dig compiled without -DDIG_SIGCHASE!

Bug #257682 reported by Ted Lemon
This bug affects 4 people
Affects          Status         Importance   Assigned to    Milestone
bind9 (Ubuntu)   Fix Released   Undecided    LaMont Jones
Hardy            Fix Released   Undecided    Unassigned
Intrepid         Won't Fix      Undecided    Unassigned

Bug Description

Binary package hint: dnsutils

I'm trying to validate my DNSSEC zone signatures using dig. To do this I need to use the +sigchase flag to dig. When I do so, this is what I see:

toccata% dig +sigchase +dnssec DS fugue.se.
Invalid option: +sigchase
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options
toccata%

I think what's going on here is that dig has not been compiled with the -DDIG_SIGCHASE option.

Given all the excitement recently with Dan Kaminsky's DNS bug, I think the ability to check DNSSEC signatures is now a requirement, not something that should be optional. Dig is a debugging tool for DNS administrators, and in order for us to debug our DNSSEC installations, we need dig to be able to verify signatures.

toccata% lsb_release -rd
Description: Ubuntu 8.04.1
Release: 8.04
toccata% apt-cache policy dnsutils
dnsutils:
  Installed: 1:9.4.2-10ubuntu0.1
  Candidate: 1:9.4.2-10ubuntu0.1
  Version table:
 *** 1:9.4.2-10ubuntu0.1 0
        500 http://us.archive.ubuntu.com hardy-updates/main Packages
        500 http://security.ubuntu.com hardy-security/main Packages
        100 /var/lib/dpkg/status
     1:9.4.2-10 0
        500 http://us.archive.ubuntu.com hardy/main Packages
toccata%

LaMont Jones (lamont)
Changed in bind9:
assignee: nobody → lamont
status: New → Fix Committed

Martin Pitt (pitti) wrote:

I assume this is fixed in Intrepid's 1:9.5.0.dfsg.P2-1ubuntu2, since it was fixed upstream in 1:9.4.2.dfsg.P2.

Changed in bind9:
status: Fix Committed → Fix Released

Martin Pitt (pitti) wrote:

bug 279316 has more information about the Hardy SRU.

Changed in bind9:
status: New → Fix Committed

Martin Pitt (pitti) wrote:

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote:

This needs to be tested thoroughly, the diff is not exactly small.

Jamie Strandboge (jdstrand) wrote:

Today I noticed that libdns35 ended up in universe:

Get:1 http://archive.ubuntu.com hardy-proposed/main libisc35 1:9.4.2.dfsg.P2-2 [139kB]
Get:2 http://archive.ubuntu.com hardy-proposed/main bind9 1:9.4.2.dfsg.P2-2 [283kB]
Get:3 http://archive.ubuntu.com hardy-proposed/main libisccc30 1:9.4.2.dfsg.P2-2 [24.9kB]
Get:4 http://archive.ubuntu.com hardy-proposed/main libisccfg30 1:9.4.2.dfsg.P2-2 [44.9kB]
Get:5 http://archive.ubuntu.com hardy-proposed/main liblwres30 1:9.4.2.dfsg.P2-2 [43.0kB]
Get:6 http://archive.ubuntu.com hardy-proposed/universe libdns35 1:9.4.2.dfsg.P2-2 [550kB]
Get:7 http://archive.ubuntu.com hardy-proposed/main libbind9-30 1:9.4.2.dfsg.P2-2 [27.4kB]
Get:8 http://archive.ubuntu.com hardy-proposed/main bind9-host 1:9.4.2.dfsg.P2-2 [60.2kB]
Get:9 http://archive.ubuntu.com hardy-proposed/main dnsutils 1:9.4.2.dfsg.P2-2 [144kB]
Get:10 http://archive.ubuntu.com hardy-proposed/main bind9-doc 1:9.4.2.dfsg.P2-2 [240kB]

While this is ok (I guess) for testing hardy-proposed, this will need to be adjusted when going to hardy-updates.

Martin Pitt (pitti) wrote:

Ah, sorry. I moved libisc35, but missed libdns35. Fixed now.

Jamie Strandboge (jdstrand) wrote:

I've been running 1:9.4.2.dfsg.P2-2 for several days on low-volume servers and everything works fine. sigchase also now works.

Martin Pitt (pitti) wrote:

Copied to hardy-updates.

Changed in bind9:
status: Fix Committed → Fix Released

Anderson (amg1127) wrote:

This bug needs to be fixed in Intrepid, also!

# dig +sigchase
Invalid option: +sigchase
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.10
Release: 8.10
Codename: intrepid

# apt-cache policy dnsutils
dnsutils:
  Instalado: 1:9.5.0.dfsg.P2-1ubuntu3.1
  Candidato: 1:9.5.0.dfsg.P2-1ubuntu3.1
  Tabela de versão:
 *** 1:9.5.0.dfsg.P2-1ubuntu3.1 0
        500 http://debs.cefetrs.tche.br intrepid-security/main Packages
        500 http://debs.cefetrs.tche.br intrepid-updates/main Packages
        500 http://security.ubuntu.com intrepid-updates/main Packages
        500 http://security.ubuntu.com intrepid-security/main Packages
        500 http://archive.ubuntu.com intrepid-security/main Packages
        500 http://archive.ubuntu.com intrepid-updates/main Packages
        100 /var/lib/dpkg/status
     1:9.5.0.dfsg.P2-1ubuntu2 0
        500 http://debs.cefetrs.tche.br intrepid/main Packages
        500 http://security.ubuntu.com intrepid/main Packages
        500 http://archive.ubuntu.com intrepid/main Packages

Anderson (amg1127) wrote:

This bug is still present in Intrepid (but not in Hardy, nor in Jaunty).

Changed in bind9:
status: Fix Released → New

Anderson (amg1127) wrote:

Wrong selection. Sorry...

Changed in bind9:
status: New → Fix Released

Chuck Short (zulcss) wrote:

Closing this SRU request based on the fact Intrepid has reached EOL.

Changed in bind9 (Ubuntu Intrepid):
status: New → Won't Fix

Mike van Stijn (shadow07) wrote:

This bug seems to be back in Ubuntu 16.04

# dig +sigchase
Invalid option: +sigchase
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]

Use "dig -h" (or "dig -h | more") for complete list of options

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial

# apt-cache policy dnsutils
dnsutils:
  Installiert: 1:9.10.3.dfsg.P4-8ubuntu1.4
  Installationskandidat: 1:9.10.3.dfsg.P4-8ubuntu1.4
  Versionstabelle:
 *** 1:9.10.3.dfsg.P4-8ubuntu1.4 500
        500 http://de.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:9.10.3.dfsg.P4-8 500
        500 http://de.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
