Merge ~ahasenack/ubuntu/+source/bind9:disco-re-enable-eddsa-support into ubuntu/+source/bind9:ubuntu/disco-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: e5673055341ef54b1223ebc17100389148c9bcbe
Merged at revision: e5673055341ef54b1223ebc17100389148c9bcbe
Proposed branch: ~ahasenack/ubuntu/+source/bind9:disco-re-enable-eddsa-support
Merge into: ubuntu/+source/bind9:ubuntu/disco-devel
Diff against target: 48 lines (+13/-2)
2 files modified
debian/changelog (+6/-0)
debian/rules (+7/-2)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | community | | Approve
Canonical Server | | | Pending
Review via email: mp+366414@code.launchpad.net

Description of the change

PPA with testing packages: https://launchpad.net/~ahasenack/+archive/ubuntu/bind9-eddsa-1825712
sudo add-apt-repository ppa:ahasenack/bind9-eddsa-1825712

Re-enable eddsa support, which was disabled in the last merge from Debian. It will pull in openssl 1.1.1 (as opposed to just 1.1.0), and that's why it was disabled in Debian, albeit temporarily. This is a regression in Disco and Eoan.

There are two tests that can be done: offline and online.

Offline test:
dnssec-keygen -a ED25519 example.com

That will fail with bind9 builds that do not have eddsa support.

Online test:
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
; fully validated
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3600 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )

It will either say "fully validated", as is the case above with a build that has eddsa support, or:
$ delv +dnssec +multiline @127.0.0.1 ed25519.nl
;; validating ed25519.nl/A: no valid signature found
; unsigned answer
ed25519.nl. 3600 IN A 77.72.150.82
ed25519.nl. 3200171710 IN RRSIG A 15 2 3600 (
    20190502000000 20190411000000 27662 ed25519.nl.
    f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
    nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )

it will say "unsigned answer" and "no valid signature found".
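The two checks described above, wrapped into one script that exits non-zero when the build under test lacks EdDSA support. This is an added example, not part of the merge proposal; it assumes dnssec-keygen and delv from the bind9 build under test are on PATH and that a validating resolver answers on 127.0.0.1, as in the description.

```shell
#!/bin/sh
# Added example (not from the merge proposal): wraps the offline and online
# EdDSA checks from the description into one script. Assumptions: dnssec-keygen
# and delv from the bind9 build under test are on PATH, and a validating
# resolver answers on 127.0.0.1, as in the description.

# Offline check: dnssec-keygen refuses ED25519 when EdDSA is compiled out.
# Returns 0 when a key pair is generated, 1 when keygen fails.
check_offline() {
  dir=$(mktemp -d) || return 2
  if dnssec-keygen -K "$dir" -a ED25519 example.com >/dev/null 2>&1; then
    rm -rf "$dir"; return 0
  fi
  rm -rf "$dir"; return 1
}

# Classify delv output: 0 = "fully validated"; 1 = signature rejected or the
# answer reported as unsigned; 2 = neither marker present (resolver problem).
classify_delv() {
  case "$1" in
    *"; fully validated"*) return 0 ;;
    *"no valid signature found"*|*"; unsigned answer"*) return 1 ;;
    *) return 2 ;;
  esac
}

# Online check: validate ed25519.nl (signed with algorithm 15, ED25519)
# through the local resolver and classify what delv reports.
check_online() {
  out=$(delv +dnssec +multiline @127.0.0.1 ed25519.nl 2>&1) || true
  classify_delv "$out"
}

run_checks() {
  rc=0
  check_offline || { echo "offline: dnssec-keygen -a ED25519 failed (no EdDSA support)"; rc=1; }
  online=0; check_online || online=$?
  case $online in
    0) echo "online: fully validated" ;;
    1) echo "online: signature not validated (no EdDSA support)"; rc=1 ;;
    *) echo "online: could not classify delv output, check the resolver"; rc=2 ;;
  esac
  return $rc
}

# Only run when explicitly asked, so the functions can also be sourced.
if [ "${RUN_EDDSA_CHECKS:-0}" = 1 ]; then run_checks; exit $?; fi
```

Run it as `RUN_EDDSA_CHECKS=1 sh eddsa-check.sh` against a PPA build and against the current archive build to see the two exit codes side by side.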

Christian Ehrhardt (paelzer) wrote:

Checked the bug, tests and SRU template - all LGTM

Christian Ehrhardt (paelzer) wrote:

A few more comments on the Eoan MP

Christian Ehrhardt (paelzer) wrote:

As with the Eoan MP +1 on this.

review: Approve
Andreas Hasenack (ahasenack) wrote:

Updated to match the eoan changes

Andreas Hasenack (ahasenack) wrote:

Debian bug about re-enabling eddsa support: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927962

Andreas Hasenack (ahasenack) wrote:

I added a comment to d/rules, explaining how --with-eddsa works and its implications.

Christian Ehrhardt (paelzer) wrote:

Re-Reviewed, thanks for adding the comments.
+1 on the Disco upload once Eoan (I acked that one this morning) is completed.

review: Approve
Andreas Hasenack (ahasenack) wrote:

Waiting for Eoan to migrate, then I'll upload this one.

Andreas Hasenack (ahasenack) wrote:

Eoan migration done. Tagged and uploaded to disco:

$ git push pkg upload/1%9.11.5.P1+dfsg-1ubuntu2.4
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 4 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.20 KiB | 47.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.11.5.P1+dfsg-1ubuntu2.4 -> upload/1%9.11.5.P1+dfsg-1ubuntu2.4

$ dput ubuntu ../bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes
Checking signature on .changes
gpg: ../bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.11.5.P1+dfsg-1ubuntu2.4.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4.dsc: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4.debian.tar.xz: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.buildinfo: done.
  Uploading bind9_9.11.5.P1+dfsg-1ubuntu2.4_source.changes: done.
Successfully uploaded packages.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index adc178c..6e988f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
1bind9 (1:9.11.5.P1+dfsg-1ubuntu2.4) disco; urgency=medium
2
3 * d/rules: add back EdDSA support (LP: #1825712)
4
5 -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:20:00 +0000
6
1bind9 (1:9.11.5.P1+dfsg-1ubuntu2.3) disco-security; urgency=medium7bind9 (1:9.11.5.P1+dfsg-1ubuntu2.3) disco-security; urgency=medium
28
3 * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective9 * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
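Review bot: the changelog entry only records that EdDSA support is added back; the description explains that this pulls in openssl 1.1.1 rather than 1.1.0, which is exactly why Debian disabled it, so consider stating that build requirement in the entry (for example "requires openssl 1.1.1; see the Debian bug") so the reason and the dependency are visible in the package history without opening the MP.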
diff --git a/debian/rules b/debian/rules
index 1a22081..905a1da 100755
--- a/debian/rules
+++ b/debian/rules
@@ -76,6 +76,13 @@ override_dh_autoreconf: prepare_native_pkcs11 prepare_version
7676
77override_dh_auto_configure:77override_dh_auto_configure:
78 debian/checkapi78 debian/checkapi
79 # Behavior of --with-eddsa:
80 # yes: enables it for openssl and pkcs11
81 # no: disables it for openssl and pkcs11
82 # auto, or absent: enables it for openssl if supported, disables
83 # it for pkcs11
84 # EDDSA requires openssl 1.1.1 or later.
85 # If EDDSA is enabled, extra symbols will appear in libdns110x.
79 dh_auto_configure -B build -- \86 dh_auto_configure -B build -- \
80 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \87 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
81 --sysconfdir=/etc/bind \88 --sysconfdir=/etc/bind \
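Review bot: the new comment documents the three --with-eddsa modes but does not say which one this package now relies on; since the explicit `--with-eddsa=no` is being dropped rather than replaced with `=yes`, a line such as "# the flag is deliberately omitted so auto mode enables EdDSA whenever openssl >= 1.1.1 is present" would tell the next maintainer the omission is intentional. The remark that extra symbols appear in libdns110x also reads as a warning without an action; state what a maintainer is expected to do about those symbols when the feature toggles.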
@@ -101,7 +108,6 @@ override_dh_auto_configure:
101 --enable-native-pkcs11 \108 --enable-native-pkcs11 \
102 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \109 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
103 --with-randomdev=/dev/urandom \110 --with-randomdev=/dev/urandom \
104 --with-eddsa=no \
105 $(EXTRA_FEATURES)111 $(EXTRA_FEATURES)
106 dh_auto_configure -B build-udeb -- \112 dh_auto_configure -B build-udeb -- \
107 --sysconfdir=/etc/bind \113 --sysconfdir=/etc/bind \
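Review bot: removing `--with-eddsa=no` leaves configure in auto mode, so a build in a chroot that still has openssl 1.1.0 would silently produce a named without EdDSA and the regression this MP fixes would not be caught at build time; if the intent is that Disco always ships EdDSA, `--with-eddsa=yes` (or a versioned libssl-dev build-dependency) makes a missing openssl 1.1.1 fail loudly instead.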
@@ -120,7 +126,6 @@ override_dh_auto_configure:
120 --enable-shared \126 --enable-shared \
121 --with-libtool \127 --with-libtool \
122 --with-gssapi=no \128 --with-gssapi=no \
123 --with-eddsa=no \
124 --libdir=/lib/$(DEB_HOST_MULTIARCH) \129 --libdir=/lib/$(DEB_HOST_MULTIARCH) \
125 --includedir=/usr/include/bind-export130 --includedir=/usr/include/bind-export
126 sh debian/apply-export-patch131 sh debian/apply-export-patch
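Review bot: dropping `--with-eddsa=no` from the build-udeb configure as well keeps the two builds consistent, which is right, but the comment added in the first debian/rules hunk says enabling EdDSA adds symbols to libdns110x, and this configure feeds the export library (debian/apply-export-patch runs immediately after); check whether any symbols tracking for the export build needs the same update in this upload so the build does not fail on new symbols or ship an incomplete symbols list.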
