
You mean the article or the feature? The article is dated 22/11/2014. The feature may have been added a few months/years ago, but the point still stands about systemd showing signs of feature creep. Note also the DNS resolver issue[0]

[0] - http://seclists.org/oss-sec/2014/q4/592



The feature was added in 2012 or something, whenever the log support came.

The DNS issue affects not just systemd but any stub resolver.


The DNS issue is worse in systemd's resolver because it is NOT merely a "stub resolver" - it implements a cache. From the same thread:

"The DNS specification does not require rewriting of upstream responses to filter out parts for which the queried server is not authoritative. This means that a downstream caching resolver will tend to poison its cache if it adds data from such responses that are not directly in response to the QNAME."

http://seclists.org/oss-sec/2014/q4/602

Adding entries (including additional records, which are common in DNS) without validation is just asking for a DNS poisoning attack.
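The "bailiwick" check the quoted thread is describing, as an added illustration (not systemd's code): a caching resolver should only accept authority/additional records whose owner name sits inside the zone the queried server is responsible for. The record set below is constructed, using documentation addresses; `filter_for_cache` and the zone/qname parameters are my own names for this example.

```python
"""Bailiwick filter for a caching resolver (added example, not systemd code).
Records in the authority/additional sections are accepted into the cache
only if their owner name is inside the queried server's zone; anything
else is out-of-bailiwick data and is dropped instead of cached."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.com."
    rtype: str     # "A", "NS", "CNAME", ...
    rdata: str     # textual rdata, enough for this illustration
    section: str   # "answer", "authority" or "additional"


def normalize(name):
    """Lower-case and add the trailing dot so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(name, zone):
    """True if name equals zone or is a proper subdomain of it (label-wise)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def filter_for_cache(qname, zone, records):
    """Return only the records a cautious cache should accept.
    qname: the name asked for; zone: the bailiwick of the answering server.
    Answer records must be for qname (or a CNAME target reached from it);
    authority/additional records must lie inside the server's bailiwick."""
    accepted = []
    allowed_answer_names = {normalize(qname)}
    for rr in records:
        owner = normalize(rr.name)
        if rr.section == "answer":
            if owner in allowed_answer_names and in_bailiwick(owner, zone):
                accepted.append(rr)
                if rr.rtype == "CNAME":
                    allowed_answer_names.add(normalize(rr.rdata))
        elif in_bailiwick(owner, zone):
            accepted.append(rr)
    return accepted


# Constructed response to "www.example.com A" from example.com's server.
SAMPLE = [
    RR("www.example.com.", "A", "192.0.2.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    # out-of-bailiwick additional record: must not reach the cache
    RR("www.example.net.", "A", "203.0.113.66", "additional"),
]
```

Running `filter_for_cache("www.example.com", "example.com", SAMPLE)` keeps the three example.com records and discards the example.net glue.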



