FS#72610 - [systemd] add hostnames to fallback DNS servers

Attached to Project: Arch Linux
Opened by nl6720 (nl6720) - Tuesday, 02 November 2021, 07:15 GMT
Last edited by Christian Hesse (eworm) - Tuesday, 02 November 2021, 10:22 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Christian Hesse (eworm)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Upstream added hostnames to fallback DNS servers so that they work when DNS over TLS is enabled.
Please add the appropriate hostnames for Arch's chosen fallback DNS servers in https://github.com/archlinux/svntogit-packages/blob/packages/systemd/trunk/PKGBUILD#L103-L115 .

Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any
systemd 249.5-3
https://github.com/systemd/systemd/commit/a83ddc08d66277b9bf1e374a3e1e9bc21ce12cdd

Steps to reproduce:

Closed by  Christian Hesse (eworm)
Tuesday, 02 November 2021, 10:22 GMT
Reason for closing:  Implemented
Additional comments about closing:  in SVN trunk
Comment by Christian Hesse (eworm) - Tuesday, 02 November 2021, 10:11 GMT
Is this really an issue? Let's check:

% echo | openssl s_client -connect 1.1.1.1:853 2>/dev/null | openssl x509 -in - -noout -ext subjectAltName
X509v3 Subject Alternative Name:
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
% echo | openssl s_client -connect 9.9.9.10:853 2>/dev/null | openssl x509 -in - -noout -ext subjectAltName
X509v3 Subject Alternative Name:
DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
% echo | openssl s_client -connect 8.8.8.8:853 2>/dev/null | openssl x509 -in - -noout -ext subjectAltName
X509v3 Subject Alternative Name:
DNS:dns.google, DNS:dns.google.com, DNS:*.dns.google.com, DNS:8888.google, DNS:dns64.dns.google, IP Address:8.8.8.8, IP Address:8.8.4.4, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:64

All fallback servers do include IP addresses in the certificate subject alt name. So everything should be fine, no?

On the other hand... Probably it does not hurt to have it, looks like v249 (see DNS= in man 5 resolved.conf) does support it.
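
Added example (not part of the comment above and not systemd or Arch code): the same subjectAltName check done programmatically, including the IPv6 case where openssl prints the uncompressed form while configuration usually carries the compressed one. The function names are hypothetical, the sample line is abridged from the Cloudflare output quoted above, and the address#name token follows the DNS= syntax in man 5 resolved.conf.

```python
import ipaddress

# Abridged copy of the Cloudflare subjectAltName line quoted in the comment above.
SAMPLE_SAN = (
    "DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
    "IP Address:1.1.1.1, IP Address:1.0.0.1, "
    "IP Address:2606:4700:4700:0:0:0:0:1111"
)


def parse_san(line):
    """Split an openssl subjectAltName line into (dns_names, ip_addresses)."""
    names, addrs = [], set()
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            names.append(value.lower())
        elif kind == "IP Address":
            # ip_address() makes 2606:4700:4700:0:0:0:0:1111 and
            # 2606:4700:4700::1111 compare equal.
            addrs.add(ipaddress.ip_address(value))
    return names, addrs


def ip_in_san(server, line):
    """True if the certificate can be validated against the bare address."""
    return ipaddress.ip_address(server) in parse_san(line)[1]


def name_in_san(name, line):
    """True if name matches a DNS entry; '*' covers exactly one leftmost label."""
    name = name.lower()
    label, _, parent = name.partition(".")
    for pattern in parse_san(line)[0]:
        if pattern == name:
            return True
        if pattern.startswith("*.") and label and pattern[2:] == parent:
            return True
    return False


def resolved_token(server, name, line):
    """Build an address#name token, refusing names the certificate lacks."""
    if not name_in_san(name, line):
        raise ValueError(f"{name} is not in the certificate presented by {server}")
    return f"{ipaddress.ip_address(server)}#{name}"
```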
Comment by nl6720 (nl6720) - Tuesday, 02 November 2021, 10:21 GMT
Oh, I didn't actually check. So it appears to not be an issue for these servers.
Still, it'd be nice to more closely match upstream.
