Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.
At its simplest, an attacker triggers a query to a domain he controls via SMTP or an SSH login. Upon receipt of the question, he can add any answer he wants cached to the legitimate answer he provides for the query, e.g. by returning two answer RRs: one for the question asked and one for a question that was never asked, even if the DNS server is not authoritative for that domain.
Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread: most users would still be running the backported 208-stable, while the DNS resolver was committed in 213 and considered fairly complete in 216, and it only matters if they enabled systemd-resolved in /etc/nsswitch.config.
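The defence against this class of bug is the bailiwick rule: a resolver only caches records that answer the question it asked and that fall inside the zone the queried server is authoritative for. The following is an added illustration of that check, not systemd-resolved's code; the domain names, addresses and the two-record response are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class RR:
    """One resource record as it appears in a DNS response section."""
    name: str    # owner name, absolute (trailing dot)
    rtype: str   # "A", "AAAA", "CNAME", ...
    rdata: str

def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def filter_answers(qname: str, qtype: str, zone: str,
                   answers: List[RR]) -> Tuple[List[RR], List[RR]]:
    """Split a response's answer section into records a resolver may cache
    and records it must discard. `zone` is the zone the resolver believes the
    queried server is authoritative for, learned from the delegation it
    followed and never from the response itself. A record is kept only if its
    owner name is the question name, its type answers the question (or is a
    CNAME for it), and it lies within that zone."""
    kept, dropped = [], []
    for rr in answers:
        answers_question = (rr.name.lower() == qname.lower()
                            and rr.rtype in (qtype, "CNAME"))
        if answers_question and in_bailiwick(rr.name, zone):
            kept.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped

# Constructed response of the kind the report describes: the server for
# attacker.example. answers the question it was asked and appends an
# unsolicited record for a name it is not authoritative for.
POISONED_ANSWERS = [
    RR("mx.attacker.example.", "A", "198.51.100.5"),   # legitimate answer
    RR("www.bank.example.", "A", "203.0.113.7"),       # unrequested, out of zone
]

if __name__ == "__main__":
    kept, dropped = filter_answers("mx.attacker.example.", "A",
                                   "attacker.example.", POISONED_ANSWERS)
    print("cache:", kept)
    print("discard:", dropped)
```

A resolver that applies this check caches only the first record; the bug described above is precisely the absence of the second and third conditions.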
(Score: 3, Informative) by LoRdTAW on Thursday November 13 2014, @01:02PM
It's a chicken or the egg problem. As another poster mentioned, they are moving towards a managed service system like Windows svchost. The problem though, is if you make a switch to such a radically different service manager, where do the daemons come from?
And this is why systemd has to reinvent the wheel and reimplement so many services that already exist under linux. In order for there to be a useful systemd they have to write systemd services. Everyone still thinks it is simply trying to be a PID1 and init system, it isn't. It is an entire suite of replacement daemons and one process to rule them all.
A comparison: If you use Windows go to control panel and administrative tools. Then open services. Pretend services is systemd and all the services listed within are systemd-daemons. That is exactly what systemd is and what it wants to become.
Have a look at the opening summary for svchost on wikipedia (https://en.wikipedia.org/wiki/Svchost.exe):
I am not pretending to be an OS expert, but just the opening of the article makes the idea of systemd sound silly.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:15PM
Those who don't understand UNIX^W Linux are doomed to re-invent it--poorly.
-- gewg_
(Score: 2) by LoRdTAW on Friday November 14 2014, @05:25PM
Actually, it should read:
Those who do not understand Windows are condemned to reinvent it, poorly.