Hello! As I remember, openSUSE uses two network management frameworks -- Wicked (by default) and NetworkManager (as an alternative). The systemd network management subsystem is not in use, and it is absent from SUSE's systemd build. I'm not sure about Tumbleweed (with systemd v233), but Leap (systemd v228) definitely has no native systemd network subsystem. I suppose Tumbleweed doesn't contain the systemd network subsystem either, unless there are other plans for it somewhere. Hence Leap 42.x is not vulnerable by default.

On 28.06.2017 23:59, Knurpht - Gertjan Lettink wrote:
On Wednesday 28 June 2017 22:49:08 CEST, L A Walsh wrote:
Warning! This could be a lot of "nonsense" and be a potentially reactive topic. Please don't escalate things emotionally or no one will ever understand what the facts are.
That said, I see some trends/repeated behavior+history consistent with sysd's expansion into other OS functions, so I see no reason to completely disbelieve some of the statements I've read or try to summarize below.
Does anyone know what's happening in OpenSUSE related to this? Will it be generating the same types of instability and problems?
Will opensuse still support other DNS resolvers (bind/named, dnsmasq, etc) even if they are incompatible with new sysd operation?
There is a sysxxxd vulnerability <https://www.ubuntu.com/usn/usn-3341-1/> in the latest Ubuntu distributions due to sysxxxd's new DNS resolver. The inclusion of the DNS resolver was lamented by many on the mailing list <https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>, not without cause. All are advised to update their distribution.
New features include (**):
- taking over the glibc library functions gethostbyname & getaddrinfo in nsswitch to redirect DNS calls into sysd's version
- changes /etc/resolv.conf, creating race conditions with various SW packages, leading to inconsistent address resolution
- turns DNS requests into XML requests fed over the sysdbus for requests and answers, duplicating DNS protocol handling code and requiring sysd to keep up with DNS changes
- does forwarding-only & relies on DHCP for a full DNS server, stripping off DNS security records in the process so sysd-local changes can't be detected by local applications
- scans for its own group of DNS servers on all interfaces and sends out DNS queries on all ports, using "first-received" answers vs. authoritative answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned DNS info
- believed not to handle split DNS schemes needed for VPN setups to work correctly
(**- https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)
Apparently sysd's DNS changes haven't gone over well in terms of interoperability w/existing DNS -- a persistent theme as sysd takes on a new system function/area.
_I_ have more than a little anxiety over the idea that all alternate DNS solutions will be thrown out...
Comments?

Tumbleweed's already on version 233; my bet is that the patch will be backported to Leap's 228 version.
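The thread turns on a factual question: is systemd's resolver actually wired into a given openSUSE host or not? The script below is an added example, not code from anyone in the thread or from the openSUSE project. It is a read-only check of the three places the posts mention: the "hosts:" line of /etc/nsswitch.conf (does it list the "resolve" NSS module, i.e. systemd-resolved's hook in front of the classic "dns" module?), /etc/resolv.conf (is it a symlink, typically into /run/systemd/resolve/, or a plain file written by wicked, NetworkManager or the admin, and which nameservers does it list?), and whether a systemd-resolved.service unit is installed at all. It assumes a POSIX sh with awk and readlink, and that 127.0.0.53 is the address of systemd-resolved's local stub listener (which it is on the systemd versions discussed here). The file paths are the usual ones; adjust the unit directory if your distribution installs units elsewhere.

```shell
#!/bin/sh
# Added example, not part of the thread: a read-only check of which
# resolver path a host actually uses. Nothing here modifies the system.
# Assumptions (not taken from the thread): POSIX sh with awk and readlink;
# the systemd-resolved stub listener address is 127.0.0.53.

# hosts_uses_resolve FILE: print "yes" if FILE's hosts: line routes lookups
# through the "resolve" NSS module, "no" if not, "unreadable" if FILE is absent.
# Action specs such as "[!UNAVAIL=return]" are separate tokens and are skipped.
hosts_uses_resolve() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++)
                 if ($i == "resolve" || index($i, "resolve[") == 1) { found = 1; exit }
         }
         END { print (found ? "yes" : "no") }' "$1"
}

# resolv_conf_kind FILE: "symlink:<target>" (target printed even if dangling),
# "file" for a regular file, or "missing".
resolv_conf_kind() {
    if [ -L "$1" ]; then
        printf 'symlink:%s\n' "$(readlink "$1")"
    elif [ -f "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# nameservers_in FILE: the nameserver addresses in a resolv.conf, one per
# line; comments and other directives are ignored; nothing if FILE is absent.
nameservers_in() {
    [ -r "$1" ] || return 0
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# uses_resolved_stub FILE: "yes" if the only nameserver is 127.0.0.53, meaning
# even programs that bypass nsswitch and read resolv.conf directly end up
# talking to systemd-resolved.
uses_resolved_stub() {
    ns=$(nameservers_in "$1")
    [ "$ns" = "127.0.0.53" ] && echo yes || echo no
}

# resolved_unit_present DIR: "yes" if DIR/systemd-resolved.service exists.
resolved_unit_present() {
    [ -e "$1/systemd-resolved.service" ] && echo yes || echo no
}

# report: run the checks against the live system paths and print one line each.
report() {
    echo "nsswitch hosts: line uses resolve module: $(hosts_uses_resolve /etc/nsswitch.conf)"
    echo "/etc/resolv.conf is: $(resolv_conf_kind /etc/resolv.conf)"
    echo "nameservers listed: $(nameservers_in /etc/resolv.conf | tr '\n' ' ')"
    echo "resolv.conf points only at the resolved stub: $(uses_resolved_stub /etc/resolv.conf)"
    echo "systemd-resolved.service in /usr/lib/systemd/system: $(resolved_unit_present /usr/lib/systemd/system)"
}

report
```

A host answering "no" to the nsswitch check, "file" for resolv.conf with the DHCP or static nameservers listed, and "no" for the unit is what the first reply describes for Leap 42.x: the glibc resolver goes straight to the listed servers and systemd is not in the path. "yes" on the nsswitch line, or a symlink into /run/systemd/resolve with 127.0.0.53 as the only nameserver, means the systemd-resolved behaviour discussed above is in effect.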