GNU bug report logs - #47823: Hardenize Guix website TLS/DNS
If the server configured DNSSEC in a bad way then for sure it won't
work, and that's what happened with gnu.org if you read this ticket:
https://github.com/systemd/systemd/issues/9867
This ticket shows clearly that the operators of gnu.org didn't fix their
bad DNSSEC configuration despite it being pointed out to them.
https://danwin1210.me
E.g. this domain uses DNSSEC; where is the problem connecting to it?
Julien Lepiller:
> No, resolved is on the client side. This means that they managed to set up dnssec, but some clients who use systemd (most Linux users) can't connect to gnu.org domains anymore. I don't think this is acceptable :)
>
> On 25 May 2021 08:51:29 GMT-04:00, bo0od <bo0od <at> riseup.net> wrote:
>> Then don't use systemd to do that. There are many other methods/tools to
>> achieve having it.
>>
>> Marius Bakke:
>>> Julien Lepiller <julien <at> lepiller.eu> writes:
>>>
>>>> On 16 April 2021 12:15:25 GMT-04:00, Leo Famulari <leo <at> famulari.name> wrote:
>>>>> On Fri, Apr 16, 2021 at 11:00:05AM +0000, bo0od wrote:
>>>>>> Scanning Guix website gave many missing security features which modern
>>>>>> security needs them to be available:
>>>>>>
>>>>>> * TLS and DNS:
>>>>>>
>>>>>> looking at:
>>>>>>
>>>>>> https://www.hardenize.com/report/guix.gnu.org/1618568751
>>>>>>
>>>>>> https://www.ssllabs.com/ssltest/analyze.html?d=guix.gnu.org
>>>>>
>>>>> Thanks!
>>>>>
>>>>>> - DNS: DNSSEC support missing (important)
>>>>>
>>>>> Hm, is it important? My impression is that it's an idea whose time has
>>>>> passed without significant adoption.
>>>>>
>>>>> But maybe we could enable it if the costs are not too great.
>>>>
>>>> gnu.org does not have dnssec, so we'd need them to work on that first.
>>>
>>> gnu.org used to have DNSSEC, but disabled it because it gave NXDOMAIN
>>> on machines with systemd-resolved:
>>>
>>> https://github.com/systemd/systemd/issues/9867
>>>
>
This bug report was last modified 2 years and 13 days ago.