[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
*** This bug is a duplicate of bug 1897744 *** https://bugs.launchpad.net/bugs/1897744 @Dan - now I saw your update - that might have shortened my dnssec trip :-) It indeed is a duplicate of that - marking as such. ** This bug has been marked a duplicate of bug 1897744 VerifyHostKeyDNS

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
Summary:
- we understand what happened
- we have a workaround for users by changing a config
- we have a systemd change that can be considered to be backported by the systemd package maintainers
** Tags

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
TL;DR: one affected by this upgrade triggered behavior change needs to set options edns0 trust-ad in /etc/resolv.conf to fix the issue. And as usual, once you already know what things are about - then

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
ok up/downgrading just "libc6" is enough to trigger. I also found that libc6 from Eoan version 2.30-0ubuntu2.2 is good. So it is new in 2.31! The changelog mentions some DNSSEC

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
As a first step I tried to make sure this actually is a change in openssh. Because my reading of the issues referred above has shown that not all of the verification is done inside ssh but partially in glibc. So I upgraded on the bionic test system step by step. The upgrade dependency list for

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
Something helpful for anyone looking into this later I found what seems a good testcase without requiring too much a local setup (of a dnssec dns server): To get unbound (brute force) do:
  apt install unbound
  sudo systemctl stop systemd-resolved
  sudo systemctl disable systemd-resolved
  sudo

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-14 Thread Christian Ehrhardt 
Turns out this seems to be a never ending story and you might have found a comeback of that issue for your particular configuration as you say this worked on 18.04 but fails on 20.04. This goes way back https://bugzilla.mindrot.org/show_bug.cgi?id=1455 Or half way back

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-13 Thread Dan Streetman
this is likely a dup of bug 1897744 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1898590 Title: Verify DNS fingerprints not working Status in openssh package in

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-13 Thread Christian Ehrhardt 
** Tags added: server-next -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1898590 Title: Verify DNS fingerprints not working Status in openssh package in Ubuntu: New

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-09 Thread Andreas Tauscher
The DNS queries captured with wireshark ssh to unbound and unbound to world looking correct and always the AD flag in the responses is set.

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-09 Thread Andreas Tauscher
With @localhost as parameter it will use the local resolver. Local resolver is unbound. The cr** systemd resolver is disabled. Configuration is exactly same like on another machine where it is working like expected. Only difference: Ubuntu 18.04 instead of 20.04. On 18.04 debug1: found 3 secure

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-06 Thread Seth Arnold
Hello, dig will do dns lookups itself, it doesn't rely on the host resolver configuration. Does your host resolver configuration support dnssec? It might be worth using tcpdump or tshark or wireshark to see if the queries are properly formed, and if the replies are correct. Thanks -- You

[Touch-packages] [Bug 1898590] Re: Verify DNS fingerprints not working

2020-10-05 Thread Andreas Tauscher
ssh version is OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020