bind9 is compiled without support for EdDSA DNSSEC keys
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
bind9 (Ubuntu) | Fix Released | Medium | Andreas Hasenack |
Bionic | Triaged | Wishlist | Unassigned |
Disco | Fix Released | Medium | Andreas Hasenack |
Bug Description
[Impact]
Bind9, whether acting as a resolver or as a master for a zone, has no support for EdDSA algorithms such as ED25519 or ED448. This is a regression from the package in Cosmic: that support was disabled by mistake in Disco.
[Test Case]
* Install the packages that will be tested:
sudo apt install dnsutils bind9utils bind9
* Offline test. Without EDDSA support, this command will fail:
$ dnssec-keygen -a ED25519 example.com
dnssec-keygen: fatal: unsupported algorithm: 15
* With EDDSA support, the command will succeed:
$ dnssec-keygen -a ED25519 example.com
Generating key pair.
Kexample.
* Online test. Without EDDSA support, the command below will return "unsigned answer" and "no valid signature found":
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
;; validating ed25519.nl/A: no valid signature found
; unsigned answer
ed25519.nl. 3589 IN A 77.72.150.82
ed25519.nl. 3200171710 IN RRSIG A 15 2 3600 (
20190502000000 20190411000000 27662 ed25519.nl.
f7HjJcbvekr
nQjUxNcCvDW
* With EDDSA support, it will return "fully validated":
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
; fully validated
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3600 IN RRSIG A 15 2 3600 (
20190502000000 20190411000000 27662 ed25519.nl.
f7HjJcbvekr
nQjUxNcCvDW
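The offline and online tests above can be scripted so that a build can be checked before and after the fix without reading the output by hand. The POSIX shell harness below is an added example and is not part of the bug report or of the bind9 package. The classify_* functions take tool output on stdin, so the decision logic runs offline against the output quoted in the description; with the argument --run it drives the installed dnssec-keygen and delv against the zone (ed25519.nl) and resolver address (127.0.0.1) used in the test case. The alg_name table, the function names and the sample strings are my own; the samples are copied from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): harness for the two EdDSA tests
# in the description. classify_* read tool output on stdin and only print
# a verdict; check_* run the real tools and turn the verdict into an exit code.

# DNSSEC algorithm number -> mnemonic (15 and 16 are registered by RFC 8080).
alg_name() {
    case "$1" in
        8)  echo RSASHA256 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "alg$1" ;;
    esac
}

# Offline test: decide from dnssec-keygen output whether the algorithm is built in.
classify_keygen() {
    out=$(cat)
    case "$out" in
        *"unsupported algorithm"*) echo unsupported ;;
        *"Generating key pair"*)   echo supported ;;
        *)                         echo unknown ;;
    esac
}

# Online test: decide from delv output whether the answer validated. When it
# did not, report the algorithm number from the RRSIG in the answer (6th
# field of the RRSIG line) so the operator can see which algorithm the
# resolver build is missing.
classify_delv() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^; fully validated'; then
        echo validated
        return 0
    fi
    alg=$(printf '%s\n' "$out" | awk '$4 == "RRSIG" { print $6; exit }')
    if [ -n "$alg" ]; then
        echo "unvalidated $alg $(alg_name "$alg")"
    else
        echo unvalidated
    fi
}

# Run the offline test for one algorithm inside a throwaway directory,
# because dnssec-keygen writes the key files into the current directory.
check_keygen() {
    alg=${1:-ED25519}
    tmp=$(mktemp -d) || return 2
    result=$(cd "$tmp" && dnssec-keygen -a "$alg" example.com 2>&1 | classify_keygen)
    rm -rf "$tmp"
    echo "$alg keygen: $result"
    [ "$result" = supported ]
}

# Run the online test against a validating resolver (default: local named).
check_resolver() {
    zone=${1:-ed25519.nl}
    server=${2:-127.0.0.1}
    result=$(delv +dnssec +multiline @"$server" "$zone" 2>&1 | classify_delv)
    echo "$zone via $server: $result"
    [ "$result" = validated ]
}

# Constructed samples, copied from the tool output quoted in the description.
SAMPLE_KEYGEN_BAD='dnssec-keygen: fatal: unsupported algorithm: 15'
SAMPLE_DELV_BAD=';; validating ed25519.nl/A: no valid signature found
; unsigned answer
ed25519.nl. 3589 IN A 77.72.150.82
ed25519.nl. 3600 IN RRSIG A 15 2 3600 ('

if [ "${1:-}" = "--run" ]; then
    # Live checks against the installed bind9 tools and the local resolver.
    check_keygen ED25519
    check_keygen ED448
    check_resolver ed25519.nl 127.0.0.1
else
    # Offline demonstration on the captured samples.
    printf '%s\n' "$SAMPLE_KEYGEN_BAD" | classify_keygen
    printf '%s\n' "$SAMPLE_DELV_BAD" | classify_delv
fi
```

Run it with `sh check-eddsa.sh --run` on the host under test; a build without the fix prints `ED25519 keygen: unsupported` and `ed25519.nl via 127.0.0.1: unvalidated 15 ED25519`, a fixed build prints `supported` and `validated`. Reporting the RRSIG algorithm number is the useful part: a "no valid signature found" from delv on its own does not distinguish a missing algorithm from a genuinely bad signature.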
[Regression Potential]
This change fixes an existing regression: it re-enables support for a DNSSEC signing algorithm that was already enabled in the previous release.
[Other Info]
EdDSA requires openssl 1.1.1, so this change will also update the dependency chain to require libssl1.1 >= 1.1.1, as opposed to just 1.1.0 as is the case in Disco at the moment (this happens automatically during build). This is also true for the udebs that are built from this package.
[Original Description]
In Ubuntu Disco Dingo, bind9_9.
Related branches
- git-ubuntu developers: Pending requested
  Diff: 63 lines (+17/-2), 3 files modified: debian/changelog (+9/-0), debian/libdns1100.symbols (+1/-0), debian/rules (+7/-2)
- Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 48 lines (+13/-2), 2 files modified: debian/changelog (+6/-0), debian/rules (+7/-2)
- Christian Ehrhardt (community): Approve; Canonical Server: Pending requested
  Diff: 48 lines (+13/-2), 2 files modified: debian/changelog (+6/-0), debian/rules (+7/-2)
Changed in bind9 (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Andreas Hasenack (ahasenack) |
Changed in bind9 (Ubuntu Disco): | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
status: | Triaged → In Progress |
description: | updated |
tags: | added: server-next |
tags: | removed: server-next |
Changed in bind9 (Ubuntu Bionic): | |
assignee: | Andreas Hasenack (ahasenack) → nobody |
Thanks for filing this bug in Ubuntu.
You are right, this should have been enabled back.