Merge ~ahasenack/ubuntu/+source/bind9:disco-re-enable-eddsa-support into ubuntu/+source/bind9:ubuntu/disco-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: e5673055341ef54b1223ebc17100389148c9bcbe
Merged at revision: e5673055341ef54b1223ebc17100389148c9bcbe
Proposed branch: ~ahasenack/ubuntu/+source/bind9:disco-re-enable-eddsa-support
Merge into: ubuntu/+source/bind9:ubuntu/disco-devel
Diff against target: 48 lines (+13/-2)
2 files modified
debian/changelog (+6/-0)
debian/rules (+7/-2)
Reviewers:
Christian Ehrhardt (community): Approve
Canonical Server: Pending
Review via email: mp+366414@code.launchpad.net

Description of the change

PPA with testing packages: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-eddsa-1825712
sudo add-apt-repository ppa:ahasenack/bind9-eddsa-1825712

Re-enable eddsa support, which was disabled in the last merge from Debian. It will pull in openssl 1.1.1 (as opposed to just 1.1.0), and that's why it was disabled in Debian, albeit temporarily. This is a regression in Disco, and Eoan.

There are two tests that can be done: offline and online.

Offline test:
dnssec-keygen -a ED25519 example.com

That will fail with bind9 builds that do not have eddsa support.

Online test:
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
; fully validated
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3600 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )

It will either say "fully validated", as is the case above with a build that has eddsa support, or:
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
;; validating ed25519.nl/A: no valid signature found
; unsigned answer
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3200171710 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )

it will say "unsigned answer" and "no valid signature found".
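As an added illustration, not part of this merge proposal, the following Python checker classifies the two `delv +dnssec +multiline` transcripts quoted above: it reports whether the answer was fully validated and which RRSIG algorithm number signed it (15 is ED25519), so a build lacking EdDSA support can be judged from delv output alone. Function and variable names are my own.

```python
import re

# The two transcripts quoted in the merge proposal description.
VALIDATED = """; fully validated
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3600 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )
"""
UNSIGNED = """;; validating ed25519.nl/A: no valid signature found
; unsigned answer
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3200171710 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )
"""

def parse_delv(output):
    """Return the validation verdict and the RRSIG algorithm numbers seen."""
    status, algs = "unknown", []
    # +multiline wraps long records in ( ... ); fold each onto one line first
    folded = re.sub(r"\(\s*(.*?)\s*\)", lambda m: " ".join(m.group(1).split()),
                    output, flags=re.S)
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith(";"):            # delv comment: validation verdict
            text = line.lstrip("; ").lower()
            if "fully validated" in text:
                status = "validated"
            elif "unsigned answer" in text or "no valid signature" in text:
                status = "unsigned"
            continue
        f = line.split()
        # owner ttl IN RRSIG <type> <alg> <labels> <origttl> <expire> <incept> ...
        if len(f) > 5 and f[3] == "RRSIG":
            algs.append(int(f[5]))             # IANA DNSSEC algorithm number
    return {"status": status, "algorithms": algs}

def eddsa_validated(output):
    """True only when an EdDSA-signed (alg 15 or 16) answer fully validated."""
    r = parse_delv(output)
    return r["status"] == "validated" and any(a in (15, 16) for a in r["algorithms"])
```

Feed it the captured output of `delv +dnssec +multiline @127.0.0.1 ed25519.nl` from the build under test; a build without EdDSA support yields `unsigned` with algorithm 15 still present in the RRSIG.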

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Checked the bug, tests and SRU template - all LGTM

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

A few more comments on the Eoan MP

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

As with the Eoan MP +1 on this.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Updated to match the eoan changes

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Debian bug about re-enabling eddsa support: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927962

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I added a comment to d/rules, explaining how --with-eddsa works and its implications.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Re-Reviewed, thanks for adding the comments.
+1 on the Disco upload once Eoan (I acked that one this morning) is completed.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Waiting for Eoan to migrate, then I'll upload this one.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Eoan migration done. Tagged and uploaded to disco:

$ git push pkg upload/1%9.11.5.P1+dfsg-1ubuntu2.4
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 4 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.20 KiB | 47.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.11.5.P1+dfsg-1ubuntu2.4 -> upload/1%9.11.5.P1+dfsg-1ubuntu2.4

$ dput ubuntu ../bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes
Checking signature on .changes
gpg: ../bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.11.5.P1+dfsg-1ubuntu2.4.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4.dsc: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4.debian.tar.xz: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.buildinfo: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index adc178c..6e988f7 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,9 @@
6+bind9 (1:9.11.5.P1+dfsg-1ubuntu2.4) disco; urgency=medium
7+
8+ * d/rules: add back EdDSA support (LP: #1825712)
9+
10+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:20:00 +0000
11+
12 bind9 (1:9.11.5.P1+dfsg-1ubuntu2.3) disco-security; urgency=medium
13
14 * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
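Review bot: the changelog line `* d/rules: add back EdDSA support (LP: #1825712)` does not say what was broken or why; for an SRU a reader should be able to see the regression from the entry itself. Suggest something like `* d/rules: re-enable EdDSA support, dropped in the last merge from Debian; without it dnssec-keygen -a ED25519 fails and ED25519-signed answers validate as unsigned (LP: #1825712)`, which matches the description of this proposal.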
15diff --git a/debian/rules b/debian/rules
16index 1a22081..905a1da 100755
17--- a/debian/rules
18+++ b/debian/rules
19@@ -76,6 +76,13 @@ override_dh_autoreconf: prepare_native_pkcs11 prepare_version
20
21 override_dh_auto_configure:
22 debian/checkapi
23+ # Behavior of --with-eddsa:
24+ # yes: enables it for openssl and pkcs11
25+ # no: disables it for openssl and pkcs11
26+ # auto, or absent: enables it for openssl if supported, disables
27+ # it for pkcs11
28+ # EDDSA requires openssl 1.1.1 or later.
29+ # If EDDSA is enabled, extra symbols will appear in libdns110x.
30 dh_auto_configure -B build -- \
31 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
32 --sysconfdir=/etc/bind \
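Review bot: the new comment block states that EdDSA "requires openssl 1.1.1 or later" and that enabling it adds symbols to libdns110x, but nothing in this diff enforces or tracks either fact: no versioned libssl-dev build-dependency appears and no symbols file is touched. If debian/control does not already require libssl-dev (>= 1.1.1), consider adding that so a build against 1.1.0 fails rather than silently lacking EdDSA, and say in the comment where the 1.1.1 guarantee comes from. Minor: "EDDSA" in the comment should match the "eddsa" spelling of the option or "EdDSA" as used in the changelog.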
33@@ -101,7 +108,6 @@ override_dh_auto_configure:
34 --enable-native-pkcs11 \
35 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
36 --with-randomdev=/dev/urandom \
37- --with-eddsa=no \
38 $(EXTRA_FEATURES)
39 dh_auto_configure -B build-udeb -- \
40 --sysconfdir=/etc/bind \
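Review bot: removing `--with-eddsa=no` leaves the option at its auto default, which, per the comment added above, enables EdDSA only "if supported" by the openssl found at build time; a build in an environment with openssl 1.1.0 would therefore succeed silently without EdDSA, reproducing exactly the bug this upload fixes. Since the goal is to guarantee support, consider passing `--with-eddsa=yes` here so configure fails loudly instead; the same comment notes that "yes" also enables it for pkcs11, so confirm that is acceptable alongside `--enable-native-pkcs11` in this invocation.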
41@@ -120,7 +126,6 @@ override_dh_auto_configure:
42 --enable-shared \
43 --with-libtool \
44 --with-gssapi=no \
45- --with-eddsa=no \
46 --libdir=/lib/$(DEB_HOST_MULTIARCH) \
47 --includedir=/usr/include/bind-export
48 sh debian/apply-export-patch
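Review bot: the second configure invocation (build-udeb, with `--includedir=/usr/include/bind-export`) now also relies on the auto default, so the export libraries gain the extra EdDSA symbols the earlier comment mentions for libdns110x; worth confirming that `debian/apply-export-patch` and any export symbols files do not need a matching update, and applying the same yes-versus-auto decision as in the main build so the two builds cannot diverge in EdDSA support.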
