The mentioned fixes hit kernel 5.15:
This attack would be history once and for ever if DNSSEC was widely deployed… sigh…
Forgive me if I sound ignorant, but how does one ensure DNSSEC and a BIND-RPZ co-exist? RPZs are widely used to return NXDOMAIN to any DNS lookup for ad/tracking networks on a lot of private/VPN networks.
In this case, the recursive resolver could resolve domains and check their DNSSEC signature. But you could connect to your recursive resolver using DNS over TLS and remove the DNSSEC signatures, which is supported by systemd-resolved.
If it’s unclear, here is an example how it would work:
If the domain is blocked, 192.0.2.1 replies NXDOMAIN right away.
title: Linux has a serious security problem that once again enables DNS cache poisoning
I wonder if someone got back to whoever originally worded it and said “hey, maybe using that phrase when mentioning a relatively recently deceased person is bad form”.
This is a fair point: I know Ars also regularly A/B test headlines so it’s also possible this is the title in their CMS but that headline never officially made the cut. Potentially worth pointing out to editorial staff in the comments?