Package: dnssec-trigger
Version: 0.15+repack-1
Severity: important

I have two existing installations of dnssec-trigger that have 1536-bit client and server keys. I'm using the OpenSSL from experimental, which rejects keys of less than 2048 bits in size, as they are presently considered too weak. Consequently, dnssec-trigger fails to start:

May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error for server-cert-file: /etc/dnssec-trigger/dnssec_trigger_server.pem
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: Error in SSL_CTX use_certificate_file crypto error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] error: cannot setup SSL context
May 18 01:16:15 genre dnssec-triggerd[721856]: May 18 01:16:15 dnssec-triggerd[721856] fatal error: could not init server

I noticed the current version of dnssec-trigger uses 3072 bit keys. To ensure upgrades continue to work, dnssec-trigger probably needs to regenerate the keys if they are too small.

As a potentially relevant note, I noticed the dnssec-triggerd-keygen.service creates the keys in /etc, not /etc/dnssec-trigger.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dnssec-trigger depends on:
ii  gir1.2-nm-1.0       1.10.8-1
ii  libc6               2.27-3
ii  libgdk-pixbuf2.0-0  2.36.11-2
ii  libglib2.0-0        2.56.1-2
ii  libgtk2.0-0         2.24.32-1
ii  libldns2            1.7.0-3+b1
ii  libssl1.1           1.1.1~~pre6-2
ii  python3             3.6.5-3
ii  python3-gi          3.28.2-1
ii  python3-lockfile    1:0.12.2-2
ii  unbound             1.6.7-1

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- Configuration Files:
/etc/dnssec-trigger/dnssec-trigger.conf changed:
url: "http://fedoraproject.org/static/hotspot.txt OK"
url: "http://ster.nlnetlabs.nl/hotspot.txt OK"
tcp80: 185.49.140.67
tcp80: 2a04:b900::10:0:0:67
ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF

-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
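Added example, not code from dnssec-trigger or from the reporter: a stdlib-only Python check that locates the RSA modulus inside a PEM certificate or public key (such as the server-cert-file named in the log) and compares it with the 2048-bit minimum the reporter's OpenSSL enforces, so undersized keys can be found before an upgrade rather than at daemon start. The sample_spki_pem() helper and its 2**(bits-1)+1 modulus are constructed test input only, not real key material.

```python
import base64
import re

MIN_RSA_BITS = 2048                                          # minimum the reporter's OpenSSL build enforces
RSA_OID_TLV = bytes.fromhex("06092a864886f70d010101")        # DER OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER TLV in buf[start:end]."""
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                                    # long-form length: next n bytes hold it
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def rsa_modulus_bits(der):
    """Modulus bit length of the first rsaEncryption SubjectPublicKeyInfo in a DER cert or key, else None."""
    for tag, vs, ve in _children(der, 0, len(der)):
        if tag != 0x30:                                      # only SEQUENCEs are descended into
            continue
        kids = list(_children(der, vs, ve))
        # SPKI = SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { SEQUENCE { n, e } } }
        if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03 \
                and der[kids[0][1]:kids[0][2]].startswith(RSA_OID_TLV):
            key = next(_children(der, kids[1][1] + 1, kids[1][2]))   # +1 skips the unused-bits byte
            _, n_vs, n_ve = next(_children(der, key[1], key[2]))    # first INTEGER is the modulus n
            return int.from_bytes(der[n_vs:n_ve], "big").bit_length()
        found = rsa_modulus_bits(der[vs:ve])                 # recurse into nested SEQUENCEs (e.g. tbsCertificate)
        if found:
            return found
    return None

def check_pem(pem_text, min_bits=MIN_RSA_BITS):
    """Return (modulus_bits, acceptable) for the first PEM block in pem_text."""
    body = re.search(r"-----BEGIN [A-Z ]+-----(.*?)-----END", pem_text, re.S).group(1)
    bits = rsa_modulus_bits(base64.b64decode("".join(body.split())))
    return bits, bits is not None and bits >= min_bits

def _der(tag, body):
    """Minimal DER TLV encoder (short- or long-form length), used only for the constructed sample."""
    lb = b"" if len(body) < 0x80 else len(body).to_bytes(1 if len(body) < 256 else 2, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def sample_spki_pem(bits):
    """Constructed input, NOT a real key: rsaEncryption SPKI whose modulus is exactly `bits` wide."""
    der_int = lambda v: _der(0x02, (b"\x00" if v.bit_length() % 8 == 0 else b"") + v.to_bytes((v.bit_length() + 7) // 8, "big"))
    rsa_key = _der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    spki = _der(0x30, _der(0x30, RSA_OID_TLV + _der(0x05, b"")) + _der(0x03, b"\x00" + rsa_key))
    return "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(spki).decode()
```

Pointing check_pem() at the contents of /etc/dnssec-trigger/dnssec_trigger_server.pem would report (1536, False) for the keys described in this report.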