..

comments?
Tumbleweed's already on version 233, my bet is that the patch will be
backported to Leap's 228 version.
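The thread's question comes down to one check an administrator can make on a host: is glibc name resolution being routed through systemd-resolved (via the nsswitch takeover and the rewritten /etc/resolv.conf described above) or not? This is an added example, not code from the thread or from openSUSE; it assumes two facts about systemd-resolved that are not stated on the page, namely that nss-resolve registers as the "resolve" module on the hosts: line of nsswitch.conf and that resolved's stub listener answers on 127.0.0.53, and all sample file contents are constructed.

```python
"""Report whether a host's name lookups go through systemd-resolved.

Reads nsswitch.conf and resolv.conf text (pass file contents in, so it
also works on copies pulled from a remote box or a forensic image).
"""
from typing import Dict, List

STUB_ADDRESS = "127.0.0.53"   # assumed: systemd-resolved stub listener


def hosts_modules(nsswitch_text: str) -> List[str]:
    """Return the NSS modules on the 'hosts:' line, in lookup order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments
        if line.startswith("hosts:"):
            tokens = line[len("hosts:"):].split()
            # drop action specs such as [NOTFOUND=return]
            return [t for t in tokens if not t.startswith("[")]
    return []


def nameservers(resolv_text: str) -> List[str]:
    """Return every 'nameserver' address in resolv.conf order."""
    out = []
    for line in resolv_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def resolved_in_use(nsswitch_text: str, resolv_text: str) -> Dict[str, object]:
    mods = hosts_modules(nsswitch_text)
    ns = nameservers(resolv_text)
    via_nss = "resolve" in mods          # nss-resolve hooks getaddrinfo
    via_stub = STUB_ADDRESS in ns        # resolv.conf points at resolved
    return {"nss_resolve": via_nss, "stub_nameserver": via_stub,
            "affected": via_nss or via_stub,
            "hosts_modules": mods, "nameservers": ns}


# Constructed samples: a Wicked-style Leap host and a resolved-style host.
LEAP_NSSWITCH = "hosts:  files mdns_minimal [NOTFOUND=return] dns\n"
LEAP_RESOLV = "# generated by wicked\nnameserver 192.0.2.1\nsearch example.test\n"
RESOLVED_NSSWITCH = "hosts:  files resolve [!UNAVAIL=return] dns\n"
RESOLVED_RESOLV = "nameserver 127.0.0.53\nsearch example.test\n"

if __name__ == "__main__":
    print("leap-like:", resolved_in_use(LEAP_NSSWITCH, LEAP_RESOLV)["affected"])
    print("resolved-like:", resolved_in_use(RESOLVED_NSSWITCH, RESOLVED_RESOLV)["affected"])
```

On a live host, feed it `open("/etc/nsswitch.conf").read()` and `open("/etc/resolv.conf").read()`; a False "affected" matches the reply's claim that a default Leap install does not use the systemd resolver.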
