[MIR] dns-root-data

Bug #1426460 reported by Oleg Strikov on 2015-02-27
Affects: dns-root-data (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

The package provides a centralized version of the DNS root data, including the root zone and the DNSSEC key.
It carries the information available at https://data.iana.org/root-anchors/ and http://www.internic.net/domain/named.root together with some derived bytes.
This is a data-only package: http://packages.ubuntu.com/vivid/all/dns-root-data/filelist

== Availability ==
In universe

== Rationale ==
New dependency (recommends) for dnsmasq-base

Dnsmasq doesn't provide DNSSEC functionality by default, but if you enable it via /etc/dnsmasq.conf you have two options:

If dns-root-data package is installed dnsmasq uses /usr/share/dns/root.ds provided by this package as --trust-anchor

If dns-root-data package is not installed -- you need to uncomment 'conf-file=/usr/share/dnsmasq/trust-anchors.conf' line in /etc/dnsmasq.conf to ask dnsmasq to use its own trust anchor stored inside /usr/share/dnsmasq/trust-anchors.conf

Right now both anchors are the same.

It means that we have two options:
(a) drop 'recommends' to 'suggests' -- dnsmasq will use its own trust-anchor all the time
(b) include dns-root-data into main and keep it 'recommends'

While (a) is simpler, there are some arguments for (b) as well:
(1) some other packages may start using dns-root-data in the near future (see the bug opened for bind9: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760459)
(2) if and when the DNSSEC keys are changed, it's much simpler to update them in a single place than to provide deltas to all depending packages

I would appreciate any input on which option to choose.

== Security ==
No CVEs found:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dns-root-data
http://secunia.com/advisories/search/?search=dns-root-data
http://people.canonical.com/~ubuntu-security/cve/universe.html

Package is about public keys / certificates used to verify validity of DNSSEC signatures.
Special attention of security team might be needed.

== QA ==
Package works out of the box (data-only package) with no prompting

There are no major bugs in Ubuntu:
https://launchpad.net/ubuntu/+source/dns-root-data/+bugs

There are no major bugs in Debian (just a single wishlist bug):
https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=dns-root-data

No testsuite provided (seems to be okay for data-only package)

The package is maintained well in Debian by Ondřej Surý:
https://packages.qa.debian.org/d/dns-root-data.html

The package provides debian/README.source

== Dependencies ==
Package has no dependencies

== Standards Compliance ==
FHS compliant
Debian Policy compliant (the package is compliant with Debian Policy 3.9.5, not the latest 3.9.6)

== Maintenance ==
Can be synced with Debian
Server team will own the package

Oleg Strikov (strikov) on 2015-02-27
description: updated
Michael Terry (mterry) wrote :

Well, (a) isn't entirely accurate. If this package is a Suggests, the user can still get the third-party data, they just have to install it themselves. And the user has to manually edit a config file before this is even an issue, yes?

Seems weird to force this package installation on everyone just in case a user edits the config to want it.

But I'm very sympathetic to the argument that we want one copy of this data shared between packages. I'll pass to security team to see if they have an opinion of any sort on this package.

From a maintainer point of view, the only issue with this package is that it doesn't have a team bug subscriber. Might that be the security team?

Changed in dns-root-data (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Oleg Strikov (strikov) wrote :

Hi Michael,

Thanks for your comments and your point about the inconsistency in the MIR description.
It seems to me that you read between the lines and got me correctly.
But to avoid any other confusion I want to tell the whole story about config options.

(1) by default dnssec is disabled and no anchors are needed at all

(2) to enable dnssec capability in dnsmasq you need to put 'dnssec' option into /etc/dnsmasq.conf

If you have dnssec enabled you have two options:

(1) if dns-root-data package is installed -- dnsmasq uses its anchors automatically:

/etc/init.d/dnsmasq:
<...>
# If the dns-root-data package is installed, then the trust anchors will be
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.

ROOT_DS="/usr/share/dns/root.ds"

if [ -f $ROOT_DS ]; then
   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`"
fi
<...>

(2) if dns-root-data package is not installed but 'dnssec' option is enabled -- you'll get an error:

dnsmasq[2623]: No trust anchors provided for DNSSEC

To deal with this error you need to put the following line into /etc/dnsmasq.conf as well:
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
By putting this line into config we force dnsmasq to use its own anchors which are installed by dnsmasq-base package.
You may put a path to your own anchors as well.

Bottom line:
We can live without dns-root-data installed.
It's just a good way to centralize important security data in one place which might be useful.
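
The two mechanisms described in this comment and in the rationale section (dnsmasq's init script reformatting /usr/share/dns/root.ds into --trust-anchor options, and the "both anchors are the same" observation about dnsmasq-base's own trust-anchors.conf) can be exercised with the following script. It is an added example, not part of this bug report and not dnsmasq's own init script: it derives the --trust-anchor options from a BIND-format DS file (accepting an optional TTL/class before "DS", which the init script's fixed ". IN DS " pattern does not), and checks that a dnsmasq-style conf fragment carries exactly the same DS set, which is the check an admin would want before dropping one copy. File names, key tags and digests are constructed placeholders, not the real root KSK.

```sh
#!/bin/sh
# Added example: not from this bug report and not dnsmasq's own init script.
#   1. turn the BIND-format DS records in a root.ds file into dnsmasq
#      --trust-anchor options (what /etc/init.d/dnsmasq does with sed), and
#   2. check that a dnsmasq-style trust-anchors.conf carries exactly the same
#      DS set, i.e. the "right now both anchors are the same" claim as a test.
# All file names and DS values below are constructed placeholders.

# ds_to_dnsmasq_opts FILE
# Emits one "--trust-anchor=.,<keytag>,<algorithm>,<digesttype>,<digest>" line
# per root DS record. An optional TTL and/or class before "DS" is accepted;
# digests are upper-cased so the two sources compare byte-for-byte.
ds_to_dnsmasq_opts() {
    awk '
        /^[[:space:]]*(;|$)/ { next }            # ";" starts a zone-file comment
        $1 == "." {
            for (i = 2; i <= NF; i++) if ($i == "DS") break
            if (i + 4 == NF) {                   # exactly tag alg dtype digest follow
                printf "--trust-anchor=.,%s,%s,%s,%s\n",
                       $(i+1), $(i+2), $(i+3), toupper($(i+4))
            }
        }
    ' "$1"
}

# anchors_from_dnsmasq_conf FILE
# Reads "trust-anchor=.,<keytag>,<algorithm>,<digesttype>,<digest>" lines from
# a dnsmasq conf fragment and normalises them to the same form as above.
anchors_from_dnsmasq_conf() {
    awk -F',' '
        /^[[:space:]]*(#|$)/ { next }            # "#" starts a dnsmasq comment
        $1 ~ /^[[:space:]]*trust-anchor=\.$/ && NF == 5 {
            sub(/[[:space:]]+$/, "", $5)         # drop trailing whitespace / CR
            printf "--trust-anchor=.,%s,%s,%s,%s\n", $2, $3, $4, toupper($5)
        }
    ' "$1"
}

# anchors_match DS_FILE CONF_FILE
# Succeeds only when both files describe the same non-empty set of DS records.
anchors_match() {
    a=$(ds_to_dnsmasq_opts "$1" | sort -u)
    b=$(anchors_from_dnsmasq_conf "$2" | sort -u)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- constructed sample inputs (placeholder key tags and digests) -----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_DS="$WORK/root.ds"                  # stands in for /usr/share/dns/root.ds
SAMPLE_CONF="$WORK/trust-anchors.conf"     # stands in for dnsmasq-base's copy
STALE_CONF="$WORK/trust-anchors-stale.conf"

cat > "$SAMPLE_DS" <<'EOF'
; constructed root.ds: two placeholder DS records for the root zone
. IN DS 11111 8 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
.  3600 IN DS 22222 8 2 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
EOF

cat > "$SAMPLE_CONF" <<'EOF'
# constructed trust-anchors.conf carrying the same two records
trust-anchor=.,11111,8,2,00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
trust-anchor=.,22222,8,2,FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100
EOF

# A copy that was never updated after a key change: only the first record.
cat > "$STALE_CONF" <<'EOF'
trust-anchor=.,11111,8,2,00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
EOF

echo "dnsmasq options derived from $SAMPLE_DS:"
ds_to_dnsmasq_opts "$SAMPLE_DS"
if anchors_match "$SAMPLE_DS" "$SAMPLE_CONF"; then
    echo "trust-anchors.conf agrees with root.ds"
fi
if ! anchors_match "$SAMPLE_DS" "$STALE_CONF"; then
    echo "stale trust-anchors.conf does NOT agree with root.ds"
fi
```

Run it as a plain POSIX sh script; point SAMPLE_DS and SAMPLE_CONF at the installed /usr/share/dns/root.ds and /usr/share/dnsmasq-base/trust-anchors.conf to run the same comparison against a real system. A mismatch is exactly the situation argument (2) in the rationale is about: one copy was updated after a key change and the other was not.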

Adam Conrad (adconrad) wrote :

I'm going to promote this one to main, based on a cursory review. We just need the server team to subscribe to bugs, but that can happen out of sync.

Changed in dns-root-data (Ubuntu):
status: New → Fix Released
assignee: Ubuntu Security Team (ubuntu-security) → nobody