resolved: actually check authenticated flag of SOA transaction

[msekletar]

Fixes #25676

[msekletar]

I tried to take a stab at #25676 and this is what I came up with, it seems to fix the issue but please review it carefully as I am not really resolved expert.

[yuwata]

@poettering Could you double check?

[poettering]

ouch.

lgtm

[pemensik]

I have taken a look into this commit and it seemed a way too simple to fix the issue properly. I made my own rawhide build with added only this patch on top of last build.

As I have suspected this change IS NOT sufficient to prevent the cache poisoning. I have used simple addition to libvirt's dnsmasq backed network.

# sudo virsh net-edit default
<network>
  <!-- ... -->
  <dns>
    <txt name='example.net' value='v=spf1 +all'/>
    <host ip='127.0.0.255'>
      <hostname>example.net</hostname>
    </host>
  </dns>
  <!-- ... -->
</network>

Unless I have made mistake with build, this is not sufficient fix. It may protect SOA query itself, but does not protect other records. It is still possible to spoof own records. All example domains ARE signed, so any their spoofing should make them broken and inaccessible.

# resolvectl dnssec
Global: yes
Link 2 (host0): yes
# rpm -q systemd-resolved
systemd-resolved-255.1-2.fc40.x86_64
# resolvectl query example.net
example.net: 127.0.0.255                       -- link: host0
             2606:2800:220:1:248:1893:25c8:1946 -- link: host0

-- Information acquired via protocol DNS in 5.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: cache network
# resolvectl query -t txt example.net
example.net IN TXT "v=spf1 +all"                            -- link: host0

-- Information acquired via protocol DNS in 2.1ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: no
-- Data from: network
# delv example.net
;; resolution failed: SERVFAIL
# unbound-host -rvD example.net
example.net has address 127.0.0.255 (BOGUS (security failure))
validation failure <example.net. A IN>: no signatures from 127.0.0.53
example.net has IPv6 address 2606:2800:220:1:248:1893:25c8:1946 (secure)
example.net mail is handled by 0 . (secure)

Edit: Fixed delv and unbound-host checks with LLMNR=no.

[pemensik]

I am afraid it is not as simple as demanding AD bit in SOA queries. First problem is those SOA queries are not necessary anyway. But it is possible to keep SOA query intact and replace just record type you want to modify. That is done by dnsmasq for example, it does not care about zone definitions.

[pemensik]

False alarm, this seems to fix the issue well, but Fedora package does not contain instruction to restart systemd-resolved.service, therefore it had no immediate effect.

[keszybz]

@pemensik Thanks for testing. In case anyone looks here, both issues should now be fixed in Fedora: the patch is included in backports and package scriptlets have been update to restart systemd-resolved on package upgrades.