Merge ~sergiodj/ubuntu/+source/bind9:bind9-eddsa-dnssec-bug1825712 into ubuntu/+source/bind9:ubuntu/bionic-devel

Proposed by Sergio Durigan Junior
Status: Work in progress
Proposed branch: ~sergiodj/ubuntu/+source/bind9:bind9-eddsa-dnssec-bug1825712
Merge into: ubuntu/+source/bind9:ubuntu/bionic-devel
Diff against target: 63 lines (+17/-2)
3 files modified
debian/changelog (+9/-0)
debian/libdns1100.symbols (+1/-0)
debian/rules (+7/-2)
Reviewer: git-ubuntu developers (review pending)
Review via email: mp+390274@code.launchpad.net

Description of the change

This is the fix of https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1825712 for bionic (the last missing Ubuntu release).

The rationale is the same as for the other releases. Also, there was a lot of discussion happening between Andreas and Christian in the other two MPs, so I'm linking them here:

https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/366414

https://code.launchpad.net/~ahasenack/ubuntu/+source/bind9/+git/bind9/+merge/366410

In the bug, comment #14, Andreas mentioned:

"It's a valid request, I'm just not sure if the version of bind in bionic is good enough for this support. I vaguely remember reading somewhere that certain encryption types were not working well in certain versions of bind9 (sorry, very vague, I know). Because of that I'm confirming the bug, but this would have to be investigated."

After investigating whether there is indeed such a problem with bind9 on bionic, I could not find anything that might prevent us from enabling EdDSA support there. I did find something interesting that Debian did, though: they decided to enable EdDSA, but disable Ed448. I'm choosing not to do that for now, because I think that would be somewhat orthogonal to this change, but I am getting in touch with Ondřej Surý to make sure that this won't bite us down the road.

The package doesn't have dep8 tests, but I did a PPA build:

https://launchpad.net/~sergiodj/+archive/ubuntu/bind9-bug1825712

installed it in a bionic lxd, and performed the "Test Case" instructions from the original bug. Everything is working OK.

Sergio Durigan Junior (sergiodj) wrote :

I'm leaving this as a WIP until I decide what to do with the Ed448 support.

Unmerged commits

4ec6403... by Sergio Durigan Junior

changelog for 1:9.11.3+dfsg-1ubuntu1.14

5d12d7f... by Sergio Durigan Junior

  * d/libdns1100.symbols: Add dst__openssleddsa_init@Base.
  * d/rules: add back EdDSA support (LP: #1825712)
    [ Thanks to Andreas Hasenack for the original commit on Eoan and
      Disco. ]

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 0f34694..dbd16d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1bind9 (1:9.11.3+dfsg-1ubuntu1.14) bionic; urgency=medium
2
3 * d/libdns1100.symbols: Add dst__openssleddsa_init@Base.
4 * d/rules: add back EdDSA support (LP: #1825712)
5 [ Thanks to Andreas Hasenack for the original commit on Eoan and
6 Disco. ]
7
8 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Thu, 03 Sep 2020 17:31:51 -0400
9
1bind9 (1:9.11.3+dfsg-1ubuntu1.13) bionic-security; urgency=medium10bind9 (1:9.11.3+dfsg-1ubuntu1.13) bionic-security; urgency=medium
211
3 * SECURITY UPDATE: A truncated TSIG response can lead to an assertion12 * SECURITY UPDATE: A truncated TSIG response can lead to an assertion
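Review bot: the changelog entry is less specific than the change it records: besides the main build, `--with-eddsa=no` is also removed from the build-udeb configure call, and nothing says whether Ed448 stays enabled, even though the MP description points out that Debian enables EdDSA but disables Ed448. Since this is the SRU record for bionic, spell out both points in the second bullet, e.g. "d/rules: drop --with-eddsa=no from the main and udeb builds (EdDSA, including Ed448, now follows the configure default)".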
diff --git a/debian/libdns1100.symbols b/debian/libdns1100.symbols
index 62f8991..f5c9fbb 100644
--- a/debian/libdns1100.symbols
+++ b/debian/libdns1100.symbols
@@ -2983,6 +2983,7 @@ libdns.so.1100 libdns1100 #MINVER#
2983 dst__openssldh_init@Base 1:9.11.3+dfsg2983 dst__openssldh_init@Base 1:9.11.3+dfsg
2984 dst__openssldsa_init@Base 1:9.11.3+dfsg2984 dst__openssldsa_init@Base 1:9.11.3+dfsg
2985 dst__opensslecdsa_init@Base 1:9.11.3+dfsg2985 dst__opensslecdsa_init@Base 1:9.11.3+dfsg
2986 dst__openssleddsa_init@Base 1:9.11.3+dfsg
2986 dst__opensslrsa_init@Base 1:9.11.3+dfsg2987 dst__opensslrsa_init@Base 1:9.11.3+dfsg
2987 dst__privstruct_free@Base 1:9.11.3+dfsg2988 dst__privstruct_free@Base 1:9.11.3+dfsg
2988 dst__privstruct_parse@Base 1:9.11.3+dfsg2989 dst__privstruct_parse@Base 1:9.11.3+dfsg
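Review bot: the minimum version on the new `dst__openssleddsa_init@Base` entry is `1:9.11.3+dfsg`, copied from its neighbours, but no bionic build before this one exported the symbol (the d/rules comment in this MP says the extra symbols only appear when EdDSA is enabled). A consumer linked against it would get a dependency of `libdns1100 (>= 1:9.11.3+dfsg)`, which older bionic packages satisfy while lacking the symbol; tag it with the version that first ships it, `1:9.11.3+dfsg-1ubuntu1.14`.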
diff --git a/debian/rules b/debian/rules
index 7a96e56..efea2fc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -65,6 +65,13 @@ clean_native_pkcs11:
65override_dh_autoreconf: prepare_native_pkcs1165override_dh_autoreconf: prepare_native_pkcs11
66 dh_autoreconf66 dh_autoreconf
6767
68# Behavior of --with-eddsa:
69# yes: enables it for openssl and pkcs11
70# no: disables it for openssl and pkcs11
71# auto, or absent: enables it for openssl if supported, disables
72# it for pkcs11
73# EDDSA requires openssl 1.1.1 or later.
74# If EDDSA is enabled, extra symbols will appear in libdns110x.
68override_dh_auto_configure:75override_dh_auto_configure:
69 dh_auto_configure -B build -- \76 dh_auto_configure -B build -- \
70 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \77 --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
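Review bot: the new comment documents that EdDSA needs OpenSSL 1.1.1 or later and that the auto setting silently disables it when unsupported, but nothing in the package enforces that prerequisite now that the build relies on auto-detection. Add a versioned build-dependency on libssl-dev (>= 1.1.1), or pass `--with-eddsa=yes` explicitly, so a build against an older OpenSSL fails at configure instead of producing a libdns1100 that no longer matches d/libdns1100.symbols and only fails at dpkg-gensymbols time.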
@@ -90,7 +97,6 @@ override_dh_auto_configure:
90 --enable-native-pkcs11 \97 --enable-native-pkcs11 \
91 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \98 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
92 --with-randomdev=/dev/urandom \99 --with-randomdev=/dev/urandom \
93 --with-eddsa=no \
94 $(EXTRA_FEATURES)100 $(EXTRA_FEATURES)
95 dh_auto_configure -B build-udeb -- \101 dh_auto_configure -B build-udeb -- \
96 --sysconfdir=/etc/bind \102 --sysconfdir=/etc/bind \
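Review bot: removing `--with-eddsa=no` leaves the main build at the auto default, which per the comment above enables EdDSA for OpenSSL but keeps it disabled for PKCS#11, yet this same configure call passes `--enable-native-pkcs11` and `--with-pkcs11=...libsofthsm2.so`. If EdDSA keys held in SoftHSM are expected to work, this needs `--with-eddsa=yes`; otherwise note the limitation in the changelog so the bug's test case is not assumed to cover the PKCS#11 path.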
@@ -109,7 +115,6 @@ override_dh_auto_configure:
109 --enable-shared \115 --enable-shared \
110 --with-libtool \116 --with-libtool \
111 --with-gssapi=no \117 --with-gssapi=no \
112 --with-eddsa=no \
113 --libdir=/lib/$(DEB_HOST_MULTIARCH) \118 --libdir=/lib/$(DEB_HOST_MULTIARCH) \
114 --includedir=/usr/include/bind-export119 --includedir=/usr/include/bind-export
115 sh debian/apply-export-patch120 sh debian/apply-export-patch
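Review bot: the build-udeb configure also loses `--with-eddsa=no`, so the export libraries built there will gain the same EdDSA symbol, but only d/libdns1100.symbols is touched in this MP (3 files modified). If the export library packages carry a symbols file, it needs the matching `dst__openssleddsa_init@Base` entry, or the udeb build will fail the symbols check the main build now passes.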
