2023-04-04 05:09:54 |
Wladimir Mutel |
bug |
|
|
added bug |
2023-04-04 05:11:10 |
Wladimir Mutel |
description |
I have a key with the following contents (key material replaced with ...) :
+ cat /etc/bind/Khost.+157+35878.key
host. IN KEY 0 3 157 YSp... ...QsQ==
+ cat /etc/bind/Khost.+157+35878.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: YSp......QsQ==
Bits: AAA=
Created: 20180616045813
Publish: 20180616045813
Activate: 20180616045813
it worked for a long time, up till package version 1:9.18.1-1ubuntu1.3
but since upgrading to 1:9.18.12-0ubuntu0.22.04.1, it stopped working, with nsupdate giving out the following:
Creating key...
could not read key from /etc/bind/Khost.+157+35878.{private,key}: file not found
in the strace printout, I see that nsupdate successfully opens the .private key file but then checks existence of the same file name without suffix (as specified after nsupdate -k) and fails.
were there any changes in key parsing from 9.18.1 to 9.18.13 ?
reverting bind9-utils, bind9-dnsutils and bind9-libs back to 1:9.18.1-1ubuntu1.3 restored the desired behavior.
please advise if I should fix the key format after the upgrade, or if this is a regression to be fixed from your side. |
I have a key with the following contents (key material replaced with ...) :
+ cat /etc/bind/Khost.+157+35878.key
host. IN KEY 0 3 157 YSp... ...QsQ==
+ cat /etc/bind/Khost.+157+35878.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: YSp......QsQ==
Bits: AAA=
Created: 20180616045813
Publish: 20180616045813
Activate: 20180616045813
it worked for a long time, up till package version 1:9.18.1-1ubuntu1.3
but since upgrading to 1:9.18.12-0ubuntu0.22.04.1, it stopped working, with nsupdate giving out the following:
Creating key...
could not read key from /etc/bind/Khost.+157+35878.{private,key}: file not found
in the strace printout, I see that nsupdate successfully opens and reads the .private key file but then checks existence of the same file name without suffix (as specified after nsupdate -k) and fails.
were there any changes in key parsing from 9.18.1 to 9.18.13 ?
reverting bind9-utils, bind9-dnsutils and bind9-libs back to 1:9.18.1-1ubuntu1.3 restored the desired behavior.
please advise if I should fix the key format after the upgrade, or if this is a regression to be fixed from your side. |
|
2023-04-05 22:16:44 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
2023-04-05 22:29:31 |
Sergio Durigan Junior |
bug task added |
|
bind |
|
2023-04-05 22:30:02 |
Sergio Durigan Junior |
bug watch added |
|
https://gitlab.isc.org/isc-projects/bind9/-/issues/3668 |
|
2023-04-05 22:31:00 |
Sergio Durigan Junior |
bind9 (Ubuntu): status |
New |
Triaged |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Kinetic |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
bug task added |
|
bind9 (Ubuntu Kinetic) |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
bug task added |
|
bind9 (Ubuntu Jammy) |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Lunar |
|
2023-04-05 22:31:44 |
Sergio Durigan Junior |
bug task added |
|
bind9 (Ubuntu Lunar) |
|
2023-04-05 22:31:50 |
Sergio Durigan Junior |
bind9 (Ubuntu Jammy): status |
New |
Triaged |
|
2023-04-05 22:31:53 |
Sergio Durigan Junior |
bind9 (Ubuntu Kinetic): status |
New |
Triaged |
|
2023-04-10 18:04:46 |
Andreas Hasenack |
tags |
|
regression-update |
|
2023-06-12 12:23:17 |
Robie Basak |
tags |
regression-update |
regression-update server-triage-discuss |
|
2023-06-14 15:08:58 |
Christian Ehrhardt |
tags |
regression-update server-triage-discuss |
regression-update server-todo |
|
2023-06-14 18:11:01 |
Lena Voytek |
bind9 (Ubuntu): assignee |
|
Lena Voytek (lvoytek) |
|
2023-06-14 18:11:04 |
Lena Voytek |
bind9 (Ubuntu Jammy): assignee |
|
Lena Voytek (lvoytek) |
|
2023-06-14 18:11:06 |
Lena Voytek |
bind9 (Ubuntu Kinetic): assignee |
|
Lena Voytek (lvoytek) |
|
2023-06-14 18:11:07 |
Lena Voytek |
bind9 (Ubuntu Lunar): assignee |
|
Lena Voytek (lvoytek) |
|
2023-06-21 15:12:22 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2023-06-28 15:27:03 |
Lena Voytek |
bug |
|
|
added subscriber Lena Voytek |
2023-06-28 15:28:44 |
Lena Voytek |
tags |
regression-update server-todo |
regression-update |
|
2023-09-05 22:56:48 |
Lena Voytek |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/450738 |
|
2023-09-16 03:10:13 |
Launchpad Janitor |
bind9 (Ubuntu): status |
Triaged |
Fix Released |
|
2023-09-19 13:59:40 |
Lena Voytek |
bind9 (Ubuntu Kinetic): status |
Triaged |
Won't Fix |
|
2023-09-19 13:59:42 |
Lena Voytek |
bind9 (Ubuntu Lunar): status |
Triaged |
In Progress |
|
2023-09-19 13:59:44 |
Lena Voytek |
bind9 (Ubuntu Jammy): status |
Triaged |
In Progress |
|
2023-09-19 20:09:12 |
Lena Voytek |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451681 |
|
2023-09-19 20:13:11 |
Lena Voytek |
merge proposal linked |
|
https://code.launchpad.net/~lvoytek/ubuntu/+source/bind9/+git/bind9/+merge/451683 |
|
2023-09-20 21:42:51 |
Lena Voytek |
description |
I have a key with the following contents (key material replaced with ...) :
+ cat /etc/bind/Khost.+157+35878.key
host. IN KEY 0 3 157 YSp... ...QsQ==
+ cat /etc/bind/Khost.+157+35878.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: YSp......QsQ==
Bits: AAA=
Created: 20180616045813
Publish: 20180616045813
Activate: 20180616045813
it worked for a long time, up till package version 1:9.18.1-1ubuntu1.3
but since upgrading to 1:9.18.12-0ubuntu0.22.04.1, it stopped working, with nsupdate giving out the following:
Creating key...
could not read key from /etc/bind/Khost.+157+35878.{private,key}: file not found
in the strace printout, I see that nsupdate successfully opens and reads the .private key file but then checks existence of the same file name without suffix (as specified after nsupdate -k) and fails.
were there any changes in key parsing from 9.18.1 to 9.18.13 ?
reverting bind9-utils, bind9-dnsutils and bind9-libs back to 1:9.18.1-1ubuntu1.3 restored the desired behavior.
please advise if I should fix the key format after the upgrade, or if this is a regression to be fixed from your side. |
[Impact]
Bind9 upstream accidentally introduced a regression that made old HMAC-MD5 key pair files unreadable in version 9.18.8.
This capability was fixed with the release of 9.18.17 through https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/8069. This means the issue will be fixed alongside the MRE release of 9.18.18 in Lunar and Jammy.
The issue is fixed by restoring the missing files and pointing to them correctly.
[Test Plan]
To test that this fix specifically is successful, you can run:
# lxc launch ubuntu:{lunar, jammy} test-bind9
# lxc exec test-bind9 bash
# apt update && apt dist-upgrade -y
# apt install bind9
Create example key files since HMAC-MD5 is deprecated and creation of them was removed from focal onward
# cat <<EOF >Kexample.com.+157+15178.key
example.com. IN KEY 512 3 157 SItPKKvb7T9QEBRl9Mmrng==
EOF
# cat <<EOF >Kexample.com.+157+15178.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: SItPKKvb7T9QEBRl9Mmrng==
Bits: AAA=
Created: 20230920212628
Publish: 20230920212628
Activate: 20230920212628
EOF
# nsupdate -k Kexample.com.+157+15178.private
Prior to the fix, this results in something like:
20-Sep-2023 21:41:40.730 Kexample.com.+157+15178.private:1: unknown option 'Private-key-format:'
20-Sep-2023 21:41:40.730 Kexample.com.+157+15178.private:8: unexpected token near end of file
could not read key from Kexample.com.+157+15178.{private,key}: unexpected token
After the fix, the command should succeed with a possible deprecation warning:
20-Sep-2023 21:36:24.723 Kexample.com.+157+15178.private: Use of K* file pairs for HMAC is deprecated
[Where problems could occur]
Problems with this release would most likely occur outside the scope of this issue, as the MRE release includes many other fixes and updates alongside this. However, issues related directly to this change would likely revolve around other key files breaking or the HMAC-MD5 files not being restored properly to match their original state.
[Original Description]
I have a key with the following contents (key material replaced with ...) :
+ cat /etc/bind/Khost.+157+35878.key
host. IN KEY 0 3 157 YSp... ...QsQ==
+ cat /etc/bind/Khost.+157+35878.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: YSp......QsQ==
Bits: AAA=
Created: 20180616045813
Publish: 20180616045813
Activate: 20180616045813
it worked for a long time, up till package version 1:9.18.1-1ubuntu1.3
but since upgrading to 1:9.18.12-0ubuntu0.22.04.1, it stopped working, with nsupdate giving out the following:
Creating key...
could not read key from /etc/bind/Khost.+157+35878.{private,key}: file not found
in the strace printout, I see that nsupdate successfully opens and reads the .private key file but then checks existence of the same file name without suffix (as specified after nsupdate -k) and fails.
were there any changes in key parsing from 9.18.1 to 9.18.13 ?
reverting bind9-utils, bind9-dnsutils and bind9-libs back to 1:9.18.1-1ubuntu1.3 restored the desired behavior.
please advise if I should fix the key format after the upgrade, or if this is a regression to be fixed from your side. |
|
2023-09-22 21:43:14 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Andreas Hasenack |
2023-09-29 20:32:41 |
Steve Langasek |
bind9 (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
2023-09-29 20:32:44 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2023-09-29 20:32:47 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2023-09-29 20:32:55 |
Steve Langasek |
tags |
regression-update |
regression-update verification-needed verification-needed-jammy |
|
2023-09-29 20:34:50 |
Steve Langasek |
bind9 (Ubuntu Lunar): status |
In Progress |
Fix Committed |
|
2023-09-29 20:34:55 |
Steve Langasek |
tags |
regression-update verification-needed verification-needed-jammy |
regression-update verification-needed verification-needed-jammy verification-needed-lunar |
|
2023-09-29 22:53:49 |
Lena Voytek |
tags |
regression-update verification-needed verification-needed-jammy verification-needed-lunar |
regression-update verification-done verification-done-jammy verification-done-lunar |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
bind9 (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-2828 |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-2911 |
|
2023-10-26 14:41:28 |
Launchpad Janitor |
cve linked |
|
2023-3341 |
|
2023-10-26 14:41:40 |
Robie Basak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2023-10-26 14:44:29 |
Launchpad Janitor |
bind9 (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|