** Description changed:

- In Ubuntu Disco Dingo, bind9_9.11.5.P1+dfsg-1ubuntu2 is built --with-
- eddsa=no, thus breaking DNSSEC zones using Ed25519 keys.  This used to
- work fine in Cosmic Cattlefish.
+ [Impact] 
+ Bind9, either when acting as a resolver, or a master for a zone, does not 
have support for EdDSA algorithms like ED25519 or ED448. This is a regression 
from the package in Cosmic: this support was disabled by mistake in Disco.
+  
+ [Test Case]
+ * Install the packages that will be tested:
+ sudo apt install dnsutils bind9utils bind9
+ 
+ * Offline test. Without EDDSA support, this command will fail:
+ $ dnssec-keygen -a ED25519 example.com
+ dnssec-keygen: fatal: unsupported algorithm: 15
+ 
+ * With EDDSA support, the command will succeed:
+ $ dnssec-keygen -a ED25519 example.com
+ Generating key pair.
+ Kexample.com.+015+02524
+ 
+ 
+ * Online test. Without EDDSA support, the command below will return "unsigned 
answer" and "no valid signature found":
+ $ delv +dnssec +multiline @127.0.0.1 ed25519.nl
+ ;; validating ed25519.nl/A: no valid signature found
+ ; unsigned answer
+ ed25519.nl.           3589 IN A 77.72.150.82
+ ed25519.nl.           3200171710 IN RRSIG A 15 2 3600 (
+                               20190502000000 20190411000000 27662 ed25519.nl.
+                               f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
+                               nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )
+ 
+ * With EDDSA support, it will return "fully validated":
+ $ delv +dnssec +multiline @127.0.0.1 ed25519.nl
+ ; fully validated
+ ed25519.nl.           3600 IN A 77.72.150.82
+ ed25519.nl.           3600 IN RRSIG A 15 2 3600 (
+                               20190502000000 20190411000000 27662 ed25519.nl.
+                               f7HjJcbvekrmuLtXDzjddWJZzZAAFO6fV+NoMCg+UiIl
+                               nQjUxNcCvDWuR38XAJuHrctvQOlAg1JmIGwYyKM2DQ== )
+ 
+ 
+ [Regression Potential] 
+ This change is fixing a regression already. It's adding support for a crypto 
algorithm used with DNSSEC which was enabled before.
+ 
+ [Other Info]
+ EdDSA requires openssl 1.1.1, so this change will also update the dependency 
chain to require libssl1.1 >= 1.1.1, as opposed to just 1.1.0 as is the case in 
Disco at the moment (this happens automatically during build). This is also 
true for the udebs that are built from this package.
+ 
+ [Original Description]
+ In Ubuntu Disco Dingo, bind9_9.11.5.P1+dfsg-1ubuntu2 is built 
--with-eddsa=no, thus breaking DNSSEC zones using Ed25519 keys.  This used to 
work fine in Cosmic Cattlefish.
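
Review bot: The [Test Case] section only exercises ED25519 (the `dnssec-keygen -a ED25519 example.com` step and the `ed25519.nl` lookup), while [Impact] states that ED448 support is missing as well. Add an offline `dnssec-keygen -a ED448 example.com` step so that both algorithms are verified after the rebuild. The online test should also say that it relies on the freshly installed bind9 answering recursive queries on 127.0.0.1 and on the external zone ed25519.nl being reachable. In the failing delv output the RRSIG TTL is shown as 3200171710 against 3600 in the passing output, so it is worth confirming that the value was captured as-is.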

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1825712

Title:
  bind9 is compiled without support for EdDSA DNSSEC keys
