*** This bug is a duplicate of bug 1897744 ***
    https://bugs.launchpad.net/bugs/1897744

ok up/downgrading just "libc6" is enough to trigger.

I also found that libc6 from Eoan version 2.30-0ubuntu2.2 is good.
So it is new in 2.31!

The changelog mentions some DNSSEC
https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html

"* The DNS stub resolver will optionally send the AD (authenticated
  data) bit in queries if the trust-ad option is set via the options
  directive in /etc/resolv.conf (or if RES_TRUSTAD is set in
  _res.options).  In this mode, the AD bit, as provided by the name
  server, is available to applications which call res_search and
  related functions.  In the default mode, the AD bit is not set in
  queries, and it is automatically cleared in responses, indicating a
  lack of DNSSEC validation.  (Therefore, the name servers and the
  network path to them are treated as untrusted.)"

Once I knew that it was a small step and I found that
  options edns0 trust-ad
in /etc/resolv.conf indeed fixes the issue.

I'm not sure if openssh would be entitled to set RES_TRUSTAD in
_res.options.
Maybe not as that is more a decision of the admin setting up and configuring 
the system than the openssh software.

Therefore I think this is actually a little detail that upgraders that
use dnssec for openssh (and maybe others) via libc6 resolv need to
consider.
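As an added illustration of the two points in this comment (the `trust-ad` option in /etc/resolv.conf, and glibc 2.31 clearing the AD bit in responses unless that option or RES_TRUSTAD is set), here is a small check script. It is not part of the bug report and not glibc or openssh code; it parses a resolv.conf text for `trust-ad` and then models what a caller of res_search sees in the AD flag of a DNS reply with and without trust. The sample response header and resolv.conf contents are constructed for the example, and the function names are my own.

```python
"""Added example: does this resolv.conf let glibc >= 2.31 expose the DNS AD bit?

Models the behaviour quoted from the glibc 2.31 release notes: in the default
mode the AD (authenticated data) bit is cleared in responses before they reach
the application, so a DNSSEC-validated SSHFP answer still looks "insecure".
"""
import struct

# Flags word of the 12-byte DNS header (RFC 1035 / RFC 4035): the AD bit is 0x0020.
AD_FLAG = 0x0020
HEADER_LEN = 12


def resolv_conf_trusts_ad(text: str) -> bool:
    """True if an 'options' line in resolv.conf contains the trust-ad keyword.

    Comments (# or ;) are ignored. Note: the RES_OPTIONS environment variable
    can also add options at runtime; this function only inspects the file text.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "options" and "trust-ad" in words[1:]:
            return True
    return False


def parse_flags(response: bytes) -> int:
    """Return the 16-bit flags word from a raw DNS message header."""
    if len(response) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    _ident, flags = struct.unpack("!HH", response[:4])
    return flags


def ad_bit_as_seen_by_application(response: bytes, trust_ad: bool) -> bool:
    """What res_search-style callers observe in the AD flag.

    With trust_ad False (glibc >= 2.31 default, i.e. no trust-ad option and no
    RES_TRUSTAD), the bit is cleared as the release note describes; with
    trust_ad True the name server's value is passed through unchanged.
    """
    flags = parse_flags(response)
    if not trust_ad:
        flags &= ~AD_FLAG
    return bool(flags & AD_FLAG)


def sshfp_verdict(resolv_conf_text: str, response: bytes) -> str:
    """Combine both checks into the outcome an SSH client would report."""
    trust = resolv_conf_trusts_ad(resolv_conf_text)
    if ad_bit_as_seen_by_application(response, trust):
        return "secure"
    if not trust:
        return "insecure: AD bit cleared because trust-ad is not configured"
    return "insecure: name server did not set AD"


# Constructed sample: ID 0x1234, flags QR|RD|RA|AD (0x8180 | 0x0020), 1 question,
# 1 answer. Only the header matters for this check.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)

# Constructed resolv.conf contents: the broken default and the fix from the comment.
RESOLV_DEFAULT = "nameserver 127.0.0.53\noptions edns0\n"
RESOLV_FIXED = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"

if __name__ == "__main__":
    for name, text in (("default", RESOLV_DEFAULT), ("trust-ad", RESOLV_FIXED)):
        print(f"{name:9s} -> {sshfp_verdict(text, SAMPLE_RESPONSE)}")
```

Running it prints the "insecure" verdict for the default file and "secure" once `trust-ad` is present, matching the observation above that the option alone fixes the symptom. The script deliberately does no network lookup, so it can be dropped into a test suite or config-audit job.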

** Bug watch added: Debian Bug tracker #960023
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023

** Also affects: openssh (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023
   Importance: Unknown
       Status: Unknown

** Bug watch added: github.com/systemd/systemd/issues #15767
   https://github.com/systemd/systemd/issues/15767

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/15767
   Importance: Unknown
       Status: Unknown

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu)
       Status: New => Fix Released

** Also affects: glibc (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** No longer affects: glibc (Ubuntu Focal)

** Changed in: openssh (Ubuntu)
       Status: Confirmed => Invalid

** No longer affects: openssh (Ubuntu Focal)

** Changed in: glibc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1898590

Title:
  Verify DNS fingerprints not working

Status in systemd:
  Unknown
Status in glibc package in Ubuntu:
  Invalid
Status in openssh package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Released
Status in systemd source package in Focal:
  New
Status in openssh package in Debian:
  Unknown

Bug description:
  When setting in /etc/ssh/ssh_config VerifyHostKeyDNS to yes the fingerprints 
are fetched, but the result is always:
  debug1: found n insecure fingerprints in DNS
  With dig +dnssec -tsshfp hostname the result is ok: AD flag is set.

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1898590/+subscriptions
