Friday, 24 June 2016

Re: ANN: DNS resolver changes in yakkety

Marc Deslauriers [2016-06-16 12:06 +0300]:
> Both of those security issues are resolved by adding an option to disable
> caching.

I landed this upstream yesterday:
I also pulled it into the Debian packaging git, so the next Ubuntu
sync will get this.

> The remaining question is whether or not to disable caching by default.
> Both issues are pretty low-severity. I believe turning on caching will improve
> the user experience, so I'm slightly conflicted on what the default should be.

Yeah, me too. The upstream default continues to be "on", but we of
course have the choice to change this downstream. After the discussion
my gut feeling is still that the advantages of caching outweigh the
downsides, but at this point this is not really a technical argument
any more but a subjective one.

> If the option to turn it off on multiuser systems is easy, I believe I'm leaning
> toward leaving caching on by default. Other operating systems apparently enable
> system-wide DNS caching by default, and administrators of multiuser systems can
> easily turn it off if it's a concern to them.

We have the possibility of doing it on a per-package or per-image
basis, by shipping a /lib/systemd/resolved.conf.d/nocache.conf. Or of
course changing the default in the package.

> For touch and confined applications, if this turns out to be a privacy concern
> for our users, we can either turn off caching by default for the touch devices,
> or we can disable caching only for confined applications by adding some sort of
> AppArmor integration.

I'm not sure how AppArmor or MAC in general could influence this. The
only way "around" this would be to change nsswitch.conf for that
particular process to not use "resolve" at all, but direct queries of
the upstream DNS servers, but this would again break link-specific DNS
servers. So realistically this appears to me as a system-global


Martin Pitt
Ubuntu Developer | Debian Developer
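
Added example, not part of the original mail and not systemd's own code: a simplified model of how the effective cache setting is decided between resolved.conf and drop-ins such as the nocache.conf mentioned above, so an administrator of a multiuser system can audit which file wins. The mail does not name the option; the `[Resolve]` `Cache=` key is the systemd-resolved setting, and the /run and /etc drop-in directories and the sample tree are assumptions constructed for the example.

```python
import configparser
import os
import tempfile

# Lowest to highest priority; a same-named drop-in in a later directory
# replaces the copy from an earlier one. /run and /etc are assumptions here.
DROPIN_DIRS = ["lib/systemd/resolved.conf.d", "run/systemd/resolved.conf.d",
               "etc/systemd/resolved.conf.d"]
MAIN_CONF = "etc/systemd/resolved.conf"

def read_cache(path):
    """Return the Cache= value from [Resolve] in one file, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # keep key case as written
    cp.read(path)
    return cp.get("Resolve", "Cache", fallback=None) or None

def effective_cache(root="/"):
    """Return (value, deciding file) for Cache= under the given root."""
    value, source = "yes", "built-in default"   # upstream default is "on"
    main = os.path.join(root, MAIN_CONF)
    files = [main] if os.path.isfile(main) else []
    by_name = {}
    for d in DROPIN_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            for name in os.listdir(full):
                if name.endswith(".conf"):
                    by_name[name] = os.path.join(full, name)
    # Drop-ins are applied after the main file, sorted by file name.
    files += [by_name[n] for n in sorted(by_name)]
    for path in files:
        v = read_cache(path)
        if v is not None:
            value, source = v, path
    return value, source

def demo():
    """Constructed tree: stock main config plus the drop-in from the mail."""
    tree = {MAIN_CONF: "[Resolve]\n#Cache=yes\n",
            DROPIN_DIRS[0] + "/nocache.conf": "[Resolve]\nCache=no\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)
        value, source = effective_cache(root)
        return value, os.path.relpath(source, root)
```

Calling `effective_cache()` with the default root reports the setting on the running system; a same-named file under /etc would override the packaged drop-in.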
