resolved: address DVE-2018-0001
author Lennart Poettering <lennart@poettering.net>
Thu, 12 Nov 2020 16:05:36 +0000 (17:05 +0100)
committer Lennart Poettering <lennart@poettering.net>
Wed, 17 Feb 2021 17:06:13 +0000 (18:06 +0100)
commit 1ed4e584f3a03f47d2313314b6b5a78c9dc6f135
tree b7f7fd829832e5f62810d095c4538e011de3355e
parent 98f6d5769fbc2905e0d8d8fbe20881b648a6f336
resolved: address DVE-2018-0001

This is an updated version of #8608 with more restrictive logic. To
quote the original bug:

    Some captive portals lie and do not respond with the captive portal
    IP address, if the query is with EDNS0 enabled and D0 bit set to
    zero. Thus retry "secure" domain name look ups with less secure
    methods, upon NXDOMAIN.

https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md

Yes, this fix sucks hard, but I guess this is what we need to do to make
sure resolved works IRL.

Heavily based on the original patch from Dimitri John Ledkov, and I
copied the commentary verbatim.

Replaces: #8608
src/resolve/resolved-dns-transaction.c
src/resolve/resolved-dns-transaction.h