[SRU] Enable DNSTAP support

Bug #1986586 reported by Luís Infante da Câmara
Affects: bind9 (Ubuntu)
Status: Expired
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Upstream BIND supports DNSTAP since version 9.11 and this support is enabled in Debian, but disabled in Ubuntu because 2 required dependencies (libprotobuf-c1 and libfstrm0) are in the universe component. However, libprotobuf-c1 was recently approved for inclusion into the main component (bug #1956617), and I have filed a main inclusion report (MIR) for fstrm (bug #1986591).

DNSTAP is a feature of bind9 9.11 and up. It allows the system to 'tap' into the DNS queries and automatically log both DNS queries and DNS responses. This lets us actually see the behavior of DNS and what data is being returned at the server level. This replaces `dnscap` behavior by integrating the behavior directly into BIND.

This can be a useful tool for capturing and logging requests. It is not enabled by default when built with BIND9, but can be activated later by users if they wish to use it.

To enable this in BIND9, we only need to build the binaries with `--enable-dnstap` to enable dnstap support.

[Test Plan]
Run the test suites of the original and patched source packages on Ubuntu 20.04, 22.04 and Kinetic and check that there are no regressions and that all test failures are justified.

[Where problems could occur]
This can break deployments that expect that BIND 9 in Ubuntu does not provide DNSTAP support and cause regressions in other packages in the Ubuntu archive.
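
Added example, not part of the bug report or of the bind9 packaging: a shell check that decides from `named -V` output whether a build was configured with `--enable-dnstap`, and from `ldd` output whether it links the two libraries named above. The sample texts are constructed, and the assumption is that `named -V` lists the configure arguments in single quotes.

```shell
#!/bin/sh
# Constructed samples shaped like `named -V` and `ldd` output
# (assumed format, not captured from a real host).
SAMPLE_WITH="BIND 9.18.1 (constructed sample)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--enable-dnstap'"
SAMPLE_WITHOUT="BIND 9.18.1 (constructed sample)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr'"
SAMPLE_LDD="libfstrm.so.0 => /lib/x86_64-linux-gnu/libfstrm.so.0
libprotobuf-c.so.1 => /lib/x86_64-linux-gnu/libprotobuf-c.so.1"

# has_dnstap TEXT: succeed if the configure arguments in TEXT enable dnstap.
# The last matching switch wins, as it does for configure itself.
has_dnstap() {
    printf '%s\n' "$1" | tr "' " '\n\n' | awk '
        $0 == "--enable-dnstap" || $0 == "--enable-dnstap=yes" { on = 1 }
        $0 == "--disable-dnstap" || $0 == "--enable-dnstap=no" { on = 0 }
        END { exit !on }'
}

# links_dnstap_libs TEXT: succeed if ldd-style TEXT names both libraries
# the report lists as required (fstrm and protobuf-c).
links_dnstap_libs() {
    for lib in libfstrm.so libprotobuf-c.so; do
        printf '%s\n' "$1" | grep -qF "$lib" || return 1
    done
}

# Report on the local named binary, if one is installed.
if command -v named >/dev/null 2>&1; then
    if has_dnstap "$(named -V 2>&1)"; then
        echo "named: built with --enable-dnstap"
    else
        echo "named: no dnstap support compiled in"
    fi
    if links_dnstap_libs "$(ldd "$(command -v named)" 2>/dev/null)"; then
        echo "named: links libfstrm and libprotobuf-c"
    fi
fi
```

A build that passes both checks still logs nothing until an administrator adds dnstap options to the named configuration, which matches the report's statement that the feature is not enabled by default.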

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in bind9 (Ubuntu):
status: New → Confirmed
Changed in bind9 (Ubuntu):
status: Confirmed → New
description: updated
description: updated
description: updated
Changed in bind9 (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Thomas Ward (teward)
Changed in bind9 (Ubuntu):
status: In Progress → New
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Thomas Ward (teward) wrote :

My two cents as a developer for Ubuntu though with my coredev hat on: This SRU is premature. This functionality is *not* enabled in Kinetic (which would be a requirement - see https://wiki.ubuntu.com/StableReleaseUpdates#Procedure 3.1.). Further, this cannot be enabled in Kinetic until the MIR is completed.

However, knowing the Security team's backlog and other developers' backlogs whose job it is to handle the MIRs, it's possible the fstrm MIR will not complete before FeatureFreeze on August 25th. As a result of that, this SRU wouldn't be eligible for review until L-series.

Given however that this is not available in Kinetic, I don't believe this is ready for SRU. I won't close this bug, but I will put this info out there for the SRU team to keep in mind.

Luís Infante da Câmara (luis220413) wrote :

Running lintian --pedantic in the .changes file produced by a local sbuild of the patched source package produces the following warnings, other than elf-error warnings that are due to bug #1977883:
W: bind9-utils: breaks-without-version freeipa
W: bind9-doc: embedded-javascript-library usr/share/doc/bind9-doc/arm/_static/_static/doctools.js please use sphinx
W: bind9-doc: embedded-javascript-library usr/share/doc/bind9-doc/arm/_static/_static/jquery.js please use libjs-jquery
W: bind9-doc: embedded-javascript-library usr/share/doc/bind9-doc/arm/_static/_static/language_data.js please use sphinx
W: bind9-doc: embedded-javascript-library usr/share/doc/bind9-doc/arm/_static/_static/searchtools.js please use sphinx
W: bind9-doc: embedded-javascript-library usr/share/doc/bind9-doc/arm/_static/_static/underscore.js please use libjs-underscore
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libbind9-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libbind9-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libdns-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libdns-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libirs-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libirs-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libisc-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libisccc-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libisccc-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libisccfg-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libisccfg-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9-libs: lacks-unversioned-link-to-shared-library usr/lib/x86_64-linux-gnu/libns-9.18.1-1ubuntu1.2-Ubuntu.so usr/lib/x86_64-linux-gnu/libns-9.18.1-1ubuntu1.2-Ubuntu.so
W: bind9: mismatched-override systemd-service-file-refers-to-unusual-wantedby-target lib/systemd/system/named-resolvconf.service
W: bind9: systemd-service-file-refers-to-unusual-wantedby-target named.service [lib/systemd/system/named-resolvconf.service]
P: bind9-doc: repeated-path-segment _static usr/share/doc/bind9-doc/arm/_static/_static/
N: 1 hint overridden (1 warning); 1 unused override

Luís Infante da Câmara (luis220413) wrote :
Luís Infante da Câmara (luis220413) wrote :
Mark Esler (eslerm) wrote :
Changed in bind9 (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for bind9 (Ubuntu) because there has been no activity for 60 days.]

Changed in bind9 (Ubuntu):
status: Incomplete → Expired
Paride Legovini (paride) wrote :

Moving this back to Incomplete, but not moving the MIR bug out of Expired state.

Changed in bind9 (Ubuntu):
importance: Undecided → Wishlist